Companies spend millions fighting cyberattacks, yet many of them still fall victim. The reason? They are not continuously monitoring their systems to spot vulnerabilities, but relying instead on point-in-time snapshots that become outdated very quickly in the digital age. It was this situation that led Aleksandr Yampolskiy and Sam Kassoumeh to launch SecurityScorecard, a company that takes an external view of security threats and provides daily security ratings similar to a credit score.
The pair met while working at e-commerce firm Gilt Groupe, where they realized they shared a vision for a better approach to cybersecurity. They also recognized that in their corporate roles, the negligence of others could cost them their jobs.
“We had various tools at our disposal to help us do our jobs, however, our marketing team would sign contracts with vendors that we didn’t think we had enough visibility around,” says Yampolskiy. “How could we understand how working with them would put our data at risk if there was no way to really measure or even understand how secure they were?”
They started looking for a way of computing a security score and having a holistic understanding of cyber risk, similar to how credit scores help financial institutions understand the risk of individuals.
Kassoumeh says: “What if we could engineer a way of providing one company with a deep view into another company’s security posture that would be instant, accurate, and independently verifiable without having to ask permission or wait for weeks for answers to important security questions? In what was truly a lightbulb moment, we both believed there were non-intrusive ways to gauge the security health of a company.”
They began speaking to CISOs and CIOs in the industry, and realized that in 2013 they were all flying blind, with no access to metrics to quantify their own risk to their boards or the risk of third parties.
“They had no idea if the law firm to whom they sent their M&A paperwork on Friday could lead them to being on the front page of The New York Times tomorrow, and then losing their job after a disastrous data breach,” says Kassoumeh. “So, Alex and I asked a question. Just as a bank can use credit scores to measure the trustworthiness of individuals enough to safely provide a loan, why can’t we develop security scores to determine companies’ level of risk?”
In 2013 they founded the New York City-based cybersecurity firm, launching it from a tiny office, with investor meetings conducted at a cafe in midtown Manhattan. Working evenings and weekends on their idea, they could see that the market was shifting to the cloud and that there was more sensitive information in more sensitive systems around the world, a shift that left traditional tools lagging.
“Running various security and tech teams, we invested in lots of different security solutions: vulnerability scans, endpoint protection, firewalls, and countless security audits,” says Yampolskiy. “But those tools fell short and didn’t provide a more holistic, continuous view of risk.”
Eventually they developed a way of detecting external signals non-intrusively on any company in the world, signals that would indicate the strength of its ‘cyber hygiene’ behind its firewall. These signals could be measured externally without the need for the company being evaluated to deploy any additional technology. And so, the idea for SecurityScorecard was born.
Initially, they self-funded their prototype while keeping their day jobs. “We would sketch out what we wanted the platform to accomplish, and that prototype led our seed investors, including Richard Seewald at Evolution Equity, and several others at Boldstart Ventures, to believe in us and give us our first real flush of cash,” says Yampolskiy.
The SecurityScorecard security ratings platform gathers over 27 billion vulnerabilities per week and captures over 700 million infected machines in different organizations each day. Its patented rating technology is used by more than 1,000 organizations globally, including Coca-Cola and Bloomberg, for self-monitoring, third-party risk management, board reporting, and cyber insurance underwriting.
“Using machine learning, we can optimize the correlation between our security ratings and the relative likelihood of a data breach,” explains Kassoumeh. “This provides scores with more meaningful risk insights so that our users can make smarter business and security decisions. We’ve found that companies with a low score are more than seven times as likely to be breached or face compliance penalties as companies with a high rating.”
CISOs and security managers can use security ratings to monitor the effectiveness of their processes and controls over time, evaluate team performance, and show ROI of security spending. They can utilize security ratings between audits to prove that new security measures work. And with continuous monitoring of vulnerabilities and risk signals, as soon as new protection measures are incorporated, the data analysis engine recalibrates the score.
But it is a constantly shifting world, in which organizations face many different types of threats and security risks. The global pandemic has been a case in point, forcing businesses to adapt to widespread remote working, whether they were ready for it or not.
“Companies that weren’t on the cloud are now running their businesses on the cloud, and companies that didn’t utilize remote connections now have a critical need for them,” says Yampolskiy. “This shift occurred rapidly, resulting in vulnerabilities and misconfigurations due to necessity of haste, further highlighting the importance of continuous network monitoring as both new and familiar adversaries look to exploit vulnerabilities.”
SecurityScorecard recently completed a $180 million Series E round, taking its total funding to more than $290 million. This will further accelerate its corporate growth with planned investments across new product lines, global expansion, a broadening partner ecosystem, and added features to assess and mitigate cybersecurity risk in novel ways.
The company has nearly 250 employees and is growing. Its service is currently the only one in the world to continuously rate over 1.6 million companies. The cofounders are looking to IPO in the next few years.
“We are well-positioned to accomplish that,” says Kassoumeh. “As part of our mission, we anticipate that within the next two to three years every company in the world will have their own security rating and will use it for several use cases, including reporting to their board and public shareholders, leveraging for discussions on reducing risk, driving down cyber insurance premiums, and more.”