OneTrust_Square Banner_300x250_DD_ROS_01_19
This startup offers a vendor-risk management solution

Businesses are depending more and more on third parties, but managing a complex web of vendors can create massive risk. In the privacy world, even vendors that don’t typically have access to an organization’s network can also wreak havoc. Who would have thought that an HVAC company would have been part of one of the most well-known data breaches in recent years?

On top of increased risk, companies also face civil and regulatory liability with their vendors. Plus, with the obligations in the upcoming General Data Protection Regulation, companies could face as much as four percent of their annual global turnover. We’re not just talking bad press here, an insecure vendor can do real damage to a company’s bottom line.

Startups are recognizing this opportunity in the marketplace and are utilizing proprietary technology to fill the gap. Venture capitalists are also recognizing the market need and backing it up with cash.

One such startup, SecurityScorecard, recently received a whopping $20 million in series B funding from Google Ventures. In a sense, it is what it sounds like: The company analyzes and rates vendors’ security posture based on a range of security criteria. SecurityScorecard then provides that easy-to-digest information to its clients so they can better assess the risk for every one of their vendors.

Co-founded by two information security veterans, SecurityScorecard now comprises more than 50 staffers with a variety of backgrounds, including those with expertise in threat-intelligence, malware reverse engineering, and data science.

“Twenty years ago, companies did things in a vacuum, but over time, interdependencies among companies have grown.” 

SecurityScorecard co-founder and Chief Operating Officer Sam Kassoumeh said vendor security issues kept percolating to the top when he was in infosecurity. He said his team was good at managing infosecurity in-house, but looking into the security profile of vendors was much more difficult.

“This was a frustrating challenge and a problem that grew bigger year by year,” Kassoumeh told Privacy Tech in a phone interview. “Twenty years ago, companies did things in a vacuum, but over time, interdependencies among companies have grown.” Now, many companies exercise their due diligence by giving their vendors a detailed questionnaire. Yet, it’s difficult for companies to validate the information, and even audit reports can be out of date quickly, as they’re only a snapshot in time. 

“Large companies may have as many as 40,000 or 50,000 contracts with vendors,” Kassoumeh pointed out. “That’s a lot of risk to have on the table.”

Image taken from SecurityScorecard website

Image taken from SecurityScorecard website

SecurityScorecard aims to make this process easier and more secure. Kassoumeh said his company can assess the security of a vendor instantly and non-intrusively by using a combination of public information and its proprietary web crawlers. “We’re not simulating a hacker attack,” he pointed out. “We collect information across the internet and dark web to find signals of risk.” SecurityScorecard then places that information into a database to create a risk-profile map.

“We benchmark companies,” he said. “We derive an A through F letter grade based on the security hygiene of a company.” This allows companies to quickly assess which vendors to work with, and which ones to avoid.

The work of SecurityScorecard is not intended to shame the bad vendors, either. Kassoumeh said some vendors are now coming to SecurityScorecard to see how they can improve their security posture. He said, at first, vendors might be defensive, and go through a period of denial, but then after a walk through, they come around and actually appreciate the assessment and end up improving their security protections. 

He said the process is actually bringing security practitioners from different organizations together. “CISOs often get frustrated at the loss of control of their company’s data as more organizations move to vendors in the cloud,” said Kassoumeh. “They don’t know who is protecting their data. We’re giving some of that control back,” he said. 

Kassoumeh said SecurityScorecard can be a powerful tool for privacy pros as well. “It’s like a high-level snapshot of any company.” He said for those who are interested, SecurityScorecard offers a quick assessment of a particular vendor and then follows up with a demonstration from a SecurityScorecard team member to help go over the vendor scorecard.

Image taken from SecurityScorecard website

Image taken from SecurityScorecard website

At a more deeper level, SecurityScorecard can then assess all of a given organization’s vendors to create a vendor risk-management map. They can then map the vendors to different regulatory regimes — say a NIST standard or HIPAA, for example. Kassoumeh also said their vendor assessment can also gauge how likely a given company will undergo a breach.

He also said SecurityScorecard can be useful for companies large and small. For the larger businesses, mapping 40,000 to 50,000 vendor contracts may be a key need, while smaller companies — that very well may be vendors themselves — can use SecurityScorecard to determine its security posture.

Companies are also beginning to use SecurityScorecard in mergers and acquisition deals, Kassoumeh said. “Our service is used by M&A teams to complete their due diligence.” He also said insurance companies selling cyberinsurance are also taking advantage of the startup. He said it helps them determine how much to charge for their insurance policies and build actuarial models for long-term risk.

Google, for one, has recognized the promise of SecurityScorecard. “They saw what we were doing,” said Kassoumeh, “they saw the threat market and how we are kind of like a Google for cybersecurity.”

“Up until two years ago, people thought there was no solution to vendor risk-management (outside of lengthy questionnaires), but we’ve redefined it to show there is a better way.” 

Top image courtesy of SecurityScorecard

Written By

Jedidiah Bracy, CIPP/E, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds and unparalleled programs—plus a whole new spin on Active Learning!

Canada Privacy Symposium 2017

The Symposium returns to Toronto! Take advantage of Early Bird rates before March 31 and join your fellow privacy pros for a stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is SOLD OUT and the wait list is closed. If you got on the wait list, we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»