Grading Your Network’s Security Risk

Aleksandr Yampolskiy recalled this story as he addressed professors Ari Juels and Vitaliy Shmatikov’s Security and Privacy: Practice and Case Studies: 21 years ago, he had a tough choice to make, deciding between Cornell and NYU. He chose to attend NYU because he wanted to be close to his parents. Somewhat understandable, given that he was 14 at the time.

Yampolskiy had been interested in security since childhood. After NYU he matriculated at Yale, where he pursued cryptography. While he enjoyed his PhD program (“I learned how to do research, how to apply methodology from other disciplines and solve problems that no one has ever solved before”), he also found that he “really wanted to build things.”

After working at Microsoft, Oracle, and Goldman Sachs, it was at Gilt Groupe, where, as its first Chief Security Officer, he found himself pondering how it was that a fraudulent e-commerce company the retailer was about to contract with hadn’t been properly vetted — in fact, there wasn’t a proper way to do so. It was his aha! moment: “We spend millions of dollars to protect ourselves. But when it comes to Cloud services — our vendors, our partners — we have no idea how secure they are.”

In December 2013, SecurityScorecard launched, focusing on solving the Holy Grail of problems in security: how to measure it, while being unobtrusive and automatic. They had their work cut out for them. Even though most prospects were still filling out a 20-page questionnaire with pen and paper, Yampolskiy learned that changing entrenched business practices demanded more than just a better mousetrap.

Initially, Yampolskiy received emphatic support for his solution, but recalls not being able to get traction. He kept iterating in response to customer feedback, noting a hard-won lesson: “Until they pay you revenue — at least one dollar — you don’t know if you have a product.” Finally, though, he had a product, one that was well received, and one that customers actually paid for. VC Sequoia Capital expressed interest, leading a Series A round for $12.5 million.

Yampolskiy is clear why a higher standard of cybersecurity is essential. In the past we protected our companies as fortresses, but that mentality is now out of date. Today, your company is as vulnerable as anyone in your ecosystem. It can be exposed to vulnerability via a vendor’s neighbor, a staffer’s wireless home network, or even a partner’s Candy Crush opponent. No longer is the question if, but when.

SecurityScorecard’s solution is a three-stage process:

• Gathering thousands of signals every second — that’s terabytes of data across the entire Internet — to create a so-called “Threat Market” platform.
• Discovering “the digital essence of a company” (think Google.com, with its dozens of subdomains across the world).
• Benchmarking the security risk of companies against one another, gauging the cybersecurity of more than a 100,000 companies in the process.

Last month, SecurityScorecard released its 2016 Government Cybersecurity Report examining eighteen industries across America, from transportation to retail to healthcare to government. Who came up short? It was government that scored the lowest. Among the dot gov’s it was NASA and the U.S. Department of State that came in dead last. Looks like in SecurityScorecard — which hopes to grow from 60 employees to 85 this year — Yampolskiy has not only found a calling, but filled a need affecting the safety of us all.