Many security professionals don’t like security ratings, also known as cybersecurity risk scores. This is partly because people don’t like being criticized, but it’s mostly because security ratings—as they are presently conceived and sold—don’t and can’t work the way we need them to. Security ratings don’t predict breaches or help people make valuable business decisions, and they don’t directly make anyone safer. Our customers shouldn’t have to spend their valuable time explaining the results of security ratings to their leadership and boards. It’s time for the cybersecurity industry to find a better way to achieve our common goal of measurably improving external network postures.