Cybersecurity ratings platform SecurityScorecard raises $180M

SecurityScorecard, a cybersecurity rating and risk-monitoring platform, today announced it has raised $180 million in a series E round of funding.

Founded in 2013, SecurityScorecard enables companies like Nokia, AXA, Liberty Mutual, and Cadence Bank to evaluate and continuously monitor their security, including weaknesses in third-party vendors that they use. “In the same way you can get a credit score and use credit scores to measure financial trustworthiness, cybersecurity ratings do the same,” company CEO and cofounder Alex Yampolskiy told VentureBeat.

Using seven years of historical data, SecurityScorecard assigns ratings from A to F to help security personnel address their most important vulnerabilities and evaluate external partnerships, providing an easy way to “understand their cyber posture,” COO and cofounder Sam Kassoumeh added. “We have shown that companies with a bad score are 7.7 times more likely to be breached than companies with a good score.”

Ratings are given out on a category basis, so a company may receive an average “medium severity” grade for their patching cadence and DNS Health but a “high severity” rating for their network security, for example.

Above: SecurityScorecard: Ratings

The score is really just the tip of the iceberg though, and SecurityScorecard offers additional tools and services based on this metric, including enterprise risk management that helps establish vulnerabilities in IT infrastructure and analytics that enable businesses to “operate with a situational awareness of the cyber risk landscape and make business decisions with more confidence,” Kassoumeh said.

External combustion

While businesses can invest all the money in the world into shoring up their internal defenses, they have limited control over companies they do business with, and data breaches caused by third-party compromises have been a growing problem. Perhaps the most obvious recent example was the SolarWinds supply chain attack, in which a flaw in the company’s Orion network management software was used as a vehicle to spread malicious code to nearly 18,000 of its customers. These included government agencies and tech titans like Microsoft, which revealed at the time that hackers had downloaded source code for Azure and Exchange. Microsoft president Brad Smith called it the “largest and most sophisticated attack the world has ever seen.”

SecurityScorecard recently published its own investigations into the Exchange attack, noting that while it was not as extensive as first feared, it was still far-reaching.

“Using our proprietary technology to scan the internet for vulnerable public-facing Microsoft Exchange servers revealed 2,500-18,000 vulnerable servers worldwide, a majority of which are in Europe, the Middle East, and Africa,” Kassoumeh said. “We also discovered the vast majority of the victims were located in the United States and Germany, demonstrating a strong degree of intentionality by the perpetrators.”

Cloudburst

The problem SecurityScorecard is trying to fix is not a new one, of course — Kassoumeh and Yampolskiy first had the idea for SecurityScorecard while working on security for an ecommerce website around a decade ago. But in the intervening years, the technological landscape has increasingly focused on the cloud, which has made the issue more urgent.

“Sam and I had the idea for security ratings back in 2013 when we were trying to understand the risks posed by our extended ecosystem of vendors and business partners, in addition to trying to report our own cybersecurity health to our board of directors,” Yampolskiy said. “This problem has only become more acute as companies became more interconnected and moved to the cloud.”

Indeed, cloud infrastructure spending has gone through the roof over the past year, driven in large part by the rapid shift to remote working. This opens the doors to a swathe of potential vulnerabilities, which is why cybersecurity spending is expected to grow by 10% in 2021 — putting a company like SecurityScorecard in a strong position.

The company said it has added 450 new customers to its roster over the past year, with its international revenue and footprint showing strong growth. It has also received a number of accolades, including recognition by the World Economic Forum as one of 2020’s “technology pioneers,” while Forrester recently included SecurityScorecard as one of the “seven most significant” cybersecurity risk rating platforms. Other players included on that list were BitSight, UpGuard, RiskRecon, Panorays, Prevalent, and Black Kite (formerly Normshield), which secured $7.5 million in funding late last year.

This suggests a degree of saturation in the space, but SecurityScorecard is setting out to differentiate itself in several ways.

Ecosystem

Kassoumeh pointed first to the company’s data, which he said is continuously updated. He said the company is able to gather “27 billion points per week and run one of the largest malware sinkholes networks in the world” — spanning more than 500 million infected machines. “This enables us to continuously gather, attribute, and rate 2 million companies in the world and provide real-time intelligence that does not require any manual inputs or curation,” Kassoumeh explained. “This data enables us to give a ‘fast score’ within minutes, as opposed to days and weeks.”

But SecurityScorecard’s biggest selling point may be its focus on the broader ecosystem through a dedicated marketplace that brings a bunch of prebuilt integrations spanning categories such as risk management and compliance, government, vendor risk management (VRM), security information and event management (SIEM), and more. This means customers of Splunk, for example, can access SecurityScorecard’s security ratings, risk category data, and issue-related data directly inside Splunk, helping them monitor their own internal and external cybersecurity risks.

“Through this ecosystem, SecurityScorecard empowers customers to gain operational scale through automated workflows [and] continuous risk intelligence gathering by incorporating our cybersecurity data into other solutions they use and reduce time to risk mitigation,” Kassoumeh said.

SecurityScorecard had previously raised around $112 million, and its latest $180 million cash injection attracted many returning investors, including Alphabet’s GV and Intel Capital, alongside new backers such as Silver Lake Waterman and T. Rowe Price Associates.