Nokia is evaluating and developing its suppliers’ cybersecurity capabilities with the help of SecurityScorecard – a rapidly growing, NGP Capital-backed, growth-stage company that disrupts the cybersecurity space through transparency and trust.
“Think of us as credit ratings for the cybersecurity space,” Matthew MacKenna, VP of EMEA at SecurityScorecard, starts.
Organizations today are particularly challenged by new regulations and new supply mandates. They need to have an understanding, not only of their own risk, but also of the risks in the supply chain and from the vendors they work with.
SecurityScorecard has built a simple rating mechanism – with grades from A to F. Because it is similar to school grading, this gives companies a familiar, common baseline from which to understand their cybersecurity risks.
“Where SecurityScorecard comes into play is in giving organizations a view of how the world sees them from the outside – not just what their security looks like, but how they are exposing themselves to the Internet, and what their reputation looks like to the outside world,” Matthew MacKenna describes.
SecurityScorecard has been growing rapidly since it was founded in 2013. Based in New York, with locations in Germany, France, Portugal, the Nordics, Singapore, and the UK, the company just completed a D-Series funding round and has taken in about $110 M of funding to date. With more than 800 customers around the world, including big brands such as Pinterest and PepsiCo, SecurityScorecard has doubled its revenue every year since it was founded.
Reducing risk efficiently
Nokia became a customer in 2018, working with SecurityScorecard in different ways. One of the first goals was to better evaluate and develop the cybersecurity capabilities of Nokia’s suppliers.
“SecurityScorecard allows us to effectively monitor all of our key suppliers and to better understand the maturity of their security programs using independent data. These are things that are extremely hard to do well, with reasonable cost, in any big company with thousands of suppliers. Using SecurityScorecard has clearly improved the speed of our response to security incidents in our supply chain, as well as our ability to take preventative actions in areas that really matter,” Antero Päivänsalo, Chief Information Security Officer at Nokia, explains.
Through SecurityScorecard’s trust and transparency portal, Nokia can go to SecurityScorecard’s website and see how many of their vendors are engaged with the platform, and how many issues SecurityScorecard is detecting around the world.
But it’s not just monitoring – SecurityScorecard engages in a dialogue with these vendors in a transparent, digital, and automated way, helping to identify and mitigate the risks Nokia’s vendors might be facing that could also impact Nokia.
When Nokia invites a vendor in, that vendor can see their own scorecard, look at the details of what SecurityScorecard has detected, and generate a “score plan” that gives them a proactive approach for decreasing their cyber risk. They can then take actions to remediate those issues and quickly see the progress they’ve made to improve their cyber risk profile.
“We’ve been very happy with the SecurityScorecard team supporting us. They’ve gone out of their way to help us speed up our deployment, build more effective processes and better understand the data this service provides,” Päivänsalo concludes.
SecurityScorecard’s Matthew MacKenna is also pleased with the collaboration: “Nokia as a customer has been an excellent reference for SecurityScorecard. By improving the cyber risk profiles for both Nokia and their vendor partners, we have gained a lot of credibility throughout Europe and beyond.”
From security to trust
Working with their investor, NGP Capital, has also helped SecurityScorecard grow their business.
“It has been an exceptional experience for us to be investors and partners with SecurityScorecard. Unlike many of the entrepreneurial teams we meet, the team at SecurityScorecard cares intensely about the customer experience and the value their customers get from the platform. The company has invested consistently in their technology, with the deepest and broadest coverage among global companies. It takes minutes to onboard a new company and profile its ratings. Working closely with SecurityScorecard, we are helping them scale up their team globally to support more leading customers like Nokia,” said Upal Basu, Member of the SecurityScorecard Board of Directors and a Partner at NGP Capital.
SecurityScorecard meets with the NGP Capital team on a regular basis to discuss how the business is developing and to brainstorm about the connections at NGP Capital and Nokia that they can leverage in order to introduce cybersecurity ratings to those companies.
SecurityScorecard’s vision is to create a common cybersecurity language for companies and their partners that helps them communicate, understand, and improve each other’s security posture. “For executive teams who may not be technical, being able to quickly hone in on the most important risk areas is critical,” Matthew MacKenna explains.
One of the key trends SecurityScorecard sees is significant growth in the importance of trust and reputation in the marketplace.
Siloed approaches don’t work in the cybersecurity industry, according to MacKenna: “There is a host of bad actors out there, ranging from nation-states and organized cyber crime businesses to kids hacking for fun. Many of them are well funded, nimble, and make their reputations on efforts to do things like steal IPR, ruin companies, or disrupt infrastructure or even whole economies. There are also non-malicious actors, who, by doing something as innocuous as leaving a port open or forgetting to update a security certificate, can have an even more detrimental effect on a company’s security.”
MacKenna sees that it is critical going forward that companies understand the need to integrate into a larger security ecosystem that includes everyone – peers, partners, suppliers, customers, and competitors. “Over time, the discussion will become less and less about security and more and more about trust. The key questions will become, ‘Can I trust this partner?’ ‘Can I work with this organization?’”
In the photo: Matthew McKenna, VP of EMEA at SecurityScorecard