Time To Market or Time For Better Security? Which Side Will Win?

Has Security Become A Greater Priority Than A Product Launch?

“Look, people, we need to get this product out now.”

“Sir, we haven’t finished pen-testing the latest beta code.”

“Pen-test? We don’t have time to practice our writing skills; we need this out now. I promised the board and our investors that we will be a hit at the show next week.”

“Sir, the product will not survive a day in the wild.”

“Huh, I don’t plan to go fishing with the darn thing! Make it happen, people.”

Many early successes in the Internet age came about by companies coming to market first with their version of the “next great thing.” Time to market meant the product sort of worked as is; the clients didn’t seem to mind a half-baked solution.

Yes, this did happen. Many underfunded VC-backed companies only had enough funding for the initial launch of the internet-saving device and enough cash to sponsor the company field trip to Las Vegas. If the company had a successful launch and captured enough market buzz, Cisco or someone else would acquire them within six months.

These “slingshot” startups were more incubators and less about solving real-world business problems. These startups did serve a valuable purpose in many industry prospects, just not for the clients.

Meanwhile, the CEO and COO touted sales up 245% since the initial launch. (Mind you, during the initial launch, many products were sold at a 90% discount just to get in the door.)

What Changed?

How did the tables finally turn? When did security become top of mind ahead of the high-speed slingshot launch of a beta-at-best product?

It happened when corporations began to see their new solutions getting pounded by cybersecurity attacks within minutes of the public launch. From script kiddies to full-blown DDoS attacks, organizations watched their well-manicured brands tumble even before their launch-day media circus was over.

All the conspicuous hacker groups had already flooded the internet airwaves with their latest conquest of destruction.

In an about-face, the next day, these slingshots needed to go back to the drawing board, review their SDLC (software development life cycle), and see where to embed critical security components along with a strategy for the products to “survive” beyond the initial day of release. Companies discovered that, in many cases, they would have to re-develop and re-write code to accommodate security controls and functionality. Some companies folded up and closed their doors because the cost and effort became too great.

CEOs and CIOs know that security and product confidence make the brand. Customer confidence is built around security, reliability, and confidentiality in data protection. Having had the privilege of working for four startups in my career, I can see differences in culture between these companies and their DNA around security: a day-one security mindset versus a “when we get a chance” mindset.

Many corporations have moved their development houses to a DevOps model promoting a security-within-every-sprint culture. This step revolutionized software development and integrated security, supporting the rapid deployment strategy. Many clients continue to integrate white-box, gray-box, and black-box pen testing in various stages of the Agile development cycle.

Companies choosing this agile sprint approach tend to receive early positive peer reviews, clients more willing to trust a 1.0 product, and the channel’s willingness to onboard a new vendor within their sales strategy.

Security is about the brand, not just the product.

Until next time,

John

*** This is a Security Bloggers Network syndicated blog from Stories by John P. Gormally, SR on Medium authored by John P. Gormally, SR. Read the original post at: https://jpgormally.medium.com/time-to-market-or-time-for-better-security-which-side-will-win-17caf1ce1566?source=rss-160023698d42------2