
Security Scorecard

by Alex Heid | Launched 2015 | via Nathan Latka Podcast
ARR: $100.0M
Growth: product led growth
Pricing: subscription

The Spark

About 11 years ago, Alex Heid was hired as Chief Security Officer at Guild Group, a rapidly growing e-commerce fashion startup scaling from hundreds to 2,000 people. His boss, Kevin Ryan (founder of Business Insider and MongoDB), challenged him with a blunt critique: "You're not doing a good job. I don't hear enough people complaining about you." This feedback—that impact requires visible friction—became foundational to Heid's thinking. More importantly, it sparked a realization: cybersecurity was the only industry with zero KPIs. You could invest a million dollars in security technology but couldn't answer whether you'd become 1%, 2%, or 10% safer. As companies became interconnected, the problem worsened—65% of data breaches were caused by negligent third parties outside a company's control. This gap became the seed for Security Scorecard's vision: create a "security score" like credit scores, reducing non-intrusive data points into a single, actionable metric for any company globally.

Building the First Version

The journey wasn't obvious. When Heid and his business partner approached prospective customers as a two-person team with zero revenue, they received a lukewarm reception—a critical lesson. The idea wasn't obvious to the market, which paradoxically meant it was timely. Over nine years, the company evolved to 600 employees in 46 countries, but early decisions revealed surprising truths. In 2015, Heid spent four months and millions on a "bridge multiplier" feature using Kolmogorov-Smirnov complexity to compute portfolio similarity—a mathematically elegant solution that flopped because only Heid could pitch it. His sales team couldn't understand it. Meanwhile, a developer named Josh coded a simple widget on a weekend without being asked: put the security scores on a website, let people request their score by email, and follow up with marketing. This unasked-for experiment became the company's number-one lead generation tool—still delivering results today. The lesson: cheap, quick experimentation beats great ideas; constraints breed creativity.

Finding the First Customers

Security Scorecard's early traction came from recognizing what jobs customers were actually trying to do. Rather than thinking product-first ("we have security scores"), Heid adopted a jobs-to-be-done lens. Customers didn't buy scores to own a metric—they bought them to justify budgets, convince boards they were doing their jobs, or decide whether to trust a vendor. This reframing expanded the company's aperture. The simple widget that Josh built became the Trojan horse: prospects could instantly see their score, creating both a lead magnet and proof of value. Over time, the company learned to embed its solution so deeply into customer workflows that it became indispensable—a system of record, integrations, and brand loyalty all reinforced by relentless customer obsession.

What Worked (and What Didn't)

Heid's largest structural innovation was embedding customer obsession into company culture. Every executive meeting started with 20 minutes of customer stories before discussing OKRs or roadblocks. Every executive was mandated to talk to customers—not optional. The most important chair was an empty one, representing the customer. The company hired, fired, and promoted based on customer engagement. When a smart, talented executive showed a weak customer calendar, Heid moved her to a different role despite the short-term disruption cost. This ruthlessness paid off: it signaled that customer obsession wasn't PR, it was operational reality.

The other critical insight: the "deadliest competitor" isn't other startups or adjacent solutions—it's doing nothing. Before Security Scorecard, enterprises survived without quantified cyber risk. The company had to transform customers into believers in security scoring. This meant making the intangible tangible. Heid recently released Cyber Risk Quantification, which expresses risk in dollar terms. Product-centric teams see a number. Job-centric teams see a budget justification tool or board proof point. This mindset shift unlocked customer transformation and deeper stickiness.

Where They Are Now

Nine years after launch, Security Scorecard has scaled to 600 employees across 46 countries, serving thousands of companies including 9 of the top 10 pharmaceutical firms, leading banks, and all top insurance companies. The company exceeded $100M in annual run rate last year and is projected to grow by at least 50% this year. Heid credits this success to three principles: (1) betting on people who take risks and have a healthy disregard for the impossible (he's now an angel investor in Josh, his original developer, who founded a customer success startup); (2) building a culture where cheap experiments trump grand ideas; and (3) relentlessly focusing on the jobs customers need done, not the features being built. Heid's parting wisdom: "Your most unhappy customers are your greatest source of learning."

Why It Worked
  • The founder identified a genuine market gap where no quantitative metrics existed for security decisions, allowing Security Scorecard to create an entirely new category rather than compete in an existing one.
  • Product-led growth through a simple, self-service widget that let prospects instantly see their own score eliminated sales friction and turned product usage itself into the primary customer acquisition engine.
  • Reframing the customer problem from 'owning a security metric' to 'justifying budgets and building trust with stakeholders' revealed the true job-to-be-done and expanded addressable use cases beyond the obvious.
  • Cheap, rapid experimentation by individual contributors (Josh's weekend widget) outperformed expensive, mathematically sophisticated solutions that only leadership could explain, proving market fit trumps feature complexity.

How to Replicate
  1. Start by identifying an industry where the core outcome is unmeasured or unmeasurable, then design a simple, quantifiable scoring system that reduces complexity into a single actionable metric customers can understand immediately.
  2. Build a self-service proof-of-value experience (like the security score widget) that prospects can try without talking to sales, allowing the product itself to generate leads and demonstrate value before any sales conversation occurs.
  3. Map customer problems to the underlying jobs-to-be-done rather than your feature set—interview customers about what they're actually trying to accomplish (budget justification, vendor trust, board credibility) and design solutions around those jobs, not your product.
  4. Run low-cost, low-friction experiments by individual team members without formal product approval, then measure which experiments drive actual customer acquisition and double down on cheap winners rather than investing heavily in complex solutions.

Similar Companies

247.ai

$25.0M/mo

247.ai, founded by PV Cannon in 2000, is an AI-powered customer service automation platform serving over 150 enterprise customers with $300M+ in ARR. The company raised only $20M from Sequoia (2003) and bootstrapping, achieving 10% net profit margins while maintaining a 12-month CAC payback period and 100% net revenue retention. Despite a security breach setback around 2018, 247.ai has recovered and recently achieved 20% new revenue booking growth in its best quarter.

iCIMS

$13.3M/mo

iCIMS is a bootstrapped SaaS provider founded in 1999 that dominates the talent acquisition software market as the #2 player, serving 3,500 enterprise customers with an average monthly spend of $4,000. The company exited 2017 with $160M ARR and is targeting 25%+ annual growth while maintaining profitability, recently acquiring Text Recruit to expand into candidate messaging and recruitment advertising.

Zoom

$12.0M/mo

Zoom is a freemium SaaS video conferencing platform founded by Eric Yuan in July 2011 after he left Cisco to build a next-generation collaboration solution. The company has grown to 850,000+ paying customers across individual, SMB, and enterprise segments, generating over $12M in monthly recurring revenue with approximately 100% year-over-year growth. Rather than focusing on customer stickiness or aggressive growth targets, Zoom emphasizes customer happiness and organic word-of-mouth acquisition, which has proven highly effective in driving viral adoption.

Madwire

$10.0M/mo

Madwire is a comprehensive SaaS platform for small businesses (1-100 employees) that combines CRM, payments, invoicing, billing, e-commerce, and multi-channel marketing tools in a single platform. Founded in 2009, the company has grown to $120M ARR serving 20,000 customers with an average revenue per user of $500/month, while maintaining strong unit economics ($3,000-$4,000 CAC with 3-month payback) and recently turning profitable with a focus on reaching 15-20% EBITDA margins. The company is exploring an IPO within 12-18 months without having raised substantial capital beyond an initial $7.5M.

SwiftPage

$7.0M/mo

SwiftPage is a CRM and marketing automation platform founded in 2001 that targets small businesses. Under CEO John Oshel's leadership since 2012, the company scaled from 60,000 customers with $26.2M revenue in 2015 to 84,000 customers today with an estimated ARR of $36M+, maintaining 1.5% monthly logo churn and a 6-7 month payback period with a sub-$500 CAC.
