Transcript
Hi, Mike Matchett with Small World Big Data. We are here at RSAC 2025. We are going around and talking to all the most exciting cybersecurity vendors. One of the hot topics that I've been noticing is how do you secure your supply chain? There's a couple of different interpretations of supply chain, but we have Jason here today from SecurityScorecard, who's going to start to tell us about what you guys do about securing supply chains. First, just explain a little bit about what kind of supply chains we're talking about.

Sure. We're talking about the vendors that organizations typically bring in to do business with their organization. As part of becoming a new vendor, you generally have to fill out a questionnaire and be assessed in order to become a new vendor to an organization. So we're talking about the collection of all the known vendors that an organization has, how to understand the cyber resilience of them, and how to identify which are the most risky, which are most likely to cause a breach.

Now, I've been around this community a lot, and it does seem like compliance covers some of that, where you ask all your vendors to fill out forms and certify that they do certain different activities, that they do data protection, and that they have other things. Is that kind of what you're scoring?

Not exactly. We've actually pivoted from that. Essentially, we help organizations identify what the actual likelihood of breach is for an organization. With a questionnaire, oftentimes you talk to a CISO here and they'll say a questionnaire never stopped a breach. And the reality is it's a point-in-time assessment, a self-attestation, if you will, of your compliance with regulations or a framework. What we're doing is essentially not trusting what people self-attest to. And we're helping organizations get an idea of what's really exploitable at any given time.

And this goes up, so in the supply chain there are organizations above you and below you.
Does a particular company that wants to do this have to enroll those organizations directly in the program?

No. We start by understanding the entire attack surface. So for our customer, call it Bank of America, we want to understand how many vendors they're doing business with. Typically they may not know all of the vendors that they have. So with automatic vendor discovery, we give them a better view of the entire attack surface of their supply chain. And then we're going to give them some tiering recommendations. Oftentimes they tier based off whether they're sharing data or how important it is to the continuity of the business. But we look at it from a likelihood-of-breach standpoint. So we give them a risk scoring associated with how likely it is that these vendors are to be breached. And then we help them remediate. So we do the entire attack surface. We use threat intelligence to help contextualize, understand, or prioritize what's most exploitable and being used by threat actors today. And then we help remediate by actually doing vendor callouts and giving them targeted tasks to go close.

All right. So someone's using this scorecard. Is it kind of like for the CISO reporting to the board of directors? Or is it a lower-level kind of scorecard that's used more monthly, operationally, or even tactically? I'm getting the impression this is a little bit more coming down the stack.

It's absolutely coming down the stack. Security ratings have existed for a long time. We have been a data platform providing security ratings for 12 years. We're a leader in all the Magic Quadrants for ratings. But at the end of the day, ratings are just a tool. It's like a credit score. It tells a bank roughly how creditworthy you might be, but it's not the basis on which they're going to offer you $1 million to lend for your home.
So what we've done is we've turned ratings on their head. Instead of just giving you an idea of how cyber resilient you are as a tool, so that you can then go manage your own vendor network, we're actually helping, as a managed service, manage vendors ourselves. And instead of just reporting to the board, "this is how many vendors we have with this kind of score," we're actually operationalizing it into real time: being able to understand what to do right now in order to change. So it's a SOC mindset, if you will, applied to an age-old problem of cyber resilience.

Right. Really extending that SOC, which has traditionally been inward-looking or at least perimeter-facing, to something that's helping you look both up and down. I mean, people are just extending not only to the edge with their remote workforce and IoT and all sorts of that. But when we look at the number of SaaS apps that are being used, the number of third parties developing software, AI coming along, embedding AI models, that's a huge risk factor, probably.

Exactly. And when you talk to a CISO, they'll say, we have a very good handle on how to do the four walls. XDR and the combination of a number of tools have given them really good visibility into what's anomalous within the four walls. And with cloud security, with applications, payloads, APIs going to the cloud, Wiz and other companies have helped organizations evolve cloud detection and response so they can understand what's maybe misappropriated, or what permissions are in place, or open ports, or whatnot. What we're doing is we're taking the Wild West approach. We're basically saying the things they want to control and have gotten better at controlling, they can't control with the supply chain. And so we're giving them visibility and actionability on this entire third-, fourth- and ninth-party... sea of vendors.

Yeah. I mean, that supply chain could go on for any number of generations, so to speak, up and down. Right.
So if a CISO says, I can't control it, periodic self-attestation like a questionnaire is not protecting me. If I can't control that vendor, how can I control their vendors? Right. And so we're giving that sort of extended visibility and actionability on what we believe is the most exploitable.

If you looked around at this show, and there's a lot of people at this show, and you wanted to give them one really good piece of advice on what to do vis-à-vis getting a handle on the supply chain, what would that be?

It's to get the traditional third-party risk management team, which oftentimes reports to legal or GRC, or they report to risk or purchasing even, to get that person in the same room with the SOC and ask them some very basic questions. How confident are you that the traditional questionnaire assessment process makes you safer for an organization? How confident are you that you know how many vendors are actually exposing you to risk?

Is it hard to get people who are focused on compliance to talk to people who are focused on monitoring in the SOC? It's almost a question you don't have to answer, because we know it's hard.

No, it's amazing, actually, getting them to talk to one another. They understand that there's a massive gap between them. They can only bridge it usually with more and more people, or they try and bridge it with AI or some other form of automation. But there truly is a better path to operationalizing third-party risk in the same way that a CISO would operationalize their SOC.

Right. And you really have to bring security into almost a real-time mindset to have any effect today. Things are just moving so fast. The threat's evolving fast. Zero days: so oftentimes we're averaging a zero day a week now, right? And with third parties, the board wants to know, this new zero day that I just read about on the news, how many third parties have that?
I almost want to say, like, how do you multiply zero by anything, right?

That's exactly right. So we can produce an actionable plan based on a zero day as soon as there's a check for it. As soon as there's a check, from a hacker's mentality, on a zero-day vulnerability, we can report back right away which vendors are affected by that, and we can begin the course of action. Traditionally, that means you trigger an audit, or you trigger an assessment, or you send a questionnaire. For us, it's very targeted feedback that we're giving them. And one of the things that I think is really interesting is we now have so many customers under our managed service that we have commonality with vendors. So if there's a zero day affecting one of these companies that's a third-party vendor to our customers, we can go after them with a different buying power, if you will, to get them to fix or remediate this issue.

So, I mean, that's 12 of your customers having the same issue with you, which is: this CVE is available on this unpatched server at this time, being exploited by this threat actor. I mean, that's interesting, that you start to graph out the supply chains for many different organizations and they start to web together.

Well, we call it a clearinghouse model. And we continue to evolve on this. But the idea is that oftentimes the companies don't even know who to reach out to when they do want to reach out. So a zero day comes along; they don't know who the current contact is for that vendor that they have, right, because the last time they contacted them was when they sent them a questionnaire 14 months ago. And so we are acting as a clearinghouse for remediation of third-party risk.

I mean, that's awesome. I think we could talk about this for hours yet, Jason. Thank you. But if someone wants to learn a bit more about what you guys are up to, you've got a website or some resource?

Securityscorecard.io.
My name is Jason Doris. Jason.Doris@securityscorecard.io.

All right. Mike Matchett from Small World Big Data. See you at the next booth. Take care.