Businesses spend millions fighting cyberattacks, but many of them still fall victim. The reason? They do not monitor their systems continuously to identify weak points, but rely on point-in-time snapshots, which in the digital age become outdated very quickly. It was this situation that led Aleksandr Yampolskiy and Sam Kassoumeh to found SecurityScorecard, a company that looks at security threats from the outside and creates security ratings, similar to a credit rating, on a daily basis.
The two met while working at e-commerce firm Gilt Groupe, where they realized they shared a vision for a better approach to cybersecurity. They also realized that the negligence of others in their corporate roles could cost them their jobs.
“We had various tools available to support us in our work. However, our marketing team signed contracts with vendors that we thought we didn’t have enough visibility into,” says Yampolskiy. “How could we understand how working with them would compromise our data if there wasn’t a way to really measure it, or even to understand how secure it was?”
They were looking for a way to calculate a security score and gain a holistic understanding of cyber risk, much like how credit scores help financial institutions understand individuals’ risk.
Kassoumeh says: “What if we could find a way to give one company a deep insight into the security situation of another company that could be instantly, accurately and independently verified without having to ask for permission or wait weeks for answers to important security questions? In what was truly a lightbulb moment, we both believed that there were non-intrusive ways of measuring a company’s security status.”
They began speaking to CISOs and CIOs in the industry and found in 2013 that they were all flying blind and lacking access to metrics to quantify their own risk to their boards of directors or the risk of third parties.
“Little did they know if the law firm they sent their M&A papers to on Friday could result in them being on the front page of the New York Times tomorrow and then losing their jobs after a catastrophic data breach,” says Kassoumeh. “So Alex and I asked a question. Just as a bank can use credit scores to measure the trustworthiness of individuals enough to safely issue a loan, why can’t we develop security scores to determine the level of risk that companies are exposed to?”
In 2013, they founded a New York City-based cybersecurity company and started it from a tiny office, with investor meetings held in a coffee shop in Midtown Manhattan. Working on their idea in the evenings and on weekends, they could see the market shift to the cloud and that more sensitive information was in more sensitive systems around the world, a shift that left traditional tools behind.
“We led various security and engineering teams and invested in many different security solutions. Vulnerability scans, endpoint protection, firewalls and countless security audits,” says Yampolskiy. “But these tools were too short and did not offer a more holistic, continuous view of risk.”
Finally, they developed a way of discreetly recognizing external signals at any company in the world, which would indicate the strength of “cyber hygiene” behind their firewall. These signals could be measured externally without the company being evaluated having to use additional technology. And so the idea for SecurityScorecard was born.
Initially, they self-financed their prototype while keeping their main jobs. “We sketched out what we wanted to achieve with the platform, and this prototype led our seed investors, including Richard Seewald from Evolution Equity and several others at Boldstart Ventures, to believe in us and give us our first real cash flow,” says Yampolskiy.
The SecurityScorecard security scoring platform records over 27 billion vulnerabilities weekly and records over 700 million infected computers in various organizations every day. Its patented rating technology is used by more than 1,000 companies worldwide, including Coca-Cola and Bloomberg, for self-monitoring, third-party risk management, board reporting and cyber insurance underwriting.
“Machine learning enables us to optimize the correlation between our security ratings and the relative likelihood of a data breach,” explains Kassoumeh. “This provides scores with better risk insights so our users can make smarter business and security decisions. We found that companies with a low score are more than seven times more likely to be hit by violations or compliance penalties than companies with a high score.”
CISOs and security managers can use security assessments to monitor the effectiveness of their processes and controls over time, assess team performance, and show the ROI of security spending. They can also use security assessments between audits to prove that new security measures are working. And with continuous monitoring of weak points and risk signals, the data analysis engine recalibrates the score as soon as new protective measures are integrated.
But it’s an ever-changing world where organizations face many different types of threats and security risks. The global pandemic was a case in point of companies being forced to adapt to widespread remote working, whether or not they were ready for it.
“Companies that weren’t in the cloud now do their business in the cloud, and companies that didn’t use remote connections now have an urgent need for it,” says Yampolskiy. “This move was quick, creating security vulnerabilities and misconfigurations due to the need for rush, which further underscores the importance of continuous network monitoring as both new and familiar adversaries try to exploit security vulnerabilities.”
SecurityScorecard recently completed a Series E round for $180 million, bringing total funding to more than $290 million. This will further accelerate the company’s growth through planned investments in new product lines, global expansion, a growing partner ecosystem and additional capabilities to assess and mitigate cybersecurity risks in novel ways.
The company has almost 250 employees, and the number is rising. Its service is currently the only one in the world that continuously evaluates over 1.6 million companies. The co-founders aim to go public in the next few years.
“We are well positioned for this,” says Kassoumeh. “As part of our mission, we anticipate that over the next two to three years, every company in the world will have their own safety assessment and use them for a variety of use cases, including reporting to their board of directors and public shareholders for discussions about reducing risks, lowering cyber insurance premiums and more.”