Sam Kassoumeh is the co-founder and chief operating officer (COO) of SecurityScorecard, a pioneering IT security company that has redefined the way organizations assess and manage cybersecurity risks. SecurityScorecard gives organizations deep insight into their own IT security posture as well as that of their third- and fourth-party vendors, which together enables SecurityScorecard to proactively identify and mitigate potential vulnerabilities in its customers’ IT environments.
As part of our founder interview series, Crew Capital’s Brandon Deer sat down with Sam to have a conversation about his journey from a young hacker enthusiast to a cybersecurity entrepreneur. They discussed his early days of learning about cybersecurity, frameworks for thinking through founding a business, his thoughts on security concepts like Zero Trust and shift-left, and where he sees opportunities for LLMs to play a role in security. Sam also shared book recommendations relevant to startups and business.
You can also watch the video version of the interview.
The beginning: from curiosity to expertise
Sam’s journey into cybersecurity began during his middle school and high school years when he discovered the thrill of hacking and the excitement of pushing technology beyond its intended limits. This curiosity about understanding the inner workings of cyber threats was triggered in high school when a classroom Linux server was compromised with a rootkit.
He vividly recalls the moment, stating: “Just the idea that someone had some piece of software that allowed them to gain access into my server; it drove me insane. And I think that was the beginning of when I started getting deep into cybersecurity, like the passion and the drive to understand: How did they do that? How did they get in? What exactly happened in the system that wasn’t supposed to happen, which gave them access?”
During an era with few formal education programs or courses in cybersecurity, Sam stresses the value and impact that self-driven learning had on him. This curiosity turned into a valuable learning experience as Sam and his friends engaged in friendly hacking competitions and experiments, refining their skills while enjoying themselves and learning at the same time. This blend of playful exploration and curiosity led him to delve into Unix and Linux systems, participate in meetups, and spend weekends immersed in computer books at local bookstores, devouring knowledge about Cisco routers, operating systems, and coding.
He reflects on this phase, noting: “You know, that also turned into friends trolling each other. We’d guess each other’s passwords or run remote administration tools on each other’s computers. We used that as an opportunity to learn and also have fun at the same time.”
Solving problems and the path to entrepreneurship
Entrepreneurship was always part of Sam’s DNA. In high school, he started a computer consultancy, offering help with improving computer performance and troubleshooting issues. His early entrepreneurial spirit was nurtured by a supportive high school professor who encouraged him to carve his own path. This spirit continued to flourish as he honed his skills in the tech industry.
“It was just a slow and consistent progression over probably 8-9 years of nonstop continuous learning and taking any opportunity I could to gain more knowledge and more insight around what cybersecurity meant, why it was such a big deal, and since then, it never really went away. It only got bigger and bigger and bigger,” Sam added.
Sam believes that while there are plenty of great ideas, people often overlook the everyday pain points and frustrations they experience with technology. He encourages new entrepreneurs to focus on their daily lives and compile a list of potential ideas that arise naturally, no matter how unusual they may seem.
Aspiring entrepreneurs should focus on solving problems that deeply resonate with them and keep them awake at night. The key is finding an idea that aligns with one’s core values and generates a profound passion for solving it. While entrepreneurship presents challenges, it’s the unwavering commitment to solving a problem that motivates Sam every day.
“Finding that one idea that you’re so viscerally passionate about solving, I think, is key. I always encourage folks to keep going because starting a business is hard, and running a business is hard. It’s during the difficult times, in which the visceral understanding and passion for solving that one problem will get you out of bed every single morning. Whether it’s a great day or a difficult day, I am here because I experienced the problem that my business is solving at such a visceral level, and it frustrated me so much.”
This drive to solve essential problems catalyzed the founding of SecurityScorecard. It all began when Sam crossed paths with his business partner, Aleksandr Yampolskiy, during their time at Gilt Groupe in New York. Together, they embarked on a mission to enhance cybersecurity risk management for organizations, ultimately giving birth to SecurityScorecard in 2014. Their mission was clear: to revolutionize cybersecurity risk management, making the world a safer place by enabling organizations to assess, mitigate, and communicate cybersecurity risks effectively.
“That’s actually how we started SecurityScorecard. I was losing sleep. I was worried that I was going to lose my job because of the negligence of a third-party vendor whose product I have in my IT environment, which I don’t own or operate, but it handles my sensitive data. So, how do I ensure that this vendor is at least as good as I am at handling my sensitive data? It is that type of experience, which sometimes creates scar tissue, but it eventually builds up, and it causes a change of state.”
The role of perseverance in SecurityScorecard’s early days
Sam highlights one of the most significant challenges encountered by many early-stage founders: fundraising. He and his co-founders were first-time entrepreneurs, juggling full-time jobs while aggressively seeking funding for their startup. The process was riddled with rejections, and a recurring theme emerged, which Sam calls “the dreaded ‘BUT.’”
“We were in the process of building a prototype while simultaneously embarking on fundraising endeavors, and it seemed like we couldn’t escape the ‘no’s. It wasn’t that people lacked belief in our idea; they often said, ‘That’s a truly fantastic idea, but…’”
Sam even recalls a pivotal moment when someone abruptly interrupted their pitch, remarking, “I think you guys are going to be terrible co-founders.”
The weight of continuous rejection took its toll, leading to a candid moment when the team began to question, “Is it worth it? Is it worth continuing despite getting told ‘no’ 30 times, 50 times, 100 times? While only getting perhaps just one or two ‘maybes’?”
However, their unyielding commitment spurred them to persevere. They established a deadline, resolutely determined to make it work. As Sam succinctly puts it: “You just need one ‘yes.’ It goes back to the essence of an entrepreneur’s mindset – the ability to pull oneself up by the bootstraps and declare, ‘By this date, come hell or high water, I will make it work, or I’ll chart a different course.’”
The growing impact of generative AI in cybersecurity
Sam discusses the growing impact of generative AI and large language models (LLMs) on the software industry, highlighting their integration into all kinds of applications and noting that nearly every software product now includes some form of generative AI capability. These capabilities range from chatbots to developer tools and browser-based productivity enhancements. He sees AI and LLMs as tools still in a transformative phase: their use in cybersecurity is surrounded by both hype and genuine exploration, and he believes there is a need to categorize AI security solutions more clearly.
Opportunities in security for implementing LLMs
Sam identifies three primary areas of focus for AI in cybersecurity:
Automating, orchestrating, and remediating alerts. “Security by nature is difficult to assess. It often requires humans in the loop, plus experience and gut instinct, to dig in. One of today’s major problems for cyber professionals is fatigue: too many tools, too many logs, and just too many bells and alarms ringing. And too much manual effort trying to understand and decipher what it all means. Plus, there are the unknown unknowns, the things that aren’t ringing any alarm bells or aren’t producing any logs that could also be a problem. AI will be able to increasingly help security teams understand what is happening and what to do about it.”
AI-assisted security assessments and code assessment. “We can apply LLMs and AI to accelerate areas of vendor assessment workflows that are typically very manual. Cybersecurity due diligence involves questionnaires and data exchange. Then there’s a human on the other end who’s got to go sift through all that information and try to form an opinion. I think we can accelerate that with AI, and potentially eliminate certain parts of the due diligence lifecycle.”
Securing LLMs and AI infrastructure. “The third one, I think, is going to be around actually securing the models themselves and securing the infrastructure that AI-assisted technology is running on. It’s still in super early stages and ripe for disruption. I’m not sure that we entirely understand what needs to be done there just yet, but I can see over time hackers targeting these LLMs because they’re often fed sensitive data.”
Sam’s take on what’s next for Zero Trust
Turning to Zero Trust, Sam offers a thought-provoking perspective. While he acknowledges its importance and the need for companies to move away from defaulting to trusted access for all employees, he also challenges the current state of Zero Trust tools in the market. In his view, many of these tools are overrated and over-marketed, often positioned as a one-size-fits-all solution to identity management.
Sam sees room for improvement for Zero Trust models to move toward more effective solutions with less marketing hype. “Zero Trust architecture is a great concept. It’s been around for a long time, and I believe it’s a correct concept that should be employed by companies, meaning we should not default to trusted access for all employees. However, there is a long way to go in truly securing Zero Trust. When it comes to hackers, there are still numerous pathways they can exploit, bypassing the controls marketed to CISOs today.”
The importance of developer-centric security
Another trend Sam highlights is the need for secure coding practices, often referred to as the “shift-left” movement, a name that refers to moving security “left,” that is, earlier, in the software development lifecycle.
Sam believes developer-centric security has been historically underserved, and despite emerging winners such as Snyk, he still sees significant opportunities for improvement and innovation in developer security.
“I think it’s a very underrated space, and we can do a lot more on the developer side for the DevOps guys, and for cultivating DevSecOps. There are solutions out there, but I think dev-centric security was so underserved for so long that we have a long way to go.”
Creating solutions, not just technology: a customer-centric approach
Reflecting on SecurityScorecard’s growth from a startup to an industry standard, Sam underscores the critical role of creating comprehensive solutions and gaining insight into customer needs that extend beyond technology.
By understanding the specific business outcomes that customers are working towards, startups can develop a much more comprehensive value proposition. This involves presenting your product as a solution that empowers customers to attain their objectives, whether it entails generating revenue, optimizing efficiency, or mitigating risk.
“Grab a couple of design partners and understand with deep empathy what’s going on in their business, understand the outcomes they’re working toward, and understand what they expect out of a free tool, versus what they would pay a lot of money for. That can help entrepreneurs hone in on the areas that matter. Then, just build. Build right next to that future customer, do regular check-ins, keep a tight feedback loop, and eventually, there’s going to be some breakthrough that takes place. There’s going to be an ‘aha!’ moment that will provide more clarity.”
This customer-centric approach led to industry recognition, with analyst firms like Gartner and Forrester playing pivotal roles in shaping market opinion and giving customers transparency and trust in the ratings. “We worked with industry analysts to help gain mindshare. That was important. For example, we have partnered with the U.S. Chamber of Commerce to create the principles of Factor Analysis of Information Risk (FAIR) cybersecurity rating. So anybody playing in the space had some bumper guards and some guidelines because it’s not a regulated space like traditional ratings are by the Federal Communications Commission (FCC).”
Establishing trust and transparency as industry standards
In cybersecurity, trust is paramount. Sam explains that transparency was their chosen strategy, building trust by being open about the rating system and using a “glass box” approach. A trust portal was created to explain the system’s mechanics, promoting radical transparency for customers who used their product to make critical business decisions.
“Establishing trust, for us, meant being incredibly transparent with customers. We invested a lot of time building things like a trust portal, where we explain all of the mechanics of how a rating is produced so that when anybody asked, we could tell them the formula that we use for producing a rating, all the types of data we collect, and the cadence that we collect it. The trust we engendered among our customers helped us quite a bit in the early days to become a standard.”
Sam’s recommended reading list
Sam’s commitment to personal and professional growth shines through his reading habits and the valuable insights he attributes to books. Sam shares his belief in embracing imposter syndrome as a driving force for self-improvement. He sees it as a means to foster a mindset of humility and a thirst for knowledge.
Among his recommended titles, “Measure What Matters” by John Doerr stands out as a must-read for its guidance on effectively tracking KPIs and OKRs, a challenge many companies face.
Sam also recommends “The Cold Start Problem,” by Andrew Chen, highlighting key learnings on rapid experimentation as a means to drive innovation.
Additionally, he mentions “Who Do You Want Your Customers To Become?” by Michael Schrage, which explores customer transformation and its impact on business success.
Lastly, Sam calls out “Amp It Up” by Frank Slootman for its focus on challenging norms, questioning the status quo, and preventing the bureaucracy trap as startups grow.