The Security Interviews: Alex Yampolskiy, SecurityScorecard

Alex Yampolskiy conceived the idea for risk management specialist SecurityScorecard after getting stung by a SaaS supplier that was being cavalier with its customer data. He tells his story to Computer Weekly

If he wasn’t running SecurityScorecard, says Alex Yampolskiy, he would probably be sitting in a park in New York City, playing chess. New York has been his home for many years, since his Russian-Ukrainian family emigrated to the US when he was a teenager.

Even as a teen, the chess prodigy had already been bitten by the cyber security bug. Yampolskiy’s journey into security began when he was 12, when a friend slipped him a 3.5in floppy disk containing a copy of the classic videogame Prince of Persia. And a virus.

“I guess nowadays people don’t remember what floppy disks are. But when I popped it into my computer and infected it with a virus, I was like, I need to figure out what the heck this is. How do you make computers misbehave? I wanted to get back at my friend,” he says.

“And I started learning how to crack, how to break into computers. And then I really fell in love with cyber security.”

Once in the US, Yampolskiy was able to pursue his interest. He went off to college and later obtained his PhD in cryptography from Yale University, where he spent five years finishing his thesis, along the way conducting research into concepts that are now part of blockchain technology.

“I wanted to build things and make them come to life instead of just publishing academic papers, so I went into the industry,” says Yampolskiy. “I worked at companies like Oracle and Goldman Sachs. And then I became chief security officer [CSO] at a company called Gilt Groupe [a US-based members-only online retailer], which is where the idea of SecurityScorecard was born.”

In fact, the business had its genesis amid a procurement exercise at Gilt Groupe during Yampolskiy’s tenure as CSO.

He explains: “My marketing team signed up for this software-as-a-service [SaaS] product to help mitigate e-commerce fraud – when you are a retailer and you sell goods online, people will use fraudulent cards to steal from you, so we signed up for this product.

“However,” he continues, “for it to be effective, we had to share information about all our customers, which made me feel uneasy, so we had them go through an attestation. They filled out a lengthy pen-and-paper questionnaire – they said they were doing a great job.”

Eager to move forward, the organisation signed on the dotted line, but just as the integration process began, it hit a major snag.

“We discovered, to my dismay, unencrypted credit card data on their systems belonging to other customers,” he says. “That, to me, was a big wake-up call. I realised I could be doing a great job, I could be working hard as a CSO, and yet I could lose my job due to circumstances outside my control. That was a big revelation!”

Unquantified dependencies

In the summer of 2013, Yampolskiy and his business partner began to think in more depth about the myriad dependencies on third parties that exist within the average enterprise, and how widely documents and data are shared – legal paperwork goes to a law firm, taxes to an accountant, your own files to a cloud storage service, and so on.

Any one of these dependencies, says Yampolskiy, could be the one that results in a cyber security incident that gets your organisation on the front page of a national newspaper, and yet there have historically been no key performance indicators (KPIs) in the security world that could be used to effectively judge what third-party risk looks like.

“You go to a doctor, they measure your blood pressure. You drive a car, you have a speedometer. For security, you get nothing. Why can’t there be a KPI to measure and quantify risk? That was the insight that led to us beginning to incubate SecurityScorecard,” he says.

How it works

At its core, the SecurityScorecard platform is a database of companies scored by various cyber risk factors, giving users insights into the security postures and risk profiles of any organisation they do business with, or care to run a search on.

How are these scores calculated? First, SecurityScorecard looks at an organisation’s attack surface from the outside, using non-intrusive scanning methods to collect signals about it.

“Just like you can walk in the neighbourhood and see a broken window or graffiti on the wall, you can deduce without walking into a house that maybe it’s not been well maintained on the inside. Similarly, for companies, there are hundreds of signals you can pick up non-intrusively,” says Yampolskiy.

“A simple example would be, you look at a website, and you see on the bottom of the site, ‘copyright 2005’. Well, it’s 2024, right? So it’s not a vulnerability, you can’t exploit it, but you just determined that they’re not updating the website proactively [so] how diligent are they going to be in resisting an attack of another sort?”

To this information it then applies a statistical model based on almost a decade of historical data to benchmark the organisation against others in its peer group, arriving at a final score. The algorithm it uses is published publicly, Yampolskiy being a big advocate for transparency in how the organisation operates.
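The scoring approach described above (collect an outside-in hygiene signal, then benchmark it against a peer group) can be illustrated with a toy script. The following is an added example, not SecurityScorecard’s published algorithm or code: it extracts the copyright year from a constructed website footer, treats its age as a staleness signal, and ranks it against a constructed set of peer-group values. The footers, the peer-group numbers and the grade thresholds are all made up for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample footers (not real sites), standing in for what an
# outside-in scan would fetch from a public web page.
SAMPLE_FOOTERS: Dict[str, str] = {
    "stale-example": "<footer>&copy; 2005 Stale Example Ltd. All rights reserved.</footer>",
    "fresh-example": "<footer>Copyright © 2019–2024 Fresh Example Inc.</footer>",
    "no-footer": "<footer>Contact us</footer>",
}

# Constructed peer group: copyright staleness (in years) of comparable sites.
PEER_STALENESS: List[int] = [0, 0, 0, 1, 1, 2, 3, 5, 8, 12]

# Matches common footer forms: "© 2005", "&copy; 2005", "(c) 2005",
# "Copyright 2005" and year ranges such as "© 2019–2024" (takes the last year).
COPYRIGHT_RE = re.compile(
    r"(?:©|&copy;|\(c\)|copyright)\s*(?:\d{4}\s*[-–]\s*)?(\d{4})",
    re.IGNORECASE,
)


def copyright_year(html: str) -> Optional[int]:
    """Return the most recent copyright year found in the page, or None."""
    years = [int(m.group(1)) for m in COPYRIGHT_RE.finditer(html)]
    return max(years) if years else None


def staleness_years(html: str, current_year: int) -> Optional[int]:
    """How many years the footer lags the current year (0 = up to date)."""
    year = copyright_year(html)
    if year is None:
        return None  # signal absent: do not invent a value
    return max(0, current_year - year)


def percentile_rank(value: float, peers: List[float]) -> float:
    """Fraction of peers whose staleness is at least as bad as `value`.

    Higher means the site looks better maintained than more of its peers.
    """
    if not peers:
        raise ValueError("peer group must not be empty")
    return sum(1 for p in peers if p >= value) / len(peers)


def grade(pct: float) -> str:
    """Map a percentile to a coarse band. Thresholds are arbitrary for the example."""
    if pct >= 0.9:
        return "A"
    if pct >= 0.7:
        return "B"
    if pct >= 0.5:
        return "C"
    if pct >= 0.3:
        return "D"
    return "F"


def score_footer(html: str, peers: List[float], current_year: int) -> dict:
    """Combine the raw signal, its peer percentile and a grade into one record."""
    s = staleness_years(html, current_year)
    if s is None:
        return {"staleness": None, "percentile": None, "grade": "N/A"}
    pct = percentile_rank(s, peers)
    return {"staleness": s, "percentile": pct, "grade": grade(pct)}


if __name__ == "__main__":
    for name, html in SAMPLE_FOOTERS.items():
        print(name, score_footer(html, PEER_STALENESS, 2024))
```

Two points from the interview are reflected in the design: a stale copyright line is not a vulnerability, so the signal is scored as a hygiene indicator relative to peers rather than as a finding, and a missing signal is reported as absent rather than guessed, since a rating is only useful if its inputs are trustworthy.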

The effort and resources needed to build this up have been significant, and it’s an ongoing challenge, says Yampolskiy. “We have 600 people in the company, and about 35% to 40% of them are in research and development. We’ve built a technology over the past nine years that collects billions of signals every day.

“For example, we run one of the largest malware sinkholes in the world, where we capture signals about what machines are infected worldwide – and we’ve got to make sure it’s accurate and trustworthy. It requires a lot of engineering effort. It’s not easy to build this type of technology.”

And is the data accurate? Apparently so. “We have demonstrated – and companies like Marsh McLennan, for example, have proven – that companies with a bad score are eight times more likely to suffer a data breach than those with a good score,” he says.

But the service doesn’t stop there. “We don’t just give you a score and say good luck. We also give you recommendations on how you can become more resilient, [and] we allow you to take the scores and insights and integrate them into workflows,” says Yampolskiy.

SecurityScorecard integrates with over 100 other platforms to enable users to establish and define all kinds of different elements of their risk profiles – for example, regulatory compliance with the General Data Protection Regulation (GDPR) or equivalent state-level regulations in the US – and, crucially, understand security issues and discrepancies among their suppliers that need to be factored into their risk planning.

Ever-increasing threats

When SecurityScorecard first got off the starting blocks almost 10 years ago, the world of cyber security looked very different to how it does today. We have moved from a world where security was considered very much the domain of technical experts and people steeped in hacker culture, to one where ransomware attacks make primetime TV news bulletins and security is a topic for dinner party conversation.

For Yampolskiy, three core trends are contributing to this. First, the attack surface has become vastly more complex and interconnected. Second, there has been an explosion in third-party risk – the firm’s own statistics show that almost 30% of all breaches now originate through a third party. Third, threat actors have access to a more sophisticated and cheaper variety of weaponry, from distributed denial-of-service (DDoS) attacks procurable for a few dollars, to zero days starting in the thousands.

“We cannot change the fact that the world became more complex. We cannot change the fact that attackers became more sophisticated,” says Yampolskiy.

“What we can influence is that most companies are still focusing on robustness instead of resilience. They’re trying to prevent an adversary from breaking in instead of flipping the assumption and saying, sooner or later, with enough effort, the adversary is going to get in, [so] how do I make it as hard as possible for them?”

The view that addressing third-party risk forms part of this shift towards resilience is one that many share. With an eye on the future, Yampolskiy is hopeful that as organisations move towards a resilience-focused security practice, SecurityScorecard’s KPI-backed methodology will ultimately help them make a more appropriate purchasing decision, instead of just turning a firehose on the problem.

Future developments

SecurityScorecard is also ramping up services that can sit alongside and enhance its ratings system, something customers have been asking it for. After all, quantifying your security risk and that of your partner and supplier ecosystem will only get you so far – and you’re probably still going to get attacked at some point.

“I’m quite excited also about not just giving you security ratings to measure, but also giving you solutions,” says Yampolskiy.

“A big focus, a big push for us right now is how to expand from ratings to solutions. We now have a business unit that does tabletop exercises where we come and train your executive team. We have a unit that does forensics, so if your computer gets hacked or you are infected with ransomware, we can help you.”

Yampolskiy is particularly interested in helping bridge the long-acknowledged communication gap between security teams and their board-level leaders.

“Boards and the CISOs lack a common language. Board members are from Mars, and CISOs are from Venus,” he says.

“A CISO often speaks in a technical language, technical jargon, so he might say, ‘I deployed Akamai Prolexic on 124.1.1.3/24 to mitigate endpoint attacks’, and the board member has no idea what the CISO just said. The CISO should have said, ‘I’ve implemented denial-of-service prevention. It cost me $200,000 and will save us $3m in outages’.

“There’s also an onus on board members to learn more about cyber security. If you’re a board member and during a meeting, you ask, ‘What’s gross margin?’, you’re going to get a tap on your shoulder and a break where people are going to say, ‘You really need to learn more about financials, you need to know what gross margin is’. But if a board member asks, ‘What’s a denial-of-service attack?’ nobody cares. It’s normal. It’s expected.

“Unfortunately, board members are not entirely technically literate, and that has to change – it’s already changing. So we’re seeing more engaged boards, we’re seeing boards standardise on risk measuring and reporting, and we’re seeing boards adopt security ratings like ours to vet what they’re doing. The world is changing in a positive direction in cyber security.”
