CISOs: What’s Your Cybersecurity Score?

It’s as important as a credit score

David Braue

Melbourne, Australia – Jul. 27, 2021

Like many CISOs, Dr. Aleksandr Yampolskiy thought his company’s data was pretty well secured: after all, long-running investments into threat-intelligence feeds, vulnerability scanners, vendor risk management and other tools were bound to provide security, right?

It was only when his employer, e-commerce company Gilt Groupe, was sold to new parent Hudson’s Bay Company that its data security problems became clear.

“As a CISO, I invested a lot of money into all kinds of tools,” Yampolskiy told Cybercrime Magazine, “yet I was completely in the dark if the information that I sent to those third parties was being protected.”

It was in the midst of the addition of a new fraud-prevention service that the wheels fell off. “We started integrating with our systems,” he recalled, “and as we were integrating with their systems, we discovered unencrypted credit card data belonging to other companies.”

That was the “oh crap moment,” he said, that ultimately bred SecurityScorecard — which started incubating in 2013 and, with the support of co-founder and COO Sam Kassoumeh, emerged as a full-fledged company in 2014.

Its core conceit was to find a standardized way of measuring a company’s information security posture by remotely pinging all of its publicly available systems, then collecting the protocol responses that the target system sends back.

Systems are tied back to individual organizations using a variety of methods, with hundreds of data points collected on more than 5 million companies to provide a broad and rich data set to which any company can be compared.

Those early days — just two people sitting at desks in a rented office — were frugal but “exciting,” now-CEO Yampolskiy said, “but we were confident that measuring security, and coming up with a way to score companies, was something that would revolutionize how security is done.”

The market clearly agreed: seven years later, SecurityScorecard is closing in on unicorn status after a March Series E fund-raising pushed its funding to over $290 million on a valuation of close to $1 billion.

As important as credit scores

Standardizing the process by which cybersecurity risk is evaluated has become critically important for companies that face ever-escalating cybercriminal attacks, stricter governance requirements, closer oversight by regulators and insurers, and the increasing involvement of risk-averse boards and executives.

“Security ratings have become a must-have,” said Yampolskiy, “instead of a nice look; analysts are confirming that security ratings are going to be as big as credit ratings in the next few years.”

Gartner, for one, agrees: the consulting giant named security ratings services as one of ten top security projects in 2019, noting that “as digital transformation matures, the risks associated with complex ecosystems become an integral part of the business.”

Security and risk management leaders should use security ratings services “to provide continuous, independent scoring for their overall digital ecosystem,” Gartner advised — and that was before COVID-19 exacerbated risk by accelerating digital transformation amidst a tidal wave of cybersecurity attacks.

That guidance has remained, with Gartner’s latest top-ten list highlighting the importance of automating security risk assessments that “tend to be either skipped entirely or done on a limited basis…. Assessments will allow for limited risk automation and visibility into where risk gaps exist.”

Over the years, SecurityScorecard has expanded its data collection methods to include a large network of sinkholes and honeypots — which collect data about potential malware compromise outside of a company’s network — and extensive OSINT and commercial threat intelligence feeds.

The company has also launched Atlas, a questionnaire-based machine learning platform that correlates responses to security questions back to security ratings, providing an internal view of security to complement outside scores.

“The goal of the ratings is not to replace human judgement,” Yampolskiy said, “but it is to facilitate the conversation between a company and its suppliers, M&A targets, investment targets, the board, and others.”

“The scores create a context, the findings, and a pathway to improvement. You can use the scores and the findings as a way to facilitate an intelligent dialogue — and then you can figure out if you accept the risk or you don’t.”

David Braue is an award-winning technology writer based in Melbourne, Australia.
About SecurityScorecard

SecurityScorecard is the global leader in cybersecurity ratings and the only service with over two million companies continuously rated. Our mission is to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees, and vendors.