Ellis Rosenzweig – CyberGRX
That data breaches are invasive, expensive and frightening is not news. What’s less known is that some of the worst breaches—including the 2013 theft of data from the Target retail chain—are not a result of direct hacks.
Instead, hackers can work their way into a corporate network or database through their vendors or third parties. In the case of Target, hackers gained access to payment card information and other data belonging to 41 million people, and the retail chain paid $18.5 million to settle a multistate claim. The hack? Target network credentials were stolen from an HVAC company, a third party that worked with Target.
As general counsel at Denver-based CyberGRX, Ellis Rosenzweig is not only attuned to the nature and cause of cyber breaches, he handles the legal affairs for a company devoted to enabling businesses to manage their third-party cyberrisk.
“We are helping companies solve a problem that no one really has a handle on,” Rosenzweig explains. “A company CISO likely has a full plate dealing with their own data security, and when you add an expanding ecosystem of third parties, your risk profile increases exponentially as your attack surface grows.”
Tracing the links
Third-party cyberrisk management is a critical component of any organization’s security, but many third-party programs are plagued with the outdated and inefficient process of filling out manual and laborious spreadsheets, which Rosenzweig says drains resources and provides little insight.
CyberGRX brings efficiency, scalability, and accuracy to third-party programs with its Exchange concept, which also adds assessment data and analytics.
Simply put, by identifying gaps that exist in a vendor’s data security controls, and the likelihood that those gaps could be exploited, CyberGRX’s solution enables businesses to quickly identify which of their vendors pose the greatest risk so they can apply the appropriate level of due diligence to determine what areas require remediation.
“Most of our customers are large companies, Fortune 500 types,” Rosenzweig says. “We’ve found they have the resources and budget to allocate time and money to this problem.”
Third-party cyberrisk management was not invented by the company, but Rosenzweig says CyberGRX is changing the way this ever-increasing risk is managed. A key component of the solution, the CyberGRX Exchange allows the company to gather benchmarking data on both customers and their vendors while streamlining the third-party cyberrisk assessment.
The Exchange eliminates any need to send out static spreadsheets to be filled in every year. The innovative delivery model provides a variety of benefits, including scale, speed and shared costs, Rosenzweig adds. Once an assessment is on the Exchange, customers can simply request access to it, without having to wait for the traditional spreadsheet process. Third parties can control that access as well as share their completed assessment with upstream partners, in both cases reducing time spent on redundant assessment requests.
“The Exchange is a force multiplier,” Rosenzweig says. “It makes the third-party cyberrisk management process more efficient and effective for businesses and their third parties.”
There from the start
CyberGRX was a lure for Rosenzweig because he has always enjoyed working with early stage companies needing legal advice to scale their businesses.
“The startup scene in Denver is thriving,” he says of the local business culture. “There is ample opportunity for people interested in learning and growing in their careers.”
CyberGRX launched in early 2016 and in May 2017 Rosenzweig was the first attorney hired. He went to work standardizing contracts by creating templates, handling company transactions, structuring the corporate governance, and taking part in overall strategic decision-making.
Protecting intellectual property has been an emphasis, too, he adds, but a big initial challenge was negotiating agreements that struck a balance between growing the company and not giving away the store to large-scale clients.
While structure is needed as startups and early stage companies burgeon, Rosenzweig says it is not always welcomed.
“When you come into an early stage company, nobody wants process,” he says. “You are starting with an idea, and the first rule of business is to stay in business. You may take risks initially that you may not take when you reach $100 million in annual recurring revenue.”
Rocky Mountain home
It never seemed a risk for Rosenzweig to make Colorado his home, he says.
“I came and stayed because of the outdoors culture and the business culture,” he says.
Born in Chicago, Rosenzweig, 45, earned his bachelor’s in English literature and political science from Bucknell University in Pennsylvania. In 2003, he earned his Juris Doctor from the Sturm College of Law at the University of Denver.
His father and grandfather were also attorneys, and while he considers himself a logical thinker, Rosenzweig said he wasn’t initially sure he’d pursue a law career.
His affinity for early stage companies began when he was an associate attorney at Holland & Hart in Denver, where he helped early stage businesses, advising on all matters from formation to exit, raising money from investors all the way through to a buyout or initial public offering.
“You help solve issues, and they are not always legally related,” he says. “The other thing I like is the ability to mentor other people. I’ve been doing this for 15 years or so, and I enjoy passing the knowledge and experience on to others.”
The energy and vibe of a startup culture provide excitement, and Rosenzweig says the uniqueness of the product offered at CyberGRX is why he wanted to be part of the company’s growth.
“The thing that strikes me the most is the problem-solving nature of the job; the company is solving a problem for our customers and what I do is help solve problems for the company,” he says. “It’s a fulfilling way for me to spend my time every day.”