SecurityScorecard, a ratings platform for cybersecurity risk, uses real-time data to measure companies’ security and improve their resilience. The company, a World Economic Forum Tech Pioneer and a member of the Forum’s Global Innovator community, says its customers include 73% of the Fortune 100, nine of the top 10 U.S. banks, nine of the top 10 in pharmaceuticals, and all 10 top insurers.
The need for such a rating system is greater than ever, Aleksandr Yampolskiy, SecurityScorecard’s CEO, said during an interview in Davos during the Forum’s annual meeting.
During the meeting, the Forum released its Global Cybersecurity Outlook 2023 report, which says that global instability is exacerbating the risk of catastrophic cyber attacks (see The Innovator’s separate story about the report).
Three things are contributing to the state of global insecurity, says Yampolskiy. The first is that the world has become more digitized and interconnected; the second is geopolitical tensions, such as the war in Ukraine; and the third is that cyber criminals are becoming more sophisticated and have a big financial incentive.
The idea behind SecurityScorecard is to allow companies to understand their vulnerabilities by giving them a letter grade, in a similar fashion to the way that rating agencies such as Standard & Poor’s rate the creditworthiness of countries and private enterprises.
Its patented rating technology is used by organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight.
Even today some Chief Information Security Officers (CISOs) resist the idea of scoring. They would rather not know how vulnerable their company is because they are afraid it will reflect badly on them, says Yampolskiy, who co-founded the company in 2013 with fellow security and risk expert Sam Kassoumeh. That’s a mistake, he says, because organizations with a poor cybersecurity grade are 7.7 times more likely to have a data breach than companies with a good score.
Prior to founding SecurityScorecard, Yampolskiy was a CTO at BlogTalkRadio, a large online talk radio and podcast hosting platform, whose technology he scaled to over 30 million visitors each month. He was also a CISO at Gilt Groupe, where he managed all aspects of IT infrastructure security, fraud, secure application development, and PCI compliance. Yampolskiy also led security teams at Goldman Sachs and Oracle, among other companies.
“When I was working as a CISO I saw there was a big gap in the market because there is no way to quantify risk,” he says. “The way we do it is we non-intrusively gather all kinds of signals and datapoints to determine the resilience of a company and reduce it to a score.”
SecurityScorecard provides training to help companies with poor scores to become more cyber resilient but is technology agnostic. It has built a platform that serves as a marketplace for its clients to find apps, services, and partners to help them become more resilient.
The company has raised $290 million from backers such as Sequoia Capital. It sells in 46 countries. About 60% of its business is in the U.S.
The company, which regularly contributes content and insights to the Forum’s Cybersecurity Centre, won the Gartner Peer Insight Customers’ Choice award and has been named a Leader in the Forrester New Wave. In 2021, Yampolskiy was named an E&Y Entrepreneur of the Year 2021 New York Award winner and Cyber Defense Magazine’s CEO of the Year.
Competitors include cybersecurity rating company Bitsight.