Security Scoreboard - "Yelp" for Enterprise Security Products?

Security Scoreboard assembles user-generated reviews of information security products with the goal of helping enterprises select infosec vendors. The idea reminds me of sites such as Yelp and Angie’s List, which collect and distribute feedback about products and services from real-world customers.

It’s great to see an effort to bring transparency into the world of enterprise security purchases. Security Scoreboard is looking to provide additional data points for the process enterprises follow when evaluating and selecting information security products, services and vendors.

It’s an endeavor from which the security community can truly benefit if Security Scoreboard is able to capture and maintain the attention of high-quality reviewers. The challenges that Security Scoreboard will need to overcome include:

Generating sufficient interest from the user community that would contribute accurate product reviews. One way to accomplish this—I am just brainstorming—might involve introducing social networking features to the site (Quora did this well), providing top reviewers perks (like Yelp), or perhaps even paying some contributors for their reviews (a bit like Amazon Vine).

Obtaining accurate and detailed reviews from the users. If the site’s users provide few details in their review or if they don’t put thought into how they rank products, the advice provided by Security Scoreboard will not be useful. This will probably involve ranking reviews and reviewers. Perhaps the company can build a reputation system that will assign higher significance to more trusted users. Maybe it can also tap into a source of social reputation data, such as Klout rank. (Again, I’m just throwing ideas around.)

[Providing users with the information necessary to make purchasing decisions.]{} The complexity of enterprise products and services make it hard to evaluate their effectiveness. One person’s negative experiences might not be relevant for another person, for instance. Security Scoreboard might need to think beyond a model based on average user ratings to provide accurate and actionable advice. (Perhaps something like Netflix’ recommendations engine?)

Getting support of security analysts and vendors to increase momentum. Traditional analyst firms, who provide vendor or product recommendations might be threatened by the site’s goals and persuade their customers against using Security Scoreboard. Similarly, product vendors might not like seeing negative feedback on the site. (Remember how disgruntled store owners accused Yelp of extortion?) Security Scoreboard will need to put effort into a ranking and commenting system that is seen as being fair by the various members of the security product ecosystem.

Security Scoreboard has an opportunity to improve the way we purchase enterprise security products and services and, as the side effect, provide vendors with incentives to improve their offerings to capture the minds and hearts of their customers. To accomplish this, Security Scoreboard has a lot of work to do to build a community, expand the features of its current website and fine-tune a business model. The company’s recently-received initial funding round should help it move forward with its plans.

Update: For a few more notes about Security Scoreboard, read the thoughts that Anton Chuvakin and Dave Shackleford shared about it.

About the Author

Lenny Zeltser is a cybersecurity leader with deep technical roots and product management experience. He created REMnux, an open-source malware analysis toolkit, and the reverse-engineering course at SANS Institute. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He writes this blog to think out loud and share resources with the community.

Learn more →