Over the past few months, I’ve experienced an increased interest in DevSecOps from midsize enterprises, so I was especially interested in attending Neil Wynne and Paul Furtado’s session “Outlook for Midsize Enterprise Security and Risk Management 2019” at the Gartner Security & Risk Management Summit in National Harbor, MD this week.
Gartner defines midsize enterprises as companies with less than $20 million in IT security budget. At that size, they have up to 30 people in IT, which means that 57 percent of this group do not have enough security staff to warrant a CISO. This means the CIO is accountable for cybersecurity in most midsize enterprises.
According to Gartner, midsize enterprises spend an average of $1,089 on IT security per employee. About 6 percent of the IT headcount is dedicated to security, so you have to have at least 17 people in IT before you start dedicating a full headcount to security. Below that water mark, it’s only partial headcounts. That’s a lot of security areas to cover for very little headcount, and you can completely forget about 24/7 coverage for security operations. To make things worse, the midsize enterprise is hit even harder by the InfoSec skill gap because they often cannot compete with Fortune 500 salaries and benefits.
Paul Furtado, Sr. Director Analyst at Gartner, recommends the following guidelines for addressing these challenges:
Before Paul joined Gartner, he spent decades working in the trenches in midsize enterprises. Most executive leaders ask why they should be spending dollars on security. I loved his response: “I’m not taking a dollar from you, I’m protecting the dollars for you” This is a great mind shift that I can absolutely see working with executives.
I also liked how he boiled down the basics of what a security program must do:
I often see security professionals over-rotate on the first item, which is most important to them. However, let’s not forget, items two and three are more important to everyone else in the business!
With very limited resources, you cannot do everything in-house. You need to outsource some of the work to be successful. Use cloud solutions and vendors that can supply you with specialized knowledge and round-the-clock coverage. As Paul summed it up: “We could do this ourselves, but it’s not a good use of our people.”
Paul summed up his recommendations as follows:
Of course, working in application security, number three resonated most with me, so I’d like to dig into this one a little and tie it back to all of his recommendations.
Key takeaways from Paul’s talk are that you cannot do everything in-house because of lack of headcount and skills shortage in InfoSec. Veracode can help you address both of these challenges.
Let’s get to lack of headcount first. Veracode is the only SaaS-native Leader in the Gartner 2019 Magic Quadrant for Application Security Testing, and we have been a Leader for six times in a row. As a midsize enterprise, you don’t have the time to set up and maintain an application security scanning infrastructure, especially if you have to support multiple geographic sites as well as high availability and scalability for critical DevOps teams. Using Veracode is like having DevSecOps on tap: You don’t have to set up any infrastructure so your developers can start scanning on day one.
Now let’s discuss skills shortage. If you only have a couple of InfoSec people on your team, you will struggle to offer specialized knowledge for developers who need help remediating specific vulnerabilities in their code, especially if your team covers a broad set of languages. At Veracode, we have a dedicated team of application security consultants that your developers can tap into to get help with their code. In addition, our security program managers can onboard your scrum teams onto our platform and help them automate the security scanning.
As a midsize enterprise, you are often subject to security scrutiny when selling to the Fortune 500, especially when the value you deliver to your customers involves software, either directly or indirectly. Veracode is the only application security testing vendor to offer the Veracode Verified Program, which helps you show your customers that you take security seriously. Many of our midsize enterprise customers even use their Veracode Verified logo as a competitive advantage. Check out some of these companies in the Veracode Verified Directory.
“You may not have the need today, but it’s well worth doing the research today.”