When it comes to cybersecurity, lots of companies say they run a tight ship. But how do you know for sure?
As companies become more and more intertwined through software and cloud-based products, it’s not enough to take others at their word anymore. After all, one vendor’s sloppy security settings could lead to a data breach for another. It happened to Target.
We want to become the de facto standard anywhere a company is performing a cyber risk assessment.”
That’s where SecurityScorecard comes in. Headquartered in New York, the company provides security ratings for more than one million companies across 175 countries.
As insurance firms and other businesses start to treat cybersecurity as a serious issue, SecurityScorecard’s business has boomed. And on Thursday, the company prepared to capitalize on its growth with the close of a $50 million Series D round.
The round will help the company scale as they strive to become the standard in cyber risk assessment, said Sam Kassoumeh, COO and co-founder of SecurityScorecard.
“We want to become the de facto standard anywhere a company is performing a cyber risk assessment,” Kassoumeh said. “The goal is to become woven into how companies are assessing risk.”
Kassoumeh and Aleksandr Yampolskiy launched SecurityScorecard in 2013 to build out a formal security assessment tool that would help companies assess their own security practices as well as those of their vendors. In the past, businesses only had three options, Kassoumeh said. They could simply ignore the problem, send a comprehensive pen-and-paper questionnaire or perform a penetration test. Each one either took up too much time or relied on the vendor’s word.
SecurityScorecard instead conducts a noninvasive security analysis that scans a company’s network for issues, gets a picture of the number of domains and subdomains they own and looks at how long it takes them to patch any breaches or attend to any IT issues.
The company’s algorithm takes in all that information, weights it and then spits out a grade from A to F. Keeping the grading system simple gives those companies a tool they can use to bridge the gap of technological knowledge, Kassoumeh said.
“Board members are starting to ask, ‘How secure are we?’” Kassoumeh said. “The grading system is being used as a bridge language to help articulate security performance and ROI to that board member.”
Customers and non-customers are able to access the website to check their grades, as well as the grades of others. They can also see tips for how they can improve their security. The goal is to inspire companies to be more proactive about their security and use it as a competitive advantage, Kassoumeh said.
“If I see a follower monitoring me and my competition, it makes me want to improve my grade,” Kassoumeh said. “It makes the tech ecosystem more secure. Companies who engage with our platform typically improve at least one or two letter grades.”
With this round, SecurityScorecard aims to expand their offerings. They plan to work with more small and mid-sized businesses who may not have the budget for a security team, gain a larger foothold in Europe and Asia, provide more service tools to help customers improve their security and partner with insurance underwriters to help them measure cyber risk.
They also plan to grow their team from about 180 by about 30 percent, with most of those jobs being located in New York.
Riverwood Capital led the round, along with participation from existing investors Evolution Equity, Intel Capital, Two Sigma, AXA Ventures, Accomplice and more.