Everyone is curious to know how safe they are, especially in the digital age. Sometimes we want to lie to ourselves that we are safer than we are, but when it comes to our businesses, we must be honest. SecurityScorecard helps you maintain that integrity by helping you monitor your cyber security risks, informing you when there is something to actually be concerned about through their patented solution.
AlleyWatch spoke with Dr. Alexander Yampolskiy and took an inside peek at how the company is going to new lengths to ensure your safety.
Tell us about the product or service.
SecurityScorecard is the most accurate security rating platform. We’re a SaaS company that empowers organizations with security intelligence and fosters collaborations between organizations and partners. We provide organizations with security ratings based on a 10-factor breakdown complete with specific issue types. Our platform also provides further insight into compliance and regulation standards, specifying how companies might not meet specific compliance standards such as PCI, HIPAA, ISO, SIG, and SIG-Lite.
We non-intrusively measure critical data points across the entire internet such as Endpoint Security, Network Security, IP Reputation, as well as from unique sources such as Hacker Chatter, which combs through dark web hacker forums for mentions of an organization and Leaked Information, which reports on what sensitive information, such as passwords and email addresses, has been leaked online.
Organizations can use the information in the platform to make informed security decisions about what aspect of their security needs to be improved and to validate the efficacy of any security measures and investments. For mitigating third party risk, users reach out to their partners and communicate the vulnerability found in the platform either by sharing generated reports or directly inviting the vendor to the platform.
The platform is perfect for Vendor Risk Managers, Security Practitioners and Heads of Security, as well as CyberInsurers.
How is it different?
SecurityScorecard’s top differentiators are in the breadth and depth of its data. We have pre-calculated scores for 100K organizations and report on 400% more critical data points than our closest competitor. Our data is 80% proprietary and we have several patents for our data collection methods. This allows us to be as close to the data as possible, allowing us to validate and sanitize the data.
Our Automatic Vendor Detection (AVD) model allows organizations to look at their vendors’ third party, providing fourth and fifth party insight, an increasingly essential aspect of vendor risk management. Our collaborative approach to security is also built into our platform, which gives organizations a way to directly communicate with vendors through the platform and share identified vulnerabilities, in order to immediately begin the remediation process.
What market are you attacking and how big is it?
We’ve created our own market – the Security Ratings market, validated by Gartner. It takes on cybersecurity from a different angle: actionable information. We provide immediate security intelligence on organizations and their vendors that can be transformed into action. Currently, there are fewer than 10 vendors who are in the security ratings market, who provide a subset of the information we provide in our platform.
What is the business model?
We offer licenses to use our SaaS platform with a pre-fixed number of vendor slots. Users can purchase a pre-fixed number of slots from 15 up to 5000 and more, with an unlimited option based on the size of the company and the number of vendors that are being assessed.
What inspired the business?
My co-founder, Sam Kassoumeh, and I are two former CISOs who saw a large gap in vendor risk management and security intelligence. Traditional vendor risk management relies on self-reported questionnaires, expensive onsite assessments, and penetration tests. These methods were expensive, time-consuming, and only relevant from the moment of the assessment (known as the point-in-time problem). We wanted a way to look at the security posture of their vendors at any time in order to have a clear view of their vendor ecosystem. This inspired the creation of SecurityScorecard.
What’s the driving force behind attracting white hat hackers to work with your company?
Our company is focused on our SaaS platform that is built from a security intelligence foundation. Our team of data scientists, security researchers, and developers are all required to have ‘Security DNA,’ one of our values. Because of that, white hat security researchers [hackers] have the freedom to engage in security research and see their findings directly implemented in our company. Specific company initiatives include a King/Queen of Developers position, a week-long role where a developer receives a free lunch, a specialized work station, and the capability to work on any specific project they want, regardless of team or current sprint.
Finding strong talent is very challenging but also very rewarding. We take pride in our EPPICS values (Strong Work Ethic, Pushing the limits, Positivity, Innovation, Culture of Ownership, and Security DNA) and want any of our new employees, especially white hat hackers, to embody those values. It isn’t enough for us to simply put these values up on the wall; it should be the driving force of our culture. To embody these values is to use them when faced with difficult decisions, to use them when no one is watching, and to make sure that everyone else is also embodying those values. This makes it difficult to secure the right talent but it also ensures that when we do hire someone, it’s a great fit.
In addition to our strong security culture, we also offer a number of benefits and incentives that all our employees can take advantage of. We offer a yearly $3,000 stipend for career-related classes and a $1,500 reimbursement stipend for related conferences for every employee.
What are the milestones that you plan to achieve within six months?
We revealed our new ThreatMarket™, the world’s first security search engine, earlier this year to much fanfare and anticipation. With its launch, we’re hoping to better bridge the gap between vendor risk managers, and security researchers, in order to improve the security intelligence community as a whole. In six months, we’re hoping to spearhead a wave of new security research that all companies, large or small, can use in order to minimize their chances of being breached.
What is the one piece of startup advice that you never got?
Information travels differently depending on the size of your company. Something I never thought would be a serious challenge was making the decision on what channels to use so the company can communicate with each other. When we were only a company of 10 people, information traveled through osmosis. Everyone was next to each other in the same room, so everyone knew what was happening in the company.
Things are very different when your company grows to 100+. It’s much more difficult for information to easily travel to every employee and it’s something that needs to be addressed as a priority. So many problems can be attributed to lack of communication or miscommunication; if you don’t prioritize facilitating information sharing within your company, the challenges of running a startup will only grow. One thing we consciously decided to do, as a company, was to limit the number of phones people had access to, except for the sales team and a few select individuals. Why? Because if an employee started working here and found a phone on their first day, they would expect that they would have to make a lot of calls. We didn’t want that – instead, we wanted to facilitate face-to-face communication or video-conferencing for our remote team. It’s subtle, but it’s a way of communication and information sharing that really embodies the values mentioned earlier.
If you could be put in touch with anyone in the New York community who would it be and why?
I’ve been fortunate to speak with almost anyone I wanted to in New York City, which is a testament to the accessibility of people in New York. If I had to choose one, it would be Michael Bloomberg, who I had previously had the chance to meet at conferences, but just in passing. Not only is he a successful businessman, but he’s also intelligent, a philanthropist, and an inspiring leader. If I had the chance to sit down and talk to him, I would ask him what I ask every successful leader and inspiring person I meet: if you could meet yourself when you were 20 years old or fresh out of college, what advice would you give yourself?
Why did you launch in New York?
I immigrated to New York City from Russia with my family over 22 years ago. I’ve always loved New York and am settled here. What has always impressed me about this city is its impressive multifaceted qualities. It’s fast-paced, diverse, has a hard-working population, and some of the best talent found in any industry, whether it’s security, marketing, business, or finance. Our customers and prospective customers are here and it’s great to be able to take a 30-minute ride and speak to them in person. Despite Silicon Valley getting the majority of the start-up buzz, I think that New York is more advantageous for startups because that’s not the only thing the city focuses on. A location like Silicon Valley has startups with a lot of funding and the talent often shops around for the best salary or the best benefits. In New York, we’re able to secure the right talent because not only is everyone a competitive high performer, but they care about the work they do, rather than just how much they’re paid.
What’s your favorite rooftop bar in NYC to unwind?
The Gansevoort Park rooftop is my favorite location for a number of reasons. The location, the atmosphere, and the view are beautiful, but there’s a personal reason why I enjoy it.
I’ve always had a fear of heights, and the Gansevoort Hotel has glass tiles on its floors where you can sit down, have your drink, and then look down at the street. That always made me uncomfortable but I knew I had to get over it. I believe that pushing yourself outside the edge of your comfort zone is how you become a better person and a successful person. I used to work there and I would always force myself to sit over the glass tiles, have a coffee, get uncomfortable, even scared, and get over my discomfort. This is what drives me to make difficult decisions and take risks. It’s all about balancing how far you push yourself past the edge of comfort. That’s why I resigned as a CTO and started SecurityScorecard. It was scary, but it was important.
Now, the Gansevoort is my favorite rooftop bar.