At RSAC 2025, theCUBE's Dave Vellante sits down with Jason Thompson, COO of SecurityScorecard, to look at the shifting world of supply chain security. Thompson unpacks how SecurityScorecard is evolving its strategy to tackle emerging threats, blending cybersecurity ratings with real-time detection and response to protect today’s complex ecosystems.
Thompson highlights SecurityScorecard’s focus on supply chain detection response, a critical pivot as global cybersecurity threats escalate. The conversation explores how real-time action, not just visibility, is redefining third-party risk management and strengthening organizational defenses in an increasingly interconnected digital landscape.
The discussion zeroes in on how supply chain attacks amplify the urgency for automation and faster incident response. SecurityScorecard is working to reduce exposure windows and help companies stay ahead of risks, according to Thompson.
Jason Thompson, SecurityScorecard
Dave Vellante
>> Hey everybody. Welcome back to Moscone West. You're watching theCUBE's continuous coverage of RSAC 2025. My name is Dave Vellante. John Furrier is here, as well as Jackie McGuire and John Oltsik, the whole Cube team. We're really excited to have Jason Thompson in the house, he's the Chief Strategy Officer at Security Scorecard. Jason, welcome. Good to see you.

Jason Thompson
>> Good to see you as well, Dave. Very great to be here.

Dave Vellante
>> Yeah, thank you for taking some time. I mean, everybody knows Security Scorecard as you guys kind of do the A to F ratings, but we were just talking how much more you do, but give us the update on the company and your role.

Jason Thompson
>> Sure. So we've been moving more towards supply chain detection response, which is a natural growth story for us. From our core of the ratings, we basically are looking at the issue, specific type issues, findings that you have in your supply chain, and then we take a detection response approach to that, much like XDR and MDR, and apply response actions to those detections. So companies right now are getting stuck at, hey, I see there's something bad happening in my supply chain, but now what do I do with it? Even a simple first step, like who do I contact, becomes a really difficult thing for companies to do because they don't know who is the right contact. So from our perspective, if we can facilitate that and eliminate that friction, that becomes highly beneficial for organizations so they can actually resolve those issues.

Dave Vellante
>> Yeah, it's like drilling for oil in the old days. No, no, no. Oh, yeah. Okay. So you're running around trying to figure out where the root of the problem is, and you guys can compress that. So step back, we were talking off camera, I said was SolarWinds kind of the catalyst of this. You were like, yeah, well the supply chain's been a problem for a long time. It's just, you didn't say this, but I guess I'll finish the sentence. It's like, okay, that hit the news and it was an insidious attack and one really kind of novel that we hadn't seen before. Although Log4J, like you said, and many others. So take us through the history, if you will, of the supply chain attacks from a threat standpoint, how has that evolved?

Jason Thompson
>> Well, it's getting worse, first of all, and two, when something happens, take CrowdStrike's issue that they had, which wasn't cyber related, but when that happened, everyone wanted to know where in my supply chain is this? How is this going to impact me? What are the implications for our business? So if you apply that same issue of an outage to a cyber security attack, of which there's many instances of that, all of a sudden you realize that there is this huge impact across the entire multiple industries across the globe that could potentially impact an organization. So from that perspective, companies want to know where are these risks living inside of my organization or outside of my organization in the supply chain that are going to be connected to me? How do I identify those and how do I resolve those? The issue that I think you see hundreds of millions and potentially billions of dollars worth of investment into trying to solve this problem. It hasn't really gotten to the point where you can actually get to remediation. Remediation is the key. So if I can just identify an issue and say over and over again, hey, there's a bad thing happening, a high vulnerability, a CVE that's very high scoring, that's an issue for an organization, but what do I do about that? That becomes the next issue of how do I connect the dots to the people in the organization that is my supplier that can actually resolve that issue. And if you can't do that, you actually can't do a full detection response framework. You can't complete that task.

Dave Vellante
>> So you hear these catchy phrases like peacetime and wartime security.

Jason Thompson
>> Yes.

Dave Vellante
>> So is this peacetime before the war hits, or is it when the bombs are dropping, they're calling you? Where do you fit in that spectrum?

Jason Thompson
>> When you think of ratings, that is really more of a risk management approach of saying, I'm going to put something in a bucket of A, B, C, D, F. I'm going to try to reduce my risk. If you look at supply chain detection response, just like MDR, XDR, cloud detection response, that really is more wartime, something's gone boom. Now I've got to go. I've had to take an action on that. So by applying both of those things through a single platform or a single approach, we both have the risk management approach, but also we see third party risk management and vendor risk management more and more focusing on the SOC and security operations. We've got to bridge the two together because right now they're separate. Third party risk management and vendor risk management has tended to be more administratively focused and is not focusing as much on actually resolving the risk. The SOC is aware of this, the threat intelligence folks are aware of these issues, but they don't know how to unlock the path to get that resolved. So they're kind of stuck. If we can bridge those two together and then create a connection path to those partners, at that point, we're actually going to resolve or begin to resolve the supply chain issues that are out there.

Dave Vellante
>> So that's the difference between traditional third party risk management approaches and what you guys are doing is you're actually taking action, or at least demonstrating how to take action. So how does it validate that, double click on that if you would?

Jason Thompson
>> So our first product in that area is our MAX product. So that's been out there for about a year and a quarter. That's our fastest growing product right now. So that takes the same data and telemetry we have in the security ratings platform, the scorecard platform, and we actually put a managed service on top of that. So that managed service group will actually reach out to the vendor and work to remediate issues. So you reach out to a vendor, let's say it's some small packaging supplier, they don't even have a security team. You reach out to them and they say, I don't know if that's ours and I don't know what to do about it. That's if you can find the person to talk to. So you've got to have somebody on the other side that can help them resolve that issue. So that response action alone, that actually is the component that reduces the risk significantly. If you just leave that as a risk that I've identified, but you don't take any action off of that, that's going to get exploited. When that gets exploited, then it's going to start to impact your own organization, potentially your supply chain, and that could be a critical vendor. There are critical vendors that are very small vendors for large companies that have very little cybersecurity capability and they have no ability to resolve that. Internal organizations, if you think about the macro, every single company today has to develop their own vendor risk management protocols and teams. They do not have sufficient staffing, especially now with cuts and layoffs, to make sure that they're able to support that function, and they don't have the technical capability to reach out to all of these vendors to go resolve that. That's where we come in from the response side of that. So that's where supply chain detection response comes in. We're starting off with a managed service. We'll be announcing something later this year around a product on that that will be designed to facilitate a better connection between the suppliers and customers, but that is the secret sauce. That is how we're going to make supply chain cybersecurity and cyber risk. How we're going to reduce that.

Dave Vellante
>> How does the resolution work? Is it automated? Is it human in the loop? Is it a combination? Is the industry moving toward greater automation?

Jason Thompson
>> Greater automation is going to be key. I mean, right now you're at a point where we wait for a customer to find an issue in a supplier's environment, and then the supplier reacts to the customer's questionnaire. That's a pretty bad way to do cyber risk considering that data is already available. So we actually have ESM solutions. We have footprinting solutions where you can actually say to a vendor, you can proactively see what's going on here, but a lot of companies don't either know to do that or they don't have that in place. So you still have this sort of like the issue's been identified, the customer finds it, then they're going back and forth, back and forth with the vendor to go ahead and resolve this. In the meantime, the bad guy already sees this, right? So this is the time. This is your exposure time. And so what we're trying to do is get to the point where we can actually shrink that exposure time down so that the vendor sees this immediately and then can report back and say, we solved the issue even before you sent us a questionnaire and said, hey, what's this issue? We report back to you that that's been resolved and it's done. That's the panacea. If we can get to the point where we have agentic AI doing that back and forth, that's even better, because at that point we remove a lot of the administrative work that you have to put in place to communicate back and forth. We're not quite there yet. We're probably five to seven years away from that, but that's where we want to get to.

Dave Vellante
>> Thank you for that, by the way, because I've said the same thing. Because it's a data problem, you've got to actually solve that before you can actually trust that an agent is going to go act on your behalf. But talk about the IP that you have in Security Scorecard and the relationship between your traditional A to F across factors like network and security, DNS health, all that other stuff that you guys do, and how you apply that to the supply chain problem and then new innovations that you had to develop.

Jason Thompson
>> So right now it's similar data sets, right? It's just used in a different way. If you think about the risk management component, you start with the score and you work your way down. From a detection response perspective, you start with the issue and then you work with the most severe issue that has the greatest business impact and you work your way down. You're trying to eliminate those risks, and if you have an incident, then you've got to respond to that incident as well. So they're similar. They're using the same underlying IP and data set. So for us, it's actually just flipping the cards and saying for the ratings use case, for the risk management use case, we start with the score; for the security operations folks, we start with the issues, and this has always been sort of a little bit of a pull in the market because the SOC has not always loved the rating side because we're starting with the score. So if I come up to you and say, hey, Dave, you've got a D, right? And you said-

Dave Vellante
>> What do you mean?

Jason Thompson
>> Yeah, exactly. What do you mean? Okay, so the risk management folks want to know that. They want to know, how do I easily categorize this? Just like a credit score, just like if you went to a lender, they want to know if you're a 650 or a 720 and that's going to price your cost for your loan, your interest rate, and this perspective of the SOC is very different. The SOC wants to know what is the thing that's going to get me popped today? How do I die today? And as an industry or as a market, we have not done a great job of talking to the SOC and showing them that telemetry. Now we're starting to do that and they're going like, oh, this is actually really valuable for us. We actually want to know what's happening here. And if you start looking at compliance requirements and how organizations are looking at this, so go off into Europe, which obviously leads with regulation way before the United States does, they've already got... We've got customers that are major financials in Europe where the national government is reaching out to these financials saying to them, we're monitoring your supply chain, and by the way, we saw this and need you to take care of it. And that's fitting into this DORA framework that they're building out there. That's saying you've got to know what your third parties and fourth parties and beyond are doing, and you're legally responsible for that. That's going to come stateside too, it'll also hit Asia. But from a security perspective, beyond just compliance, those are really critical things because now people know like, hey, got to take control of these supply chain issues and you've got to move this closer and closer to security operations because it is a life or death kind of scenario for most organizations.

Dave Vellante
>> So it was a TAM expansion for you without the product risk.

Jason Thompson
>> Correct.

Dave Vellante
>> Right. I mean, you kind of already have the product market fit because you know the persona wants this. In fact, it's a more receptive persona, is what you're saying.

Jason Thompson
>> Exactly. Really taking that same data set and exposing it in a different way and to a different use case. One of the things that allowed us to do this, we acquired a company called LIFARS, which was a professional services firm that did incident response and things that we've been working more closely tied to the SOC. And that crew, when they looked at the data, they came back and said, hey, there's a use case for this on the security operations side, and if you do this, this becomes very valuable. And all of a sudden we show that to folks and they said, yeah, so from the standpoint of being efficiently moving into an additional adjacency, and I think it's a bit of a blue ocean too, because there's really no one else there. If you go around here, you see at RSA, there's many acronyms that are used over and over again. I think ours will be the only one that says supply chain detection response. And if you think about how that fits into the overall picture, XDR, that core, cloud detection response, that next layer out, that final frontier is really supply chain detection response.

Dave Vellante
>> Okay, as a strategy person, you got to think about at least roughly the size of these markets and are you going to have to... How do you think about the overall TAM? How does it compare to say, XDR and your previous business?

Jason Thompson
>> So we look at endpoints from the outside in, EDR looks at it from the inside out, so inverted. That's smaller than EDR because you're going to have more endpoints, servers, things like that internally. It would be in the billions if you fully extrapolated this market out. I think it fits into the XDR market very nicely. So we're looking to partner with XDR solution providers. We also are developing this as a partner-first approach. So we're talking to the biggest of the big as far as partners, service delivery partners, cybersecurity partners, you can imagine who those are, all the way to organizations that are doing service delivery and also re-sell. So there's a large community out there of folks who are already doing detection response with XDR. They're also doing third-party risk. It's very inefficient. They're really excited about using this as an engine for their continued business as well.

Dave Vellante
>> We just did a survey with our partners Enterprise Technology Research. And they had a question in there. It wasn't a small, it was 500 N, not tiny, big enough. Just last week they released the results. And the question is, how has rising geopolitical tensions and cyber threats influenced your company's cybersecurity budget? And 43% said they've changed their spending habits because of threats. And then a large percentage, I think it was like a third, said they've actually already seen heightened attacks related to the change in geopolitical tension. So I think of the pyramid. You got nation-states, you got organized crime, you got hackers. AI is helping the bottom end of the pyramid, the top end of the pyramid is super sophisticated, throw in supply chain, and it's just a mess. It's chaos. And so in a way, these uncertainties sort of must be a tailwind for your business.

Jason Thompson
>> I think so. I mean, if you look at, especially today as we start to see some of the challenges to the global supply chain, we start to realize even if you shift from, say U.S. and China, China shifts back to Europe, your supply chain's still connected. And so it is a web and I don't think you're going to sever that web. And so that creates a lot of complexity for organizations to understand where is that piece of software that is going to cause a problem for me? Where is it coming from, potentially. What nation-state is it coming from? Does it have vulnerabilities? All those things live out there in a very dynamic ecosystem that is very challenging for organizations to get ahold of.

Dave Vellante
>> Right? I mean, I saw in Financial Times last week that Apple's going to move the production of 60 million iPhones to India. Okay, well, interesting. I mean, that's Apple, so I'm sure they've got resources to secure this, but these small businesses don't. And if they have to change their supply chains to different suppliers, different software supply chain. And so how do I engage with you? What's the engagement model?

Jason Thompson
>> As far as if you're a buyer from me?

Dave Vellante
>> Yeah. How do I buy from you? What am I buying? Who's your ICP?

Jason Thompson
>> ICP can range and it's a little bit different depending on the product type. So we see a maturity curve in place. So organizations that are at the lower end of the maturity curve are likely going to be using ratings and questionnaires, basic blocking and tackling things they need to do. As organizations get more mature, and we're seeing this in the heavily regulated industries, they want our MAX product, they want our SCB product line. That is for organizations that need to make sure that, especially within their most critical vendors, that those are monitored and managed 24/7, if there's an issue, it's being addressed and they can reduce the time of any kind of vulnerability exposure. If there's ransomware present, they're notified of it and they can make decisions. So it kind of depends. We have solutions for each organization based upon where they're at. Not everyone's going to start with MAX. Some will start with basic ratings, some will start with questionnaires. Some will start with a productized version of MAX, which is our SCBR product. That is done purposefully. Because even if you look across the globe in APAC for instance, they're still in that early adoption phase for the basics. When you get into heavily regulated industries in North America and Europe, they're saying, we need something that's supercharged to make sure that 24 by seven, this is managed just like we do with XDR and DR.

Dave Vellante
>> And size of company that you sell to?

Jason Thompson
>> Size, it can vary. So we've got thousands of companies that are using our premium version, which is they can access their own scorecard for free, all the way up to the biggest banks in the world. So it depends. For our SCBR products, we've started to sort of test the model top of market, and then we're coming down to meet the needs, probably working more with the MSSP and other service providers on that. But our core product line, which is our ratings product line, that can be used across any industry or any company size.

Dave Vellante
>> And it's a combination of service and software, or is it pure software or pure service?

Jason Thompson
>> The MAX product is more of a, think of CrowdStrike's MetaService model. So that is a very similar model to CrowdStrike Complete, where you've got something at the very top where you'd want a managed service to run that for you. And we have self-serve product lines as well, so you can do that as a self-serve as well. We find that a lot of organizations now are looking for something around a co-managed solution. The external telemetry ends up being a bit esoteric for a lot of organizations to understand. This is true with risk intelligence, threat intelligence. The Internet's a wild place. And so when you look at something and you have a specific amount of knowledge about how to take an action on that and to identify what that is, a lot of organizations want to be able to pick up the red phone and say, hey, Security Scorecard, we need your help with this. And they want a co-managed environment for some of these as well. So we flex to meet the needs of what the companies want.

Dave Vellante
>> So what do you got going on here at RSAC?

Jason Thompson
>> Threw the extra letter in there, so we've got a booth here, so we're exhibiting, we've got a ton of great meetings with partners and customers. It's a great event every year for us.

Dave Vellante
>> Where's your booth? Is it north, south?

Jason Thompson
>> I think it's on West.

Dave Vellante
>> Okay. Yeah, it's West. So a good-sized booth, and stop by.

Jason Thompson
>> We've got some cool stuff there and cool giveaways, T-shirts, things like that. But most importantly, you can demo the MAX product. So if anyone's looking for a supply chain detection response solution, or you're interested in taking your third-party risk and vendor risk management to the next level, bridging that with your security operations, it's a great place to stop by and just learn a little bit more.

Dave Vellante
>> Very cool. Well, Jason, thanks for stopping by and sharing a little bit about Security Scorecard and good luck in the future.

Jason Thompson
>> All right, thank you.

Dave Vellante
>> Great to have you on. All right, and thank you for watching. This is Dave Vellante. You're watching RSAC 2025, theCUBE's coverage. John Furrier's here, myself, Dave Vellante. We're right back right after this short break.