Businesses are depending more and more on third parties, but managing a complex web of vendors can create massive risk. In the privacy world, even vendors that don't typically have access to an organization's network can wreak havoc. Who would have thought that an HVAC company would have been part of one of the most well-known data breaches in recent years? (The 2013 Target breach began with network credentials stolen from a refrigeration and HVAC contractor.)
On top of increased risk, companies also face civil and regulatory liability for their vendors. Plus, under the obligations in the upcoming General Data Protection Regulation, companies could face fines of up to four percent of their annual global turnover (or 20 million euros, whichever is higher). We're not just talking bad press here: an insecure vendor can do real damage to a company's bottom line.
Startups are recognizing this opportunity in the marketplace and are utilizing proprietary technology to fill the gap. Venture capitalists are also recognizing the market need and backing it up with cash.
One such startup, SecurityScorecard, recently received a whopping $20 million in series B funding from Google Ventures. In a sense, it is what it sounds like: The company analyzes and rates vendors’ security posture based on a range of security criteria. SecurityScorecard then provides that easy-to-digest information to its clients so they can better assess the risk for every one of their vendors.
Co-founded by two information security veterans, SecurityScorecard now comprises more than 50 staffers with a variety of backgrounds, including expertise in threat intelligence, malware reverse engineering, and data science.
SecurityScorecard co-founder and Chief Operating Officer Sam Kassoumeh said vendor security issues kept percolating to the top when he worked in information security. He said his team was good at managing security in-house, but looking into the security profile of vendors was much more difficult.
“This was a frustrating challenge and a problem that grew bigger year by year,” Kassoumeh told Privacy Tech in a phone interview. “Twenty years ago, companies did things in a vacuum, but over time, interdependencies among companies have grown.” Now, many companies exercise their due diligence by giving their vendors a detailed questionnaire. Yet, it’s difficult for companies to validate the information, and even audit reports can be out of date quickly, as they’re only a snapshot in time.
“Large companies may have as many as 40,000 or 50,000 contracts with vendors,” Kassoumeh pointed out. “That’s a lot of risk to have on the table.”
SecurityScorecard aims to make this process easier and more reliable. Kassoumeh said his company can assess the security of a vendor instantly and non-intrusively, using a combination of public information and its proprietary web crawlers rather than touching the vendor's systems. "We're not simulating a hacker attack," he pointed out. "We collect information across the internet and dark web to find signals of risk." SecurityScorecard then places that information into a database to create a risk-profile map.
"We benchmark companies," he said. "We derive an A through F letter grade based on the security hygiene of a company." This allows companies to quickly assess which vendors to work with and which ones to avoid.
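To make the two ideas above concrete, here is an added toy example of externally observable hygiene signals being turned into a score, a letter grade, and a peer benchmark. It is illustrative code written for this article, not SecurityScorecard's method or data: the signal names, their weights, the grade thresholds, the 30-day freshness window and the sample observations are all assumptions, and the observations are constructed. The freshness window also shows the "snapshot in time" caveat from earlier in the piece: a finding that is no longer recent stops counting against the vendor.

```python
"""Toy external-signal hygiene scoring (illustrative; not SecurityScorecard's method)."""
from dataclasses import dataclass
from datetime import date

# Hypothetical weights for findings an outside observer could collect without
# touching the vendor's network: DNS records, TLS handshakes, HTTP response
# headers, service banners, credentials seen in public dumps.
SIGNAL_WEIGHTS = {
    "no_dmarc_record": 10,
    "missing_hsts": 5,
    "tls_1_0_enabled": 15,
    "expired_certificate": 20,
    "rdp_exposed": 25,
    "leaked_credentials": 30,
}


@dataclass(frozen=True)
class Observation:
    vendor: str
    signal: str
    observed_on: date


def letter_grade(score):
    """Map a 0-100 score onto A through F (assumed thresholds)."""
    for threshold, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return grade
    return "F"


def score_vendor(observations, today, stale_after_days=30):
    """Return (score, grade) for one vendor from its external findings.

    Findings older than stale_after_days are ignored: each assessment is
    only a snapshot in time, so stale evidence should not drive the grade.
    """
    penalty = 0
    for obs in observations:
        if (today - obs.observed_on).days > stale_after_days:
            continue  # stale finding; re-crawl before counting it
        penalty += SIGNAL_WEIGHTS.get(obs.signal, 0)
    score = max(0, 100 - penalty)
    return score, letter_grade(score)


def percentile_rank(scores, vendor):
    """Share of peers (0-100) scoring at or below this vendor."""
    peers = [s for v, s in scores.items() if v != vendor]
    if not peers:
        return 100.0
    at_or_below = sum(1 for s in peers if s <= scores[vendor])
    return 100.0 * at_or_below / len(peers)


def grade_all(observations, vendors, today):
    """Score every vendor in the portfolio and benchmark it against the rest.

    Returns {vendor: (score, grade, percentile)}; vendors with no findings
    still get a row, since absence of evidence is itself a result.
    """
    by_vendor = {v: [] for v in vendors}
    for obs in observations:
        by_vendor.setdefault(obs.vendor, []).append(obs)
    scored = {v: score_vendor(obs_list, today) for v, obs_list in by_vendor.items()}
    scores = {v: s for v, (s, _) in scored.items()}
    return {v: (s, g, percentile_rank(scores, v)) for v, (s, g) in scored.items()}


# Constructed sample portfolio (not real vendors or findings).
SAMPLE_VENDORS = ["acme-hvac", "payroll-co", "cloud-crm", "tidy-vendor"]
SAMPLE_OBSERVATIONS = [
    Observation("acme-hvac", "rdp_exposed", date(2017, 2, 20)),
    Observation("acme-hvac", "no_dmarc_record", date(2017, 2, 25)),
    Observation("acme-hvac", "tls_1_0_enabled", date(2016, 12, 1)),  # stale, ignored
    Observation("payroll-co", "missing_hsts", date(2017, 2, 28)),
    Observation("cloud-crm", "leaked_credentials", date(2017, 2, 10)),
    Observation("cloud-crm", "no_dmarc_record", date(2017, 2, 10)),
    Observation("cloud-crm", "tls_1_0_enabled", date(2017, 2, 15)),
]

if __name__ == "__main__":
    for vendor, (score, grade, pct) in grade_all(
        SAMPLE_OBSERVATIONS, SAMPLE_VENDORS, date(2017, 3, 1)
    ).items():
        print(f"{vendor:12s} score={score:3d} grade={grade} peer-percentile={pct:5.1f}")
```

The percentile is what makes this a benchmark rather than a bare score: a C-grade vendor in a portfolio where most peers score F is a different conversation from a C-grade vendor surrounded by As. A real service would also weight signals by the sensitivity of the data the vendor holds, which this toy deliberately leaves out.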
The work of SecurityScorecard is not intended to shame bad vendors, either. Kassoumeh said some vendors are now coming to SecurityScorecard to see how they can improve their security posture. He said that, at first, vendors might be defensive and go through a period of denial, but after a walk-through they come around, appreciate the assessment, and end up improving their security protections.
He said the process is actually bringing security practitioners from different organizations together. “CISOs often get frustrated at the loss of control of their company’s data as more organizations move to vendors in the cloud,” said Kassoumeh. “They don’t know who is protecting their data. We’re giving some of that control back,” he said.
Kassoumeh said SecurityScorecard can be a powerful tool for privacy pros as well. “It’s like a high-level snapshot of any company.” He said for those who are interested, SecurityScorecard offers a quick assessment of a particular vendor and then follows up with a demonstration from a SecurityScorecard team member to help go over the vendor scorecard.
At a deeper level, SecurityScorecard can assess all of a given organization's vendors to create a vendor risk-management map. The vendors can then be mapped to different regulatory regimes, say a NIST standard or HIPAA, for example. Kassoumeh also said their vendor assessment can gauge how likely a given company is to suffer a breach.
He also said SecurityScorecard can be useful for companies large and small. For larger businesses, mapping 40,000 to 50,000 vendor contracts may be a key need, while smaller companies, which very well may be vendors themselves, can use SecurityScorecard to determine their own security posture.
Companies are also beginning to use SecurityScorecard in mergers and acquisition deals, Kassoumeh said. "Our service is used by M&A teams to complete their due diligence." Insurance companies selling cyberinsurance are also using the service, he said; it helps them determine how much to charge for their policies and build actuarial models for long-term risk.
Google, for one, has recognized the promise of SecurityScorecard. “They saw what we were doing,” said Kassoumeh, “they saw the threat market and how we are kind of like a Google for cybersecurity.”
“Up until two years ago, people thought there was no solution to vendor risk-management (outside of lengthy questionnaires), but we’ve redefined it to show there is a better way.”
Top image courtesy of SecurityScorecard