A rare glimpse into the mind of cryptographer and CEO of SecurityScorecard, Aleksandr Yampolskiy

How a virus-infected video game in the 80s led to a Ph.D. in cryptography from Yale University, a cybersecurity moon-shot, and a new universal language for cybersecurity.

With a twinkle in his eye, Dr. Yampolskiy, Founder and CEO of SecurityScorecard, tells his story while sipping on black coffee from a paper cup at the Computer History Museum in Mountain View, California.

Aleksandr’s fascination with cybersecurity started early. “When I was twelve years old, a friend of mine brought me a video game, Prince of Persia. He had purposely infected it with a virus, so I decided to get back at him. I started reading everything I could find about cybersecurity. I learned how to make viruses in 8086 Assembly language. I learned how to break and encrypt code, how to infiltrate computers, and how to protect them. That’s how it started.”

Grad school and early career

Born in Moscow, Aleksandr immigrated to the US when he was 14, and continued to pursue his passion for cybersecurity. In 2006, he completed a Ph.D. in cryptography at Yale University. Grad school was a great time for Aleksandr – he grew into a certain mindset and learned a particular way of thinking that emphasized how to do research, how to analyze different situations, and how to solve problems.

AY: “There was a joke about me in school – if you give Aleksandr two months to do something, for example, assemble a cardboard box, he probably won’t do it, but if you give him two days he’ll build a cardboard-box factory.”

Having found, through his studies, a passion for building secure online solutions, Aleksandr started his career at Microsoft. He then moved on to Oracle, where he built their identity federation system. Later, at Goldman Sachs, he oversaw the building of the systems that now manage all identification entitlements. Every time you type a password or authorize a stock trade, you are using the system Aleksandr built. After Goldman Sachs, Aleksandr was hired as Chief Security Officer for Gilt Groupe, a rapidly growing e-commerce company at the time. He joined them when they were 200 people; when he left they were 2,500 people.    

Starting up SecurityScorecard

AY: “The problem that we are solving today at SecurityScorecard is the problem I had as a Chief Security Officer – every couple of weeks a member of the marketing team would show up and tell me, ‘Alex, good news – we figured out how to make more money, but we will have to share all of our customer data with another vendor.’ That always made me feel like I could lose my job due to circumstances outside of my control if that vendor was negligent.”

Aleksandr started SecurityScorecard in the beginning of 2014 with the idea that it must be possible to reduce the security posture of a company to a grade. He believed that there must be signals from outside, which could be picked up non-intrusively, and which would indicate how well a company is doing on security. The company’s security posture could then be assigned a letter grade: A, B, C, D or F. Turns out that this was possible. Today, four years later, SecurityScorecard has over 130 people headquartered in New York, and hundreds of happy clients.

AY: “We want to create a new language for how people talk about security; that’s our ultimate mission. People don’t know how to measure security; it’s still very subjective to this day, and it’s hard to answer questions like, ‘If I invest $5M into a firewall, how much more secure does my company become?’ I want to create a simple answer to that question. It’s as much about developing a new language as it is about providing a good security solution. I envision a society where people talk about cybersecurity using our scorecards as the default way to measure security levels. It’s been really encouraging to see this getting picked up externally; for example, I just noticed a top US law firm using our scorecards to rate cyber diligence for all of their M&A transactions. Another example I stumbled upon recently is an S&P 100, publicly traded insurance company with more than 50,000 employees, which is using our scorecards for reporting to the board on the efficacy of their security programs.”


Aleksandr catches up with Nir Erez, the CEO of Moovit, at NGP Capital’s portfolio gathering in San Francisco

A problem-solver at heart

AY: “What drives me is solving really hard problems and delivering value through those solutions. That’s what gets me out of bed. I thrive in an environment where I get to build something on scarce resources and be creative at the same time. It’s both painful and exciting, but the thrill is comparable to nothing else.

“I love innovation. I love solving problems that people tell me I can’t solve. I have done it since school. In fact, I can’t resist it; my mind just gravitates towards it. In graduate school, I worked on a type of homomorphic encryption that had been an open problem for twenty years. I tried to solve it for two years by myself, but I could not do it, I just could not get there… But I did know what type of knowledge would be important to solving the problem. So, I went to a conference in Switzerland and met up with an elliptical curve researcher who helped me solve it; he became my co-author. That process gave me insights into the power of collaboration. No matter how smart you are, you can’t always solve problems by yourself.”

In college, Aleksandr competed in chess professionally, and he still plays quite a bit. He is a fast player, and occasionally finds himself playing chess online.

AY: “In chess, the queen is the strongest chess piece. You have others of course – knights, bishops, rooks and so on – but the common mistake beginners make is using the queen to protect too many other pieces, essentially overworking a single resource, and not making good use of these pieces. When you use your strongest piece to cover the work other pieces should be doing, you are not developing your army harmoniously. The same goes for an organization. As a CEO, you need to think about whether you have the right people in the right places. Do you have the right individuals, with the right capabilities and the right personalities, to scale and win the game in the end? I have found that if you hire well, your team, working together, should be able to solve 95% of the company’s problems for you.”  

20 years from now, Aleksandr is most likely going to be doing another start-up dedicated to solving other problems. But for now, when he is not working on cryptography problems, you can find him appreciating fine art in one of New York’s many galleries, or in Union Square park, playing a game of chess after work.


The SecurityScorecard team outside the office in New York