Enterprise Risk Management and the ISV Conundrum: No One Gets Fired for Choosing IBMIndependent software vendors (ISVs) face a tough market. While small businesses and enterprises alike are always on the lookout for the next breakout software-as-a-service or on-premises solutions, they're not willing to risk security breaches just to get a step ahead. This means ISVs must make both software security and enterprise risk management key components of every product they develop, while competing in a market filled with tech giants and long-time security partners. Bottom line? There's a reason no one ever gets fired for buying IBM; is there a way for software vendors to get the best of both worlds?

Big Shoes

According to research firm Gartner, the security vendor market is dominated by big players with heavy footsteps. IBM, for example, ranked third in the world through 2013 with revenue over 1 billion dollars — only McAfee and Symantec did better. What's more, Big Blue has now partnered with Samsung and BlackBerry to create the "Secutablet," a partitioned mobile device that allows all calls, text messages and other activities to occur outside of any surveillance technology, even when that technology is implanted on the device itself.

In other words, IBM and similar firms are trying to tap both ends of the security market. Primarily, these large companies appeal to prospective buyers because they come with track records of outstanding security. Not necessarily innovative, not necessarily cutting-edge, but solid and reliable — enough to keep the wolves at bay. Meanwhile, new ventures like the partnership with BlackBerry suggest IBM is willing to innovate where required and reach out to the emerging, cloud-based IT market.

Enterprise Grade

So where does this leave ISVs? In many respects, caught between the drive for innovation and the need for standardization. Tech giants can afford to be boring and reliable — it's why investments in IBM are never frowned upon by C-suite executives. But independent software vendors are expected to push the envelope, sometimes at the cost of security. And there's the catch-22: Fast and loose security controls may deliver projects on time, on budget and chock-full of new features, but if they can't stand up to even basic security testing, then getting them to market is almost impossible. Spending big money on a corporate-class enterprise risk management and application security system, meanwhile, often comes with a prohibitively large cost.

The answer? Aim for the best of both worlds. A recent Forrester study found Veracode's cloud-based application security offering not only improved the "pass" rates of tested software — from 27 percent on the first try to 62 percent — but also significantly reduced the amount of time needed to detect security vulnerabilities. According to the operations manager of one surveyed ISV, "What Veracode can do in three or four days of scanning is at least a month of code review for our engineering team." Total time savings per year? Over $131,000.

Best of Both Worlds

ISVs can't be IBM, HP or Microsoft. But they can tap into the same kind of enterprise-grade security architecture that helps make these firms such popular choices among security-minded IT admins and C-suites. Customers want software that is innovative, well-coded and, above all, secure. This means security must be baked in from the very first line, never tacked on just before products are set to ship. Sure, no one ever gets fired for buying IBM, but a promotion isn't in the offering either. Veracode's cloud-based solution can help improve security at every stage of development and help buyers return to their organizations having chosen innovation over expectation.

Learn more about becoming a secure supplier by checking out Veracode's latest webinar.

Photo Source: Flickr

About Doug Bonderud

Doug Bonderud is a freelance writer passionate about the evolution of technology and its impact on companies, stakeholders and end-users alike. Want to know more? Follow Doug on Twitter.

Comments (0)

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.