SecurityScorecard, the risk management firm whose platform helps provide security ratings, said Thursday that it raised $27.5 million in Series C funding.
The latest round, the company said in a statement, was led by Nokia Growth Partners (NGP) with participation from Moody’s Corporation, AXA Strategic Ventures and Intel Capital. Several existing investors – including Sequoia Capital and Google Ventures – also participated. The funds will be used to increase data coverage (in terms of how much data is collected).
The company said in its press release that it “continuously monitors the security posture of more than 200,000 enterprises and government agencies … and assigns an A to F rating” to enterprises.
In an interview with Karen Webster, Dr. Aleksandr Yampolskiy, CEO and founder of SecurityScorecard, said the genesis of the firm can be traced to his previous tenure as chief security officer at Gilt Groupe. In that role, he faced the daily conundrum of investing money in solutions to protect the company’s data, while the marketing department was introducing third parties who wanted access to their customer data for joint partner programs.
Yampolskiy said that those announcements created lots of anxiety, because there was no way to tell if those firms had the proper data protection policies in place.
Thus, came the idea of the security scorecard – one designed to determine whether it was possible “to know from the outside, without anybody giving you permission or consent, to measure how secure any company is in the world?”
And the company by the same name was born.
According to Yampolskiy, creating the scorecard starts with gathering “all types of information” from the internet about the state of a company’s security. The granular info gleaned can delve into risks, such as using out-of-date (and thus vulnerable) software to create documents or whether a firm’s site is configured to combat denial of service attacks.
The data is back-tested historically, Yampolskiy said. Companies that are poorly rated are five-and-a-half times more likely to be breached than those with a relatively high rating of “A” or “B.” The rationale, said Yampolskiy, is simple: If we discover all the things that a company is not doing according to best security practices and such shortcomings are observable by outsiders, “then they are probably not doing a good job on the inside either.”
Yampolskiy views the scorecards as a way to foster collaborative effort to improve everyone’s security prospects, fostering conversations between firms and vendors about security and vulnerabilities. Current use cases extend across firms that rate their customers and suppliers, others who report to their own boards of directors about the state of their own security scorecards, and firms that use the data to make better underwriting decisions.
“A lot of the times, companies might not even know what’s out there,” in terms of risks, said Yampolskiy. “They think they know their systems.” He likened the vulnerabilities to a person who is used to traveling in and out by way of the front door, and leaves the back door totally exposed to someone who sees it and then exploits that vulnerability.
Webster asked how third party (via API) connections to everything have changed companies' interest in and demand to see how these third parties score.
Yampolskiy said that APIs add another layer of vulnerability, as in past years data was hosted in a single data center. Then came devices used for business (and the need to protect those devices), and the shift to the cloud has changed how many firms conduct core business processes. Now, just about any sliver of corporate information travels to dozens of third parties. Think of shipping information that travels beyond, say, FedEx or UPS, making its way to credit card companies, marketing companies and so on.
Where a company once existed as a standalone house, with APIs it now stands in a crowded neighborhood – and should one house catch fire, the others are at risk, due to proximity.
Said Yampolskiy of his firm, “Our mission is to create a new language for how companies talk about security, measure security and communicate security. I’m a big believer that you cannot improve what you cannot measure.”