Cybersecurity ratings platform SecurityScorecard raises $180M

SecurityScorecard, a cybersecurity rating and risk-monitoring platform, today announced that it has raised $180 million in a series E round of funding.

Founded in 2013, SecurityScorecard enables companies to evaluate and continuously monitor their security, including weaknesses in third-party vendors that they use. Using seven years of historical data, SecurityScorecard assigns ratings of A-to-F to help security personnel address the most important vulnerabilities and evaluate external partnerships, giving an easy way to “understand their cyber posture,” SecurityScorecard COO and cofounder Sam Kassoumeh told VentureBeat. “We have shown that companies with a bad score (i.e. “F”) are 7.7 times more likely to be breached than companies with a good score.”

Ratings are given out on a category basis, so a company may receive an average “medium severity” grade for their patching cadence and DNS Health, but a “high severity” rating for their network security.

The score is really just the tip of the iceberg though, a metric upon which SecurityScorecard offers additional tools and services, including analytics that enable businesses to “operate with a situational awareness of the cyber risk landscape and make business decisions with more confidence,” as Kassoumeh put it.

External combustion

While businesses can invest all the money in the world in shoring up their internal defenses, they have limited control over companies they do business with — data breaches caused by third-party compromises has been a growing problem through the years. Perhaps the most obvious recent example was the SolarWinds supply chain attack, which saw a flaw in the company’s Orion network management software used as a vehicle to spread malicious code to nearly 18,000 of its customers, including government agencies and tech titans such as Microsoft which revealed at the time that hackers had downloaded source code for Azure and Exchange. Microsoft president Brad Smith called it the “largest and most sophisticated attack the world has ever seen.”

SecurityScorecard recently published its own investigations into the Exchange attack, noting that while it was not as extensive as first feared, it was still far reaching.

“Using our proprietary technology to scan the internet for vulnerable public-facing Microsoft Exchange servers revealed 2,500-18,000 vulnerable servers worldwide, a majority of which are in Europe, the Middle East and Africa,” Kassoumeh said. “We also discovered the vast majority of the victims were located in the United States and Germany, demonstrating a strong degree of intentionality by the perpetrators.”

Cloudburst

The problem that SecurityScorecard is trying to fix is not a new one, of course — Kassoumeh and CEO / cofounder Alex Yampolskiy first had the idea for SecurityScorecard while working on security for an ecommerce website around a decade ago. But in the intervening years, the technological landscape has increasingly focused on the cloud, which hasn’t helped matters.

“Sam and I had the idea for security ratings back in 2013 when we were trying to understand the risks posed by our extended ecosystem of vendors and business partners, in addition to trying to report our own cybersecurity health to our board of directors,” Yampolskiy said. “This problem has only become more acute as companies became more interconnected and moved to the cloud.”

Indeed, cloud infrastructure spending has gone through the roof over the past year, driven in large part by the rapid shift to remote working. This, in turn, opens the doors to a swathe of potential vulnerabilities, which is why cybersecurity spending is touted to grow by 10% in 2021 — putting companies such as SecurityScorecard in a strong position.

The company said that it has added 450 new customers to its roster over the past year, with its international revenue and footprint showing particular strength. It has also received a number of accolades, including recognition by the World Economic Forum as one of 2020’s “technology pioneers,” while Forrester recently included SecurityScorecard as one of the “seven most significant” cybersecurity risk rating platforms. Other players included were BitSight, UpGuard, RiskRecon, Panorays, Prevalent, and Black Kite (formerly Normshield), which secured $7.5 million in funding late last year.

This suggests there is a degree of saturation in the space, however SecurityScorecard said that it’s setting out to differentiate in several ways.

Ecosystem

Kassoumeh pointed to the company’s data, which he said it continuously updates and gathers “27 billion points per week, and run one of the largest malware sinkholes networks in the world” spanning more than 500 million infected machines. “This enables us to continuously gather, attribute, and rate 2 million companies in the world, and provide real-time intelligence that does not require any manual inputs or curation,” Kassoumeh explained. “This data enables us to give a ‘fast score’ within minutes, as opposed to days and weeks.”

But perhaps the biggest selling point for SecurityScorecard is its focus on the broader ecosystem through a dedicated marketplace that brings a bunch of pre-built integrations spanning categories such as risk management and compliance; government; vendor risk management (VRM); security information and event management (SIEM); and more. This means that customers of Splunk, for example, can access SecurityScorecard’s security ratings, risk category data, and issue-related data directly inside Splunk, helping them monitor their own internal and external cybersecurity risks.

“Through this ecosystem, SecurityScorecard empowers customers to gain operational scale through automated workflows, continuous risk intelligence gathering by incorporating our cybersecurity data to other solutions they use, and reduce time to risk mitigation,” Kassoumeh said.

Prior to now, SecurityScorecard had raised around $112 million, and with its latest $180 million cash injection the company has attracted many of its previous investors including Alphabet’s GV and Intel Capital, alongside new backers such as Silver Lake Waterman and T. Rowe Price Associates.