Gartner recently named Security Ratings a top priority for CIOs for 2019, and one of the platforms that all major companies want a gold star from is SecurityScoreboard: the leading security ratings platform. In a matter of minutes, this platform can instantly and non-intrusively measure the security of any company in the world. Its rating and analysis contextualizes cybersecurity risk so all parties involved – including vendors and suppliers – can interpret and assess any vulnerabilities within a business operation.
AlleyWatch spoke with cofounder Aleksandr Yampolskiy about the importance of cybersecurity and the company’s recent Series D funding, which brings the company’s total funding to $110M.
Who were your investors and how much did you raise?
SecurityScorecard completed a $50M Series D financing round, led by Riverwood Capital, Intel, Evolution, Two Sigma, Accomplice, among other investors participated in the round as well.
Tell us about the product or service that SecurityScorecard offers.
As the only security ratings provider to have scored over 1 million companies, SecurityScorecard provides the industry’s broadest range of rated companies, offering its customer community an incredible amount of historical data to contextualize cybersecurity risk. Today, SecurityScorecard’s platform is the “gold standard” for security ratings used across 175 countries for cybersecurity insurance underwriting, M&A due diligence, reputation management, and vendor risk management.
Sam and I are both former cybersecurity practitioners by trade. Something we both personally experienced as CISO’s is that even if I felt good about my own company’s security – maybe I had good support from execs and board and good budget – everyone was still losing sleep and worrying about the data not in their own infrastructure. Over the past 15 years, we saw this paradigm shift where we all saw more and more of the company’s operations being outsourced to third-party partners like cloud service providers or various types of software as a service platforms. Chief security officers felt they were losing control and visibility of their data as it was being managed by these other companies. Addressing that concern is really what led to the genesis of SecurityScorecard in 2013 where we had the idea – could we instantly and non-intrusively measure security of any company in the world?
How is SecurityScorecard different?
We have a number of core differentiators in what we do. Number one, as I mentioned earlier, is that we have over a million rated companies in our system – five times as much as anybody else in the market. This couples closely with our fast scoring where we’re scoring companies of any size in minutes, while other solutions on the market may take days.
Another key differentiator is that we provide a lot of interest in data science analytics and unique AI insights on top of the data itself. Security ratings are interesting, but the really useful information is deriving additional actionable insights on top of that data.
We recently also launched Atlas risk exchange, which with our main platform provides a 360-degree view of risk.
Finally, SecurityScorecard is the only security ratings provider with complete transparency and visibility into the ratings methodology (we actually publish it for the world to see on our site) – providing companies with a clear, transparent path to becoming more secure and resilient.
What market does SecurityScorecard target and how big is it?
In short, the market is massive, the opportunity is growing, and we expect this will continue to be the case. While the genesis of the company was around visibility into vendor performance, we’ve found that many of our customers wind up using SecurityScorecard for other use cases. For example, they monitor themselves because they actually enjoy using us that much. It’s great that even vendors who are invited to the platform often end up using it for themselves on an ongoing basis to help with prioritization, using tools like score planner. They then invite their vendors too, generating this great flywheel effect. As a result, we have a fairly big critical mass in the market, and for us, this is exciting because it means we’re providing hundreds of thousands of companies worldwide the blueprint to becoming more cyber-resilient.
Additionally, we see use in the cyber insurance underwriting space by players like AXA, Allianz, and others, in compliance, and in other areas.
The market is massive, the opportunity is growing, and we expect this will continue to be the case as a result of the market drivers.
How has your role evolved as the company scales?
As the company scales, increasingly, I too have to reinvent and challenge myself. The type of CEO you have to be at 10 to 20 is different than 100 to 200.
Ultimately, it’s all about spending time surrounded by the right people, the ones who congratulate you for your success and then immediately ask you where you are going next.
How has the business changed since we last spoke in 2017 after SecurityScorecard’s Series C round?
We’ve doubled the revenue for the fourth year in a row, doubled the number of new customer logos, and rapidly expanded operations in EMEA and APAC with many competitive displacements. We’re working with the leading underwriters and insurance brokers, and have seen an exponential increase in partner integrations, including Splunk, ServiceNow, and RSA Archer. We’ve launched Atlas risk exchange, a professional services offering to help build and scale risk management programs. And with Gartner naming Security Ratings a top priority for CIOs for 2019, we expect the next year to show even more growth.
What are the largest security threats facing companies now that are not being addressed?
Cyber threats are rapidly evolving, but one fundamentally critical question more companies don’t ask themselves, but should, is what is a hacker’s window of opportunity?
To explain a little, three key metrics that organizations should be thinking about when they are measuring security are:
The level of preparedness: How many endpoints are fully patched and up to date? What is the percentage of endpoints?
The detection time: When the new version of software comes out, like a new version of Internet Explorer or Google Chrome, how many days does it take for a company to initiate and begin an upgrade to the next version?
The response time: How many days does it take to complete the update?
The difference between the detection time and response time is called the window of opportunity. For example, if it takes one day for an organization to detect the next version of Google Chrome but five days to complete that update, the attacker has a four-day window of opportunity to exploit the vulnerability and break into your organization. This is going to show you the key indicators of organizational health that are observable from outside and that measure the efficacy of the organization’s internal IT security control. So, the critical question that you need to be asking your own organization, third-party vendors, insurance applicants, or your M&A targets is what is a hacker’s window of opportunity into the environment of this company?
So, the critical question that you need to be asking your own organization, third-party vendors, insurance applicants, or your M&A targets is what is a hacker’s window of opportunity into the environment of this company?
Our customers are asking these tough questions and getting the data through our Security Program Analytics to understand and measure the maturity and evolution of their organization’s IT security program as it is built and matured (and that of their third and fourth parties).
What was the funding process like?
It’s an exciting process for the whole team. The security rating space is a hot market, and this was a very competitive, oversubscribed round. We decided to partner with Riverwood Capital – smart, innovative investors with an excellent track record of investing and scaling in top enterprise businesses. It’s promising to see and we’re excited for what the future holds.
What are the biggest challenges that you faced while raising capital?
Related to the above, we really had no challenge. There’s a huge addressable market, it was very competitive, capital was easy to find. For us, it was really about finding the right relationship with the right investor who we felt would guide us to the next level – we’ve found that in Riverwood Capital.
What are the milestones you plan to achieve in the next six months?
Double the revenue yet again, rapidly continue to innovate with leading analytics and product and service offerings.
Where is your favorite quick getaway summertime destination?
My family and I love to escape to Cape Cod – it’s always great to get away for the weekend, enjoy some beautiful views and family time, and get the creative juices flowing!