Hi everyone, welcome to this CUBE Conversation. I'm John Furrier, host of theCUBE here in Palo Alto, California. We've got Sam Kassoumeh, co-founder and chief operating officer of SecurityScorecard, coming in here remotely. Thanks for coming on, Sam.

Thank you, John. Thanks for having me.

Love the security conversations. I love what you guys are doing. I think this idea of managed services, SaaS, developers love it, operations teams love getting into tools easily, and the value of what you guys have got with SecurityScorecard. Let's get into it. We were talking before we came on. You guys have a unique solution around ratings, but also it's not your grandfather's pen test wannabe security app. Take us through what you guys are doing at SecurityScorecard.

Yeah, so just like you said, it's not a point-in-time assessment. It's similar to a traditional credit rating but also a little bit different. You can really think about it in three steps. In step one, what we're doing is threat intelligence data collection. We invest really heavily in the R&D function. We never stop investing in R&D. We collect all of our own data across the entire IPv4 space, all of the different layers. Some of the data we collect is pretty straightforward. We might crawl a website, like the example I was giving: we might crawl a website and see that the website says copyright 2005, but we know it's 2022. Now, while that signal isn't enough to go hack and break into the company, it's definitely a signal that someone might not be keeping things up to date. And if a hacker saw that, it might encourage them to dig deeper. Then there are more complex signals, where we're running one of the largest DNS sinkhole infrastructures in the world. We're monitoring command-and-control malware and its behaviors. We're essentially collecting signals and vulnerabilities from the entire IPv4 space, the entire network layer, the entire web app layer, leaked credentials.
Everything that we think about when we talk about the security onion, we collect data at each one of those layers of the onion. That's step one. And we can do all sorts of interesting insights and information and reports just out of that threat intel. Now, step two is really interesting. What we do is we go identify the attack surface area, or what we call the digital footprint, of any company in the world. So as a customer, you can simply type in the name of a company and we identify all of the domains, subdomains, subsidiaries, organizations that are identified on the internet that belong to that organization. So every digital asset of every company, we go out and we identify that, and we update that every 24 hours. And step three is the rating. The rating is probabilistic and it's deterministic. The rating is a benchmark. We're looking at companies compared to their peers of similar size within the same industry. And we're looking at how they're performing. And it's probabilistic in the sense that companies that have an F are about seven to eight times more likely to experience a breach. We're an A through F scale, universally understood: Ds and Fs are more likely to experience a breach; with As we see fewer breaches. Now, like I was mentioning before, it doesn't mean that an F is always going to get hacked or an A can never get hacked. If a nation state targets an A, they're gonna eventually get in with enough persistence and budget. If the pizza shop on the corner has an F, they may never get hacked because no one cares. But natural correlation: more doors open to the house equals higher likelihood someone unauthorized is going to walk in. So it's really those three steps: the collection, we map it to the surface area of the company, and then we produce a rating. Today we're rating about 12 million companies every single day.

And how many people do you have as customers?

We have 50,000 organizations using us, both free and paid.
We have a freemium tier where, just like Yelp or a LinkedIn business profile, any company in the world has a right to go claim the score. We never extort companies to fix the score. We never charge a company to see the score or fix it. Any company in the world, without paying a cent, can go in, they can understand what we're seeing about them, what a hacker could see about their environment. And then we empower them with the tools to fix it. And they can fix it and the score will go up. Now companies pay us because they want enterprise capabilities. They want additional modules, insights, which we can talk about. But in total, there's about 50,000 companies that, at any given point in time, are monitoring about a million and a half organizations of the 12 million that we're rating.

If you want to look at it, it sounds like Google search you got going on there. You got a lot of search and then you create relevance, a score, like a ranking.

That's precisely it. And that's exactly why Google Ventures invested in us in our series B round and they're on our board. They looked and they said, wow, you guys are building like a Google search engine over some really impressive threat intelligence. And then you're distilling it into a score which anybody in the world can easily understand.

Yeah. They obviously have PageRank, which changed the organic search business in the late 90s, early 2000s, and the rest is history. So you got a lot of customer growth there potentially with the opt-in customer view, but you're looking at this from the outside in, you're looking at companies and saying, what's your security posture, getting a feel for what they got going on. And giving them scores. It sounds like it's not like a hacker proof. It's just more of an indicator for management and the needs.

It's an indicator. It's an indicator because today when we go look at our vendors, business partners, third parties, we're flying blind.
We have no idea how they're doing, how they're performing. So the status quo for the last 20 years has been: perform a risk assessment and a questionnaire, ask for a pen test and audit evidence. We're trying to break that cycle, right? Nobody enjoys it. They're long tail. It's trust without verification. We don't really like that. So we think we can evolve beyond this point-in-time assessment and give a continuous view. Now, today, historically, we've been outside-in, not intrusive, and we'll show you what a hacker can see about an environment. But we have some cool things percolating under the hood that give more of a 360 view: outside, inside, and also a regulatory compliance view as well.

Why is the compliance, the whole third-party thing that you're engaging with, important? Because, I mean, obviously having some sort of way to say who am I dealing with is important. I mean, we hear all kinds of things in the security landscape: oh, zero trust. And then we hear trust, supply chain software risk, for example, there's a huge trust factor there. I need to trust this tool or this container, and then you got the zero trust, don't trust anything, and then you got trust and verify. So you have all these different models and postures and it just seems hard to keep up with. So-

It's so hard.

Take us through what that means, because I mean, pen tests, you know, SOC reports, I mean, the clouds help with the SOC report, but if you're doing agile, anything DevOps, you're basically, we need to do a pen test like every minute. It's impossible, right?

You know, the market shifted to the cloud, right? We watched, and it still is, and that created a lot of complexity. Not to date myself, but when I was starting off as a security practitioner, the data center used to be in the basement and I would have lunch with the database administrator and we'd talk about how we were protecting the data. Those days are long gone.
You know, we outsource a lot of our key business practices. We might use, you know, for example, ADP for a payroll provider or Dropbox to store our data, but we've shifted and we no longer know who that person is that's protecting our data. They're sitting in another company in another area unknown. And I think about 10, 15 years ago, CISOs had the realization, hey, wait a second, I'm relying on that third party to function and operate and protect my data, but I don't have any insight, visibility or control of the program. And we were recommended to use questionnaires and audit forms, and those are great, right? It's good hygiene, it's good practice. Get to know the people that are protecting your data, ask them the questions, get the evidence. The challenge is it's point in time, it's limited. Sometimes the information is inaccurate, not intentionally. I don't think people intentionally want to go lie, but you know, hey, if there's a $50 million deal we're trying to close and it's dependent on checking this one box, someone might bend a rule a little bit.

I said on theCUBE publicly that I think, you know, pen test reports are probably being fudged and dates being replicated because it's just too fast. And again, today's world is about velocity, and developers, trust on the code, right? So you got, you know, all kinds of trust issues. So I think verification, you know, the blue check mark on Twitter kind of thing going on, you're going to see a lot more of that. And I think this is just the beginning. I think what you guys are doing is scratching the surface. I think this outside-in is a good first step, but that's not going to solve the internal problem. You're still going to have big surface areas, right? So you got more, you know, surface area expanding. I mean, IoT is coming and the edge is coming fast. Never mind hybrid on-premise cloud.
So, you know, what should organizations do to evaluate the risk and the third party, handshaking, verification scorecards? Is it like a free look here? Is there more depth to it? Do you double click on it? Take us through how this evolves.

John, it's become so disparate and so complex, right? Because in addition to the market moving to the cloud, we're now completely decentralized. People are working from home or working hybrid, which adds more endpoints. Then what we've learned over time is that it's not just a third-party problem, because guess what? My third parties behind the scenes are also using third parties. So while I might be relying on them to process my customers' payment information, they're relying on 20 vendors behind the scenes that I don't even know about. I might have an A, they might have an A. It's really important that we expand beyond that. So coming out of our innovation hub, we've developed a number of key capabilities that allow us to expand the value for the customer. One, you mentioned outside-in is great, but it's limited, right? We can see what a hacker sees and that's helpful. It gives us pointers where to maybe go ask, double click, get comfort, but there's a whole other world going on behind the firewall inside of an organization. And there might be a lot of good things going on that CISOs, security teams need to be rewarded for. So we built an inside module and component that allows teams to start plugging in the tools, the capabilities, API keys to their cloud environments. And that can show anybody who's looking at the scorecard, it's almost like a, it's less like a credit score and more like a social platform where we can go and look at someone's profile and say, hey, how are things going on the inside? Do they have two-factor on? Are their cloud instances configured correctly? And it's not a point in time. This is a live connection that's being made. This is any point in time we can validate that.
The other component that we created is called an evidence locker. And an evidence locker is like a secure vault in my scorecard. And it allows me to upload things that you can't really scan for or check for, right? Collateral, compliance paperwork, SOC 2 reports, those things that I always begrudgingly email. I don't want to share with people my trade secrets, my security policies, and have it sit on their Exchange server. So instead of having to email the same documents out 300 times a month, I just upload them to my evidence locker. And what's great is now anybody following my scorecard can proactively see all the great things I'm doing. They see the outside view, they see the inside view, they see the compliance view, and now they have sort of the holy grail view of my environment and can have a more intelligent conversation.

You know, access to data and access methods are an interesting innovation area around data. Lineage tracing is becoming a big thing. We're seeing that. I was just talking with the Snowflake co-founder the other day here in theCUBE about data access, and they're building a proprietary mesh on top of the clouds to kind of figure out, hey, I don't want to give just some tool access to data because I don't know what's on the other side of those tools. Now they had a robust ecosystem. So I can see this whole vendor risk supply chain challenge around integration as a huge kind of problem space that you guys are attacking. What's your reaction to that?

Yeah, integration is tricky because we want to be really particular about who we allow access into our environment or where we're punching holes in the firewall and piping data out of the environment. And that can quickly become unwieldy just with the control that we have. Now, if we give access to a third party, we then don't have any control over who they're sharing our information with. When I talk to CISOs today about this challenge, a lot of folks are scratching their head.
A lot of folks treat this as a pet project. Like, how do I control the larger span beyond just the third parties? How do I know that their software partners, their contractors that they're working with building their tools, are doing a good job? And even if I know, meaning, John, you might send me a list of all of your vendors, I don't want to be the bad guy. I don't really have the right to go reach out to my vendors' vendors, knocking on their door saying, hi, I'm Sam, I'm working with John and he's your customer, and I need to make sure that you're protecting my data. It's an awkward chain of conversation. So we're building some tools that help the security teams hold the entire ecosystem accountable. We actually have a capability called automatic vendor discovery. We can go detect who are the vendors of a company based on the connections that we see, the inbound and outbound connections. And what often ends up happening, John, is we're bringing to our customers' attention inbound and outbound connections they had no idea existed. Those are the shadow IT and the ghost vendors that were signed without going through an assessment. We detect those connections and then they can go triage and reduce the risk accordingly.

I think that risk assessment of vendors is key. I was just reading a story about this, about how it was a percentage, I think the number was pretty large, of applications that aren't even being used that are still on in companies. And that becomes a safe haven for bad actors to kind of hang out and penetrate, because they get overlooked because no one's using them. But they're still online. And so there's a whole, I call it cleaning up the old dead applications that are still connected.

It happens all the time. All the applications, and then those applications also have applications that are dead and applications that are alive. They also have users that are dead as well.
So you have that problem at the application level and at the user level. We also see a permutation of what you described, which is kind of artifacts, leftover artifacts due to configuration mistakes. So a company just put up a new data center, a satellite office in Singapore, and they hired a team to go install all the hardware. Somebody accidentally left an administrative portal exposed to the public internet. And nobody knew; the internet works, the lights are on, the office is up and running, but there was something that was supposed to be turned off that was left turned on. So sometimes we bring it to the company's attention, and they say, that's not mine. That doesn't belong to me. And we're like, oh, well, we see some reasons why, yeah. And they're like, oh, that was the contractor who set up the thing. They forgot to turn off the administrative portal with the default login credentials. So we shut off those doors, yeah.

Yeah, Sam, this is really something that's not talked about a lot in the industry, that we've become so reliant on managed services and other people. CISOs, CIOs, and even all departments that have applications, even marketing departments, they've become reliant on agencies and other parties to do stuff for them, which inherently just increases the risk here of what they have. So they inherently could be as secure as they could be, but yet exposed completely on the other side.

That's right. We have so many virtual touch points, right? With our partners, our vendors, our managed service providers, suppliers, other third parties, and all the humans that are involved in that mix, it creates just a massive ripple effect. So everybody in a chain can be doing things right, and if there's one bad link, the whole chain breaks. I know it's like the cliche analogy, but it rings true.

Supply chain, trust again, trust you, trust with us. Let's see how those all reconcile.
So Sam, I have to ask you, okay, you're a former CISO, you've seen many movies in the industry, co-founded this company, you're in the front lines, you've got some cool things happening. I can almost imagine the vision is a lot more than just providing a rating, a score. Sure, there's more vision around intelligence, automation. You mentioned vault, wallet, capabilities, exchanging keys; we heard at re:Inforce automated reasoning, that's metadata reasoning; you got all kinds of crypto and quantum. I mean, there's a lot going on that you can tap into. What's your vision, where you see SecurityScorecard going?

The rating is, when we started the company, the rating was the thing that we sold. And it was a language that helped technical and non-technical folks to level the playing field and talk about risk and use it to drive their strategy. Today, the rating just opens the door to that discussion and there's so much additional value. I think in the next one to two years, we're going to see the rating become standardized. It's going to be more frequently asked for, or even required or leveraged, by key decision makers, right? When we're doing business, it's going to be like, hey, show me your scorecard. So I'm seeing the rating get baked more and more into the lexicon of risk. But beyond the rating, the goal is really to make the world a safer place, right? Help transform and raise the tide so all ships can lift. In order to do that, we have to help companies not only identify the risk, but also rectify the risk. So there's tools we build to really understand the full risk like we talked about: the inside, the outside, the fourth parties, the real ecosystem. Once we've identified where all the Fs and bad things are, then what, right? So a couple of things that we're doing. We've launched a pro-serve arm to help companies. Now, companies don't have to pay to fix the score. Anybody, like I said, can fix the score completely free of charge, but some companies need help.
They ask us and they say, hey, I'm looking for a trusted advisor, a Sherpa, a guide to get me to a better place, or they'll say, hey, I need some pen testing services. So we've augmented a service arm to help accelerate the remediation efforts. We're also partnered with different industries that use the rating as part of a larger picture. The cyber rating isn't the end-all be-all, right? When companies are assessing risk, they may be looking at financial ratings, ESG ratings, KYC, AML, cybersecurity, and they're trying to form a complete risk profile. So we go and we integrate into those decision points. Insurance companies, all the top insurers, reinsurers, brokers, are leveraging SecurityScorecard as an ingredient to help underwrite for cyber liability insurance. It's not the only ingredient, but it helps them underwrite and identify, helps them price the risk so they can push out a policy faster. First policy is usually the one that's signed. So time to quote is an important metric. We help to accelerate that. We partner with credit rating agencies like Fitch, who are talking to board members, who are asking, hey, I need a third-party independent verification of what my CISO is saying. So the CISO is presenting the rating, but so are the proxy advisors and the ratings companies to the board. So we're helping to inform the boards and evolve how they're thinking about cyber risk. We're helping with the insurance space. I think that, like you said, we're only scratching the surface. I can see today we have about 50,000 companies that are engaging in rating, and there's no reason why it's not going to be in the millions in just the next couple of years here.

And you got the capability to bring in more telemetry and see the new things, bring that into the index, bring that into the scorecard and then map that to any potential vulnerabilities.

Bingo, yeah.
But like you said, the old days, when you were dating yourself, you were in a glass room with a door lock and key and you could see who's in there, two folks having lunch, talking database. No one's going to get hurt now. That's gone, right? So now you don't know who's out there, and machines. So you got humans that you don't know and you got machines that are turning on and off services, putting containers out there. Who knows what's in those payloads? So a ton of surface area and complexity to weave through. I mean, it's only going to get done with automation.

It's the only way. Part of our vision includes not attempting to make a faster questionnaire but ridding ourselves of the process altogether and getting more into the continuous assessment mindset. Now, look, as a CISO, as a former CISO myself, I don't want another tool to log into, right? We already have 50 tools we log into every day. Folks don't need a 51st, and that's not the intent. So what we've done is we've created today an automation suite. I call it set it and forget it. I'm probably dating myself, but like those old infomercials, folks. You look and you've got what? 50,000 vendors, business partners. Then behind there, there's another 100,000 that they're using. How are you going to keep track of all those folks? You're not going to log in every day. You're going to set rules and parameters about the things that you care about. And you care depending on the nature of the engagement. If we're exchanging sensitive data on the network layer, you might care about exposed databases. If we're doing it on the app layer, you're going to look at application security vulnerabilities. So what our customers do is they go create rules that say, hey, if any of these companies in my tier one critical vendor watch list, if they have any of these parameters, if the score drops, if they drop below a B, if they have these issues, take these actions. And the actions could be send them a questionnaire.
We can send the questionnaire for you. You don't have to send pen and paper, or forget about it, you're going to open your email and drag the Excel spreadsheet. Those days are over. We're done with that. We automate that. You don't want to send a questionnaire? Send a report. Notify; we have integrations. Notify Slack, create a JIRA ticket, pipe it to ServiceNow. Whatever system of record, system of intelligence, workflow tools companies are using, we write in and allow them to expedite the whole. We're trying to close the window, right? We want to close the window of attack. And in order to do that, we have to bring the attention to the people as quickly as possible. That's not going to happen if someone logs in every day. So we've got the platform and then that automation capability on top of it.

I love the vision. I love the utility of a scorecard, a verification mark, something that could be presented, credential, an image, social proof, to security, and an ongoing way to monitor it, observe it, update it, add value. I think this is only going to be the beginning of what I would see as much more of a new way to think about credentialing companies.

I think we're going to reach a point, John, where, and some of our customers are already doing this, they're publishing their scorecard in the public domain. Not with the technical details, but an abstracted view. And thought leaders, what they're doing is they're saying, hey, before you send me anything, look at my scorecard, securityscorecard.com slash security rating and then the name of their company. And it's there, it's in the public domain. If somebody Googles scorecard for certain companies, it's going to show up in the Google search results. They can mitigate probably 30, 40% of inbound requests by just pointing to that thing. So we want to give more of those tools, turn security from a reactive to a proactive motion.

Great stuff, Sam, I love it.
I'm going to make sure when you hit our site, our company, we've got camouflage sites, we're going to make sure you get the right ones. I'm sure we've got some copyright dates that are.

We can navigate the decoy sites.

Sam, thanks for coming on and looking forward to speaking more in depth on the showcase. We have the upcoming Amazon startup showcase where you guys are going to be presenting. But I really appreciate this conversation. Thanks for sharing what you guys are working on. We really appreciate it. Thanks for coming on.

Thank you so much, John. Thank you for having me.

Okay, this is the CUBE Conversation here in Palo Alto, California. Coming in from New York City is the co-founder, chief operating officer of SecurityScorecard.com. I'm John Furrier. Thanks for watching.