Dell Leads $12M Investment in Security Assessments Firm RiskRecon

It’s hard enough for businesses and organizations to secure their own networks against cyber attackers. But with the rise of cloud computing and increased outsourcing of business operations to third parties, companies must also worry about the cyber defenses of vendors and partners who have access to their sensitive data and other digital assets.

Just ask Target, for example. The retailer’s high-profile data breach in 2013 was traced back to network credentials stolen from a contractor, reportedly a provider of refrigeration and heating and air conditioning systems.

But monitoring the security level of vendors can be a dizzying proposition, especially for large enterprises who might work with hundreds or thousands of partners located around the world.

Entrepreneurs and investors see an opportunity to solve this problem with software that can cull publicly accessible data to evaluate the cyber defenses of thousands of businesses and organizations. The goal is to provide information that customers can use to make business decisions and pinpoint weak spots where they should work with vendors to shore up their security.

RiskRecon is one of the players in this emerging sector of the broader cybersecurity industry, and today the startup got a boost from a $12 million Series A funding round. The investment was led by Dell Technologies Capital, with contributions from F-Prime Capital Partners and General Catalyst Partners, which led RiskRecon’s $3 million seed round.

The new money will go toward product development and sales and marketing, says RiskRecon founder and CEO Kelly White.

Cybersecurity “risk is moving out to the third parties, but the instrumentation necessary to manage that risk is still lacking in most enterprises,” White says. “What RiskRecon is doing is providing deep transparency into the IT landscape and the security performance of any enterprise that a company transacts with. We do this automatically, at scale, so that companies can cover hundreds and even thousands of vendors to get that transparency that they need in order to hold their partners accountable to good IT and security standards.”

White says RiskRecon accomplishes this with software and algorithms that find the systems that an organization operates on the Internet—Web pages, e-mail servers, and so on—and analyze the publicly available information about those assets, such as what version of software they’re running and how their security protocols are configured. RiskRecon measures more than 40 security criteria, White says.

For example, it might point out that a vendor is running outdated software and should consider strengthening its software patching procedures, he says. It can also be used to determine if any vendors might be vulnerable to specific cyber threats, such as the recent bug found in the open-source software Apache Struts.

RiskRecon was founded in 2015 and has 30 employees. They’re located at its headquarters in Salt Lake City, UT—a growing tech hub where White and his company’s engineering and operations teams are based—and in Boston, where the sales and marketing team works, he says.

RiskRecon has gotten the most traction among customers in financial services, insurance, and healthcare, White says. He declined to share company revenues, so it’s hard to know how well RiskRecon’s business is doing.

The company is up against better-funded competitors who have been at this longer. Security ratings firm BitSight Technologies got started in 2011 and has raised $95 million in venture capital. The Cambridge, MA-based company was aiming to generate over $30 million in sales in 2016, a BitSight executive told Xconomy in September. There’s also New York-based SecurityScorecard, which was founded in 2013 and has raised over $34 million from investors, according to SEC filings.

White doesn’t sound worried about the competition, and he thinks there’s plenty of room in this emerging field for multiple successful companies.

“I think this is a young space,” White says. “RiskRecon is at the right place at the right time.”
