Cybersecurity ratings platform SecurityScorecard raises $180M

SecurityScorecard, a cybersecurity rating and risk-monitoring platform, today announced it has raised $180 million in a series E round of funding.

Founded in 2013, SecurityScorecard enables companies like Nokia, AXA, Liberty Mutual, and Cadence Bank to evaluate and continuously monitor their security, including weaknesses in third-party vendors that they use. “In the same way you can get a credit score and use credit scores to measure financial trustworthiness, cybersecurity ratings do the same,” company CEO and cofounder Alex Yampolskiy told VentureBeat.

Using seven years of historical data, SecurityScorecard assigns ratings from A to F to help security personnel address their most important vulnerabilities and evaluate external partnerships, providing an easy way to “understand their cyber posture,” COO and cofounder Sam Kassoumeh added. “We have shown that companies with a bad score (i.e. “F”) are 7.7 times more likely to be breached than companies with a good score.”

Ratings are given out on a category basis, so a company may receive an average “medium severity” grade for their patching cadence and DNS Health, but a “high severity” rating for their network security, for example.

Above: SecurityScorecard: Ratings

The score is really just the tip of the iceberg though, and SecurityScorecard offers additional tools and services based on this metric, including enterprise risk management that helps establish vulnerabilities in IT infrastructure and analytics that enable businesses to “operate with a situational awareness of the cyber risk landscape and make business decisions with more confidence,” Kassoumeh said.

External combustion

While businesses can invest all the money in the world into shoring up their internal defenses, they have limited control over companies they do business with — data breaches caused by third-party compromises have been a growing problem. Perhaps the most obvious recent example was the SolarWinds supply chain attack, in which a flaw in the company’s Orion network management software was used as a vehicle to spread malicious code to nearly 18,000 of its customers, including government agencies and tech titans like Microsoft, which revealed at the time that hackers had downloaded source code for Azure and Exchange. Microsoft president Brad Smith called it the “largest and most sophisticated attack the world has ever seen.”

SecurityScorecard recently published its own investigations into the Exchange attack, noting that while it was not as extensive as first feared, it was still far-reaching.

“Using our proprietary technology to scan the internet for vulnerable public-facing Microsoft Exchange servers revealed 2,500-18,000 vulnerable servers worldwide, a majority of which are in Europe, the Middle East, and Africa,” Kassoumeh said. “We also discovered the vast majority of the victims were located in the United States and Germany, demonstrating a strong degree of intentionality by the perpetrators.”

Cloudburst

The problem SecurityScorecard is trying to fix is not a new one, of course — Kassoumeh and Yampolskiy first had the idea for SecurityScorecard while working on security for an ecommerce website around a decade ago. But in the intervening years, the technological landscape has increasingly focused on the cloud, which has made the issue more urgent.

“Sam and I had the idea for security ratings back in 2013 when we were trying to understand the risks posed by our extended ecosystem of vendors and business partners, in addition to trying to report our own cybersecurity health to our board of directors,” Yampolskiy said. “This problem has only become more acute as companies became more interconnected and moved to the cloud.”

Indeed, cloud infrastructure spending has gone through the roof over the past year, driven in large part by the rapid…