- SecurityScorecard invented a way to measure another entity’s cybersecurity, using hundreds of data points.
- As of November 2021, the company has 1,700 paying customers, has rated 12 million companies, and has 25,000 freemium users.
- SecurityScorecard currently has $200 million in the bank and is looking for acquisitions.
Entrepreneur Aleksandr Yampolskiy, Ph.D., learned first-hand the importance of timely cybersecurity evaluations. During a potential deal, he and his business partner Sam Kassoumeh patiently waited while their potential collaborator – a large financial provider – dragged its feet with a security questionnaire. Tired of waiting, they implemented some passive research methods on their own and discovered the company presented extensive security risks, such as unencrypted credit card data.
Being able to dodge the bullet that could have compromised their data pushed Yampolskiy and Kassoumeh to devise a way for companies to get a detailed, instant, accurate view of other entities’ security posture without waiting for permission or responses to their queries. Based on their efforts, New York-based, enterprise SaaS company SecurityScorecard was born in 2014.
Today, the company is dedicated to helping other business organizations understand and reduce security risk by using the world’s most expansive and scalable security ratings platform. It’s the only service that continuously rates 2 million companies, and its patented technology is used by more than 1,000 organizations for third-party risk management, board reporting, cybersecurity underwriting, and self-monitoring.
In effect, the security rating score is analogous to a credit score. The higher the score, the less risky the potential engagement or investment.
On November 1st, Latka sat down for an interview with Yampolskiy to discuss the company’s growth into a 350-person organization with 1,700 customers, $71 million annual recurring revenue, and 115-percent net revenue retention.
Is an IPO next?
Zero to $5m in Revenue in 3 Years
When Yampolskiy and his team started SecurityScorecard, the market was already rife with security solutions. However, there were no effective key performance indicators (KPIs) for a company’s security performance, leaving companies without a way to accurately assess the cyber safety and risks other companies presented. This is particularly critical as more and more companies move to the cloud for data storage and migration.
His team, which has grown from 250 people to 350 in just the past year, developed a solution that is accessible to everyone.
“We invented a way to measure and communicate cybersecurity. It has become a crucial tool to communicate the risk to the board, as well as to measure suppliers, investment targets, and others,” he said. “We do have competitors in this space, but we rate the largest number of companies – over 12 million. We have the broadest and deepest amount of coverage. We have a marketplace of apps and services, and nobody else compares to us in the rating space.”
From the very beginning, Yampolskiy’s focus – beyond creating a high-functioning, accurate product – was delivering one that effectively met customer needs with a good experience and significant value. Once SecurityScorecard launched in 2014, he and the team concentrated most of their efforts on incubating the product that today uses seven years’ worth of historical background to evaluate hundreds of outside data points that measure cybersecurity, such as simply assessing a copyright date at the bottom of a website. Most data points are more sophisticated.
This hard work paid off, he said. The company passed a $1 million run rate in 2015, and the success has continued.
$1 Billion Valuation
The company’s path to growth was simple. Customers pay an annual upfront subscription that can vary by the number of scorecards they want to monitor. Individual scorecards can be developed for suppliers, investment targets, or simply another company. The fee for monitoring a single scorecard is $5,000 per year.
But there’s no limit on the number of scorecards a customer can monitor, and the price per scorecard drops as the number of companies a customer monitors increases, Yampolskiy said. While some customers pay SecurityScorecard millions of dollars upfront, the average annual contract value (ACV) is $40,000, and the average revenue per user (ARPU) is $3,333.
It’s a strategy that has created sizable, consistent growth, he said. Not only has the company’s monthly recurring revenue (MRR) multiplied by more than 50 times in the past six years from $83,000 to $5.68 million, but its annual recurring revenue (ARR) has also ballooned:
- February 2015: $2.5 million
- April 2016: $6 million
- August 2017: $10 million
- June 2019: $30 million
- January 2020: $49.2 million
- January 2021: $71 million
The company has also been extremely successful with funding:
- 2013: $900,531 (Seed funding)
- 2015: $13.72 million (Series A)
- 2016: $20 million (Series B)
- 2017: $27.5 million (Series C)
- 2019: $50 million (Series D)
Q2 2021 OKRs: Inside The 1 Pager and Top 3 Goals
To continue SecurityScorecard’s growth as a premier SaaS company, Yampolskiy said, the company implemented an objectives and key results (OKRs) program. It’s an initiative that fosters internal goals for the organization that are aspirational, pushing the company toward efforts that ensure greater customer satisfaction. When executed correctly, the results of these OKRs should cascade and resonate throughout the rest of the company.
The company’s first attempt with OKRs was not successful, however. After initially failing with OKRs in 2017, he said, the company pivoted the next year to a different reporting style.
Today, every Monday, the company’s vice presidents meet and review the existing OKRs. They update progress from the week prior – what needed to get done and what was actually accomplished. It’s a strategy that creates social pressure to continue working toward OKRs, as well as accountability for progress, Yampolskiy said.
For example, for Quarter 2 of 2021, SecurityScorecard’s OKRs were straightforward and produced measurable results:
OKR 1: Increase Contributory Data in the Platform
- More companies contributed publicly accessible data to the platform on the top 200 most followed organizations. Scorecard comments increased from 252 in Q1 to 600 in Q2.
- Increase in existing (paid and free) clients contributing private data from 363 companies to 1,000 organizations.
OKR 2: Enhance Customer Education and Onboarding
- Developed enhanced onboarding procedures and education to boost Pendo stickiness score to 45 percent by the end of the quarter.
- Certify 25 customers by end of the quarter by sufficiently building an onboarding and education team to create formal customer certification programs.
OKR 3: Build a Best-in-Class Marketplace
- Publish a press release announcing 5 or more new partners in their marketplace. Their data is integrated into the company’s scorecards.
- Position the marketplace (Integrate 360 Marketplace) as a lead generator. The number of customers mentioning the marketplace as a reason for signing on increased by 15 percent.
40-Year-Old Running $71m Business
Yampolskiy’s path to leading SecurityScorecard started from his experience as a chief information security officer at Gilt Groupe. It was in this role that he first recognized the need for a cybersecurity solution that could easily and accurately identify a company’s security holes and risks. Having these types of lapses in security is becoming increasingly dangerous as more and more companies become reliant on the cloud for managing their (and their customers’) data.
Today, Yampolskiy, a married father-of-two, focuses his professional efforts on perfecting a product that will both protect SecurityScorecard’s customers and give other organizations valuable insight into the effectiveness of their own security measures.
His vision, he said, is for SecurityScorecard to create an entirely new security language that can be used by chief risk officers, board members, chief financial officers, and regulators. Scorecards, he said, must become part of the everyday dialogue.
“Just like they bake into contracts 99.9 percent up-time requirements, we want people to start baking into contracts minimum scorecard requirements,” he said.
The ultimate goal, he added, is for all company leaders who play an active role in maintaining a company’s security to take advantage of the insights SecurityScorecard offers. In doing so, they can help manage and quantify risk.
Growth Tactics Drive 12m Free Reports, 23k Freemium Users, 1700 Paying Customers
At present, SecurityScorecard maintains information on 12 million companies in its data set. Overall, the organization boasts 1,700 paying customers who use their scorecards to rate other entities when making business decisions. Based on the ACV, that puts the company at $71 million in ARR, on track to finish 2021 with a $73 million run rate ($5.68 million projected revenue in December).
However, the company’s client reach is far greater than its paying customers. They’re leveraging those entities to grow their pipeline.
In fact, those 1,700 paying customers have actually parlayed into more than 25,000 “freemium” users. These are basically referral customers. Paying clients can invite any other company into the pipeline for free. Typically, they do so as a way to encourage their potential collaborators to prove their security score prior to sealing any business deals, Yampolskiy explained. It’s a continuous cycle as more and more clients are funneled into the freemium service, spreading much like a spider’s web.
“We believe every company in the world should have their own scorecard,” he said. “So, we’re focused on making sure that every company out there has access to a tool for free. They can sign up for free. They don’t need to pay anything, and they can control their reputation.”
In addition to this referral-type model, Yampolskiy said SecurityScorecard had extensively invested in customer education and onboarding efforts that can help with net retention. Paying for and reviewing a security rating is not valuable unless the customer understands what they are seeing in the evaluation.
10 Customers Pay More Than $1m
To bring added value to customers, SecurityScorecard created an onboarding and education team. This group is dedicated to helping customers understand the scorecards they receive. They learn how to use it, how to effectively communicate the findings to their board, and how to hold their suppliers accountable.
Using Pendo, a product-analytics app that helps companies determine how well a service product resonates with clients, SecurityScorecard determined their onboarding and education efforts were “sticky,” meaning they were well received and effective across the board.
Conversely, SecurityScorecard allows companies that are evaluated to provide feedback on their score, as well as take steps to improve it. Companies that are assessed can provide additional existing data – much like proprietor feedback on Yelp – that can influence or provide context around their scores.
“We believe strongly that our job is to help companies improve their score. Outside scores have limitations, and companies need to have a way to provide commentary,” Yampolskiy said. “We believe we need to create opportunities where we give companies a score, and they are able to improve what influences it by providing inside-out data, inside-out feedback. That’s important for us to really foster inside-out communication.”
As a result of these efforts, customers see extensive value in the service SecurityScorecard provides. Today, Yampolskiy said, more than 10 clients, including government, insurance, and private equity firms pay SecurityScorecard more than $1 million annually to evaluate their clients and potential partners. In fact, some private equity firms use the tool to monitor 10,000 scorecards to keep tabs on investments.
Hitting $70m in Revenue and a $1b Valuation – What’s Next?
In 2019, SecurityScorecard raised $50 million of venture capital at a valuation of $340 million. This year, the company raised $180 million at a $1 billion valuation. Where is the company headed in 2022?
According to Yampolskiy, the company is on track to either triple or quadruple the valuation of the company yet again. That puts the organization on course to potentially take the company public with an IPO.
“There are lots of interesting tailwinds in our favor right now,” he said. “Whenever you go public, you want to tell a story of growth – a story of potential, of upside. I think from a growth perspective, we’re doing fine.”
Currently, their growth and net retention are hovering between 115 percent and 120 percent. The goal, he said, is to grow it by an additional 10 percent. Their gross margins are also solid, between 75 percent and 80 percent, he added.
To be competitive in public markets, he’ll need to show 6-8 months of cohort data where net dollar retention (NDR) is above 130%.
$200 Million in the Bank
With $200 million in the bank currently, SecurityScorecard is in a strong position to move methodically and purposefully, Yampolskiy said. The company is well funded, so the focus is on optimizing the company and increasing both shareholder and customer value.
Although the specter of an IPO tantalizingly hangs in the future, there is no rush to make that move within the next year. Within the next 18 months to 24 months, it could become a more realistic consideration.
In the meantime, he said, the team will continue to concentrate on winning more customers from its competitors and building out new products that will be successful with cross-selling or upselling. The goal, he said, is to continue to create a better, more innovative product line.
“We’re sitting on plenty of cash,” he explained. “We beat competitors a lot. A lot of the time, we’re taking customers away from them. We’re growing a lot faster than they are.”
The firm grew 40% TTM from a $50m run rate in Dec 2020 to a $71m run rate today.
Can SecurityScorecard Beat BitSight and Their $400m in Funding?
Currently, SecurityScorecard’s primary competitor BitSight is in a strong financial position. The company is growing 20 percent year-over-year with a $100 million ARR. They have also outraised SecurityScorecard $400 million to $290 million.
In contrast, however, SecurityScorecard has a 40 percent growth rate. According to Yampolskiy, the company has also been wiser and more efficient with its money. In that vein, the company does have a strategy to outperform its competitors in the coming years.
It plays into the fact that the security rating market fulfills a need for cybersecurity, and it’s growing. Customers continually want more products that take security to the next level.
Successful execution to match and surpass BitSight, he said, will require creating additional products to cross sell and upsell. These products will be able to deliver more to the customer base, further solidifying SecurityScorecard’s mission of providing added value to their customers on a consistent basis.
“There are many, many companies who switch over to us. When we ask them, ‘Why did you switch?’, they say, ‘No. 1, your product just has a lot more value,’” he explained. “It’s all about the customer – you need to deliver value for the customer. The most important chair in the room is occupied by the customer.”
Alongside Atlas (the inside-out component), Integrate 360 (the marketplace of apps and services), and Radius (the outside-in component), the company is also pivoting to create other modules in an effort to drive expansion revenue. These efforts involve actively pursuing additional modules that have been requested by their customers.
“At the end of the day, it’s all about the customer value. That’s what it’s all about,” he said. “I’m not sitting and thinking, ‘How do I optimize the metric?’ I’m thinking, ‘How do I deliver more value to my existing customers?’ because if you deliver more value to your existing customers, they’re going to love you, and they’re going to be loyal.”
Based on the efforts to create and produce more modules, Yampolskiy said, he anticipates SecurityScorecard growing by 50 percent in 2022 and breaking a $100m run rate.
Will we see an S1 filing in Q4 next year?