Building a billion-dollar cybersecurity company
Veracode CEO Sam King is an icon in the realms of secure coding and application security, and she joins the podcast, along with Infosec CEO Jack Koziol, to discuss her cybersecurity journey, the President's directive on software security and so, so many more topics. You really don't want to miss this one, folks.
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
- 0:00 - Intro
- 3:10 - Origin story
- 5:05 - Ground floor of cybersecurity
- 7:54 - The "aha!" moments
- 12:30 - Point where you thought the industry would grow
- 14:28 - Changes implemented at Veracode
- 19:52 - Nation's approach to cybersecurity
- 24:10 - Federal government security
- 26:25 - Government oversight
- 28:14 - Secure coding practices
- 31:52 - Veracode's app security report
- 40:04 - How to learn web application security
- 43:46 - Mistakes to avoid when applying
- 47:13 - Bringing in more diverse candidates
- 51:36 - Maintaining Veracode's edge
- 54:25 - Advice to move into a new cybersecurity role
- 56:24 - Outro
[00:00:01] Chris Sienko: Today on Cyber Work, I'm very, very happy to be speaking to Sam King, CEO of Veracode. Sam is an icon in the realms of secure coding and application security. And she took time to speak with both me and Infosec CEO, Jack Koziol, about her own cybersecurity journey, the president's directive on software security, and so, so many more topics. You really, really don't want to miss this one, folks. It's all coming your way on Cyber Work.
First, I want to point your attention to an all new ebook published by Infosec. It's titled Developing Cybersecurity Talent and Teams. And it's free to read if you just go to infosecinstitute.com/ebook. It collects practical team development ideas for industry leaders, including professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JPMorgan Chase, and more. Did I mention it's free? Well, it is. Just go to infosecinstitute.com/ebook. Go get your copy and start learning today. And now without further ado, let's begin the show.
[00:01:03] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, how those trends affect the work of infosec professionals, and offer tips for breaking in or moving up the ladder in the cybersecurity industry. Sam King is the Chief Executive Officer of Veracode and a recognized expert in cybersecurity, DevSecOps, and business management. A founding member of Veracode, Sam has played a significant role in the company's growth trajectory over the past 15 years, helping to mature it from a small startup to a company with a billion dollar plus valuation. Under her leadership, Veracode has been recognized with several industry distinctions, including a seven-time consecutive leader in the Gartner Magic Quadrant, leader in the Forrester SAST Wave, and a Gartner Peer Insights Customers' Choice for application security.
Sam has been a keynote speaker at events such as Gartner Security Summit, RSA and The Executive Women's Forum on topics ranging from cybersecurity to empowering women and creating diverse and resilient corporate cultures. She has been profiled in business publications such as The Huffington Post, CNN Money, Financial Times, Infosecurity Magazine, and the Boston Globe. Sam received her Master of Science in Engineering in computer and information science from the University of Pennsylvania. She earned her BS in computer science from the University of Strathclyde in Glasgow, Scotland, where she earned the prestigious Charles Babbage award, awarded to the student with the highest academic achievement in the graduating class. She currently sits on the board of Progress Software, and is also a member of the board of trustees for the Massachusetts Technology Leadership Council, where she was a charter member of the 2030 Challenge, a tech compact for social justice, in efforts to bring more diversity to the local workforce. And also joining me today, Infosec CEO and founder, Jack Koziol. Hi, Jack. How are you doing?
[00:02:49] Jack Koziol: Doing great, Chris. Great to be on your show again.
[00:02:52] CS: And, Sam, thank you very much for being our guest today on CyberWork. Thanks for joining us.
[00:02:56] Sam King: Thank you for having me, Chris.
[00:03:00] CS: Yeah, Jack and I both had some questions for Sam today. But I'd like to start with where we start all of our interviews, which is we'd like to learn a little bit about Sam's experience and personal journey in cybersecurity. So Sam, your background in computers and tech goes back a long, long way, including a master's in computer science and even before that. So clearly, your love of computers and tech has been with you for a long time. When did you first know that computers and security were the thing you wanted to do with your life? And what was the initial draw?
[00:03:28] SK: Yeah. So I have been in computers and technology for a long time. And I think it was actually my high school in India, where I grew up, where, to be totally honest, the only room in my high school that had air conditioning was the computer room. And that was the initial draw, is that for some time period, I get to be in an air conditioned room. And computers seemed kind of cool. So I signed up for the computer class. Got to spend some time out of the heat in an air conditioned room, which was very nice. And as I learned more about the subject, it really intrigued me. The possibilities of what you can do with this technology really intrigued me. And so that's how I got my start in computers. And I chose to pursue a degree in computer science, which then led to another degree in computer science. And once I got my master's, I really was very ready to put that to real work. And so then I got a job as a consultant doing systems integration projects for a lot of our clients. And then the move to security came later, several years into my career in technology. And this was right around 2000, 2001. Somebody that I had worked with had gone on to found a security company, and they hired me at that security company. And I previously had no knowledge of what security was all about, but it seemed like an interesting field. And so I joined that company. And here we are.
[00:05:06] CS: I always think of that sort of era of security as still being kind of the Wild West in terms of – It seems like the career and the position and the process of it was kind of being built all around you. What was it like to be on the ground floor of something that people really didn't give all that much thought to in the same way before that?
[00:05:24] SK: I have to say, when I first moved from this systems integration firm that I was working for to a security company, the cultural difference between the two was so stark and almost a little overwhelming. And here's what I mean. By the time I left my systems integration consulting company, I had moved into project management. And we were developing ecommerce web applications for customers, and a lot of retail companies that were getting into ecommerce at that time, and so on. And it was all about creativity. It was about getting out functionality fast, having an engaging user experience. We didn't really talk or know much about security, right? We were all about delivering amazing experiences through these ecommerce platforms in these applications on behalf of the customers that we were serving.
And, occasionally, right as we were getting ready to deliver the project to the customer, someone might say, "Hey, has security been taken care of?" And we're like, "Sure. What do you mean by that?"
[00:06:32] CS: As long as there’s no follow-up questions. Yes.
[00:06:33] SK: Right. And so we weren't educated on the topic. And so when this person that I knew started this company and reached out to me to see if I would be interested in joining, I was like, "Security is this thing that people are starting to ask questions about. It's probably going to be important, but I don't really know what it is about. So let me go experience that." And then when I joined this security company, there were some phenomenally experienced information security professionals that had come up through the compliance and risk management ranks. I think this was still a little bit before you saw sort of mainstream developers and technologists move into security. This was more the realm of compliance and risk management at that time still. And their considerations were so different than the developers that I was hanging out with. Their considerations were managing risk. And they were always planning out all the scenarios in which things could go wrong.
Meanwhile, we were talking about how do we make the web application and the website more engaging. And like the conversations were totally different. And so that's what I mean by a really stark cultural difference between what was top of mind for the people that were creating these applications, and then when I started to hang out with the people that were concerned about security.
[00:07:54] CS: Yeah. Now, like you were saying, these were all sort of new concerns at the time, and you're sort of swimming in this sort of soup of like let's all just figure this out on the fly. Can you think of some specific moments where you finished a certain project or implemented a certain process where you're like, "Okay, this is starting to come together into a real process"? Do you have stepping stone moments like that where you said, "I really like doing this"?
[00:08:23] SK: I'll tell you about probably the first official conversation I had with a customer after officially joining an information security cybersecurity company. At which point, I have to admit, I did not know really anything about security, right? But I happened to get left alone with a customer. And the project that I was going to be managing was to develop an incident response plan for this customer. And I had read the briefing before I went to the meeting. So, of course, I had some sense for what we're talking about here and what the customer's concerns are. And the person said to me, “So how do you go about developing this incident response plan?” And I was thinking, “Boy, I wish they had asked me this question when my colleague who's a lot more knowledgeable than I am at this moment was also in the room.” But I had come from a consulting background. So I thought I'll take a shot at this.
And I said to them, "Listen, today's technically my first day on the job, but here's more or less what we're going to look to do. We're going to try to first understand what your concerns are in this regard. What does your current state look like? What do you consider to be an incident? How do you respond to it? Where do you believe the gaps are? We're going to go talk to your key stakeholders in the company. Who else gets involved in this process? And then we'll develop a point of view on this is what your current state looks like. This is what your objectives are in terms of developing a better incident response plan, and we will come back with some recommendations and some approaches on how you can close the gap between your present state and where you'd like to be. And we'll take various constituencies' concerns, considerations, desires into account as we do this, and we'll stay closely connected with you as we go through this process." They're like, "That sounds great." And I thought, "Okay, maybe I can do this security thing." Because, ultimately, what I realized was, while it feels like this dark, mysterious art, especially to people that were new to security at the time, and there's this body of knowledge, and regulations, and compliance, and terminology, and all of these things and jargon that sits behind it, at the end of the day, it's a business problem. You're trying to meet a business need for an organization. It happens to be to manage risk. In this case, it was how do you respond to an incident in a way that keeps the organization functioning, and so on? And so if you approach it from that perspective, okay, you can learn the domain while you continue to help meet the business requirements that customers have.
[00:11:06] CS: Yeah, that's got to be exciting and really feel like you've sort of broken through to something new. Jack, did you have any sort of similar things happen in those sort of wild west days where you felt like you had sort of like broken through and figured this stuff out in a way that you hadn't expected before?
[00:11:23] JK: Yeah. I mean, my whole career, and before my career, was in cyber. So it wasn't called that then. I mean, it wasn't even really a profession I think when I got into it, and I never really kind of had that realization. But I'm just curious. Sam, was there a point when you realized that this was an industry that was going to grow and become what it is today, where you have the President of the United States repeatedly talking about cybersecurity as a top national concern? I mean, I feel like earlier in my career it was something that nobody – I had to explain to people what I did, and nobody really understood what it was. And my first boss, when I was working at a bank, he told me, "There'll never be more than one technical information security person at the bank. There's not going to be much of a career here for you if you want to advance or do anything else. So you better think of some career options, kid." So I don't know if there was an inflection point in your career where you were like, "Wow! This is really something. This industry is going to grow."
[00:12:40] SK: Yeah. I would say that first year, after I joined the cybersecurity company, was instructive for me. Because when I first joined that company, like I said, it was a pretty stark difference in just the culture and the considerations that were top of mind of the people that you were working with, right? Like I felt like I'd gone from the world of creating technology to now the world of protecting ourselves in the context of those technology platforms, and it felt very different. And it took a while to sort of bridge that gap. And honestly, we can do the work today to bridge that gap between people that are creating technology and people that have responsibility for securing technology.
But over the course of that year, what I learned was, "Look, we are going to keep making use of more and more technology. There's going to be more software in the world, more applications in the world. We are going to be more connected than we've been in the past." And just on the basis of the growth that we were seeing in our own business, you could tell that this was going to stay a problem for some time, and therefore this was going to stay an area of need for some time, right?
And so I think when I first joined, like the first 30 days, I'm trying to figure out what is this security thing? And how does one be successful at it? And by the end of that first year, I had had enough interactions with both security professionals, people that had CISSPs and other degrees and accreditations in security, and customers that didn't know anything about security, to know that there's a need here, and that we're going to need talented people to go fulfill that need.
[00:14:27] CS: Yeah. Now, I wanted to – We're very excited, of course, to get Sam as a guest today, because Veracode is certainly an incredibly well-respected and very much talked about company, and we really want to get your insights. And we're really so glad you could be here today. So to start with, I wanted to sort of talk about what are some of the initiatives, projects or changes you've implemented at Veracode as CEO that you're the most proud of, and things that you're excited to talk about with Veracode in 2021 here?
[00:14:58] SK: Yeah. Well, the first thing that I'll say that we're really proud of is, in your intro, Chris, you had said that we are leaders in the Magic Quadrant seven years running. Well, actually, it's eight now. So we were named as a leader in the Magic Quadrant again when the Magic Quadrant was released just a couple of weeks ago.
[00:15:17] CS: Congratulations.
[00:15:18] SK: Thank you. That is something we're very proud of as a team, to be a leader eight years running. And, recently, I was speaking with the CISO of a large healthcare organization. And I was describing to them that we've been named leaders for the eighth year running. The comment that they made to me was, "A lot of times what you see in our industry is you see companies come into the picture or have some very innovative technology, really capitalize on it. But then as they get to some degree of scale, that innovative spirit maybe becomes less strong, and maybe you start taking what you're doing for granted a little bit. And you see people slip, right?" And so to stay in that leadership position over eight years is something that we take very seriously and we're proud of, and it's just a great testament to how dedicated our team is to the mission of software security, which everyone at Veracode really, really cares about. And it's just an absolute privilege to work with that team every single day. So that's something that we're very proud of.
And then if I think about 2021. I mean, Jack, you were saying, did you think that the President of the United States would have a document around cybersecurity when you joined security? Probably not. But I was also not really thinking that a document that is from the president's office would have words like static analysis, dynamic analysis, and software composition analysis either, right? And yet those words are present. And something like 25% of the executive order is devoted to this topic of software supply chain security.
So the thing that our team gets very excited about is that a topic that we have been driving awareness around for years, since our founding in 2006, and our founder, Chris Wysopal, even prior to that, and a topic that we've been studying and supporting people in for that period, is now getting broad-based attention. And a statement is being made that this is important. It's of existential importance, because our lives are playing out in the digital sphere more than anywhere else, especially given what we've gone through this last year. And therefore, this is something that is going to be taken seriously.
And the way that the federal government is going to approach their software procurement invariably is going to create a little bit of a domino effect, we believe, in how organizations in general start to think about what kind of software they're using. Where is it coming from? Whether the providers have done diligence on security, and so on and so forth. So I think this is a very exciting moment in time where there's this confluence of everything becoming digital, and this big recognition in light of what has happened, that this is important, that this is a piece of the fabric of our digital lives that we have to shore up better.
And so for us, we think of this as really you're going from sort of application security to software security. And what do I mean by that? Like it used to be that you could draw really clean lines around what an application is, right? And now we use APIs and we use open source code, and you've got containers, and you have infrastructure as code, where code is being used to articulate what kind of infrastructure you want to have, what configurations you want to have. And we think that it really is about bringing security to software in whatever form it presents itself, and making it easy for developers to use, but not forgetting about the needs of the security team either. Because I think what I learned on day one in this space is still true today, which is that there are multiple constituencies that come into the picture when you're talking about a topic like cybersecurity, when you're talking about software security. You've got developers that are creating it. You've got the open source community that creates so much software that gets so much reuse. And then you have security and compliance people, and now businesses and boards that have to attest to the security of the software they're producing.
So we're really excited about thinking about how do we take what we have been doing and just keep showing up in places where developers and code is and making it so easy for people to integrate this into their software development lifecycle, that if this is the right thing to do and it's the easy thing to do, why wouldn't you do it? And oh, by the way, now, the federal government is going to require that you do it too if you want to sell to them. So that's the opportunity that lies ahead for us that gets us very excited.
[00:19:52] CS: Yeah. Speaking to the executive order, I mean, pardon me if I sort of contextualize this a little bit. We have some listeners who are just sort of getting their feet wet in cybersecurity. But just to contextualize, you wrote an open letter to the Boston Business Journal. And you said of the recent executive order on cybersecurity that, "The recent Colonial Pipeline hack, which had a severe impact on the day-to-day lives of citizens across many states in the US, is evidence enough that the nation's approach to cyber defense needs improvement and urgently so." You also noted that, "The executive order is finally shining a light on the software development process," as you just said, "and highlighting how building security directly into the software development lifecycle, or not, has far reaching effects. And the administration is making clear that it is time to strengthen our standards on cybersecurity and step up our collective secure software development process." You obviously said this is a transformative moment. Can we talk a little bit about the order itself? What are your thoughts on the language and scope of it? Do you think it went far enough? It could have gone farther? Or is just the fact that it's out there worthwhile enough?
[00:20:58] SK: So I think the fact that it's out there is incredibly worthwhile. It's been a long time coming. Our founder, Chris Wysopal, I think it was 23 years ago that he testified in front of Congress when he was part of the think tank, L0pht, to talk about the risks associated with the Internet at large and technology, more broadly speaking. And so eight years after that, he started Veracode. And I joined him, and we've been talking about this topic for a long time. So for those of us that have been in this space, I think it's been a long time coming. But the fact that it is here is, I think, a noteworthy event for sure.
Now, I see it as in process. And here's what I mean by that. The executive order calls on NIST, as an example, to develop more detailed standards around software supply chain security, and it calls on other bodies to develop standards and procedures and protocols around other things that are mentioned in the executive order, right? The creation of an institution similar to the Transportation Safety Board is an example, for cybersecurity, right? The concept of how do you think about labeling for software, the way you think about labeling for other goods that we consume on a daily basis? How do you think about verifying software? I think these are all ideas, great ideas, that have been surfaced as part of this executive order, but the full definition of these ideas is going to be carried forward to those organizations, NIST being one of them that is named in there.
I also think that calling out the fact that this is going to take partnership between the public sector, the private sector and academia is really important, right? Because we've got people across multiple realms of the world that we are in approaching cybersecurity in different ways. You've got people that work in government agencies, in the US or anywhere else, that have the mission of their agency. You've got private organizations that may be for-profit or nonprofit that have the mission of their organization that they're pursuing. You have academia that is interested in studying this topic more deeply and training the future technologists on what they should be doing from a security standpoint. So I think bringing these multiple players in the cybersecurity space together to then put together our best practices and come up with what the standard should be that we should adopt moving forward, I think, is another really good call for this to make. So we are working with these organizations to share what we've learned over the years, doing this for 15 plus years here, and what are some of the best practices that we have come upon that we can share with everybody else that they can take advantage of. So I think that the fact that this has come about is a strong statement. I think we are going to see it take full definition as these other organizations do the work that's been called upon for them to do.
[00:23:56] CS: Right. And I think that comes down to – That's the sort of test of any strong statement like that, whether people actually implement on it or actually do their part of it.
[00:24:09] SK: Exactly. Exactly.
[00:24:11] JK: Sam, you kind of touched on a little bit there. I’m a little curious. You mentioned licensing or labeling of software. Are you proposing that you think the federal government should be doing some sort of labeling or licensing of software when it comes to security? Do you think that's a role?
[00:24:32] SK: No. What I'm getting at is when – So we have this program, for example, that we call Verified at Veracode, where the Verified program will work with software providers, and we'll take a look at what are the software development methodologies they're using with respect to security. How are they testing their applications? What kinds of tests are they adopting? What is their policy around what does good look like from a security standpoint? So that then we can say we have looked at this organization, this application, and we are giving them the Verified status, because what that conveys to us is that they're taking these aspects of secure software development seriously. They have these kinds of policies in place, and so on and so forth. And that provides a degree of assurance, right? That provides a degree of assurance to the person that is buying that software.
And, really, what I found is that, for those that are looking to sell their software, it becomes a business requirement to demonstrate to the people that want to buy that software, that they take security seriously, and that they have taken the necessary steps to ensure that the software that they're delivering to them meets those standards. And so there's almost a commercial motivation to go do that. And so I don't think that we necessarily need like a body that goes and does this. But I think the fact that we are raising awareness to say, “Look, software is getting consumed in prolific ways.” And there should be this understanding between people that are producing software, people that are consuming software, as to what you are getting, and what do the practices around the development of that software look like. I think that in and of itself is going to create the motivation for these organizations to go do more in this area.
[00:26:23] JK: And I think that's an interesting take. I mean, so privately, a private company can provide their label. But I always think like a toy company can sell a toy that electrifies children and fundamentally fails. There's Underwriters Laboratories. There's the Consumer Protection Bureau. There are all these things out there. But you can sell a router that is fundamentally flawed, and someone can go plug that into a bank, or a hospital, or whatever. I feel like there should be some government oversight in this to some degree. I don't know what the right answer is there. But –
[00:27:01] SK: Yeah. And I think what's emerging, if you look at the executive order, and especially if you think about the standards that are going to be created here, is, if you can create a standard of this is what good looks like, and then someone can give you assurance that I adhere to that standard, that's good, right? Because we've stipulated to the fact that the standard is good. And I can demonstrate to you that the practices that I follow and this particular application meet these standards. That gives you a degree of comfort around what you're buying. Now, software doesn't stay still, right? Constantly, you've got a new release. And it's constantly evolving, constantly changing. So this is not a one and done. That's why both the practices that you're using for your software development lifecycle as well as what you can attest to for any given piece of code, a combination of those two things, is important.
By the way, what is also important is equipping the people that are creating the software, our developers, with the right knowledge and the right tools to do this, right? Because the best form of prevention is to not have that vulnerability get into the code to begin with. So let's go tell them what good looks like. And developers have pride of ownership. They will write better code when we train them on that.
[00:28:15] JK: Where do you draw the line between what languages and frameworks should be doing in terms of security, and what third-party security assessment, static analysis, dynamic analysis tools should be doing? And then what should just be developer skill in terms of secure coding ability? I mean, I think that's something that many organizations struggle with, is where to draw those lines.
[00:28:41] SK: Yeah. So I think the developer skills piece to me is a pretty basic piece, right? Where I feel like if you're an organization that is writing code that's going to be used for a critical process, that's going to transact critical data, that, for your organization, provides any kind of an attack surface, you want to make sure that the developers that are creating that code have the right skill set around how to write secure code, right? And so I think that that's a pretty fundamental thing.
It's amazing to me that I have – earlier we talked about the fact that I have two degrees in computer science, and I got those degrees a while back. But I don't have a single course in either the bachelor's or master's curriculum that talked to me about how to write secure code. Now, that is changing. A lot of university programs are incorporating how to write secure code. We've done our part here. We actually did a program called Hacker Games, where we ran a contest for eight universities across the US and the UK and developers of the future. We gave them the opportunity to come in and compete with each other on who can find and fix the most vulnerabilities over a certain time period. We gave $50,000 in charitable donations to the institutions of the teams that won. So we did all of that, because we believe that equipping developers with the right skills and the right knowledge is pretty fundamental. And we should do that training as part of our educational curriculums. But if not, certainly, as these developers start their professional careers, right?
And then there's the concept of trust, but verify, right? So how much should a language or a framework innately have? To a certain extent, that's going to be dependent on the developers of those languages and frameworks. And I'd say that everyone is much more aware of what kind of security vulnerabilities continue to persist even when you go to newer languages, right? I think everyone knows that. And so as awareness around that increases, you would expect that as people come up with new frameworks and new languages, they're keeping security in mind in the way they are thinking about architecting it. But at the same time, just because that's the case, you still have to verify what actually came to be in this piece of code when this piece of open source code got combined with that custom code, which calls into that API, which then gets put into a container and gets deployed over there, in my AWS infrastructure, etc. So I don't think that it's any one thing. It's a combination of these things. Because there's the core skill set of people that write the code. There's the awareness and responsibility that people that are creating these technology platforms are increasingly having as a result of what we're living through. And then there is the verification process. Let's make sure that as multiple pieces of code came together, we can attest to the security of that.
[00:31:53] CS: It folds nicely into your – Veracode released its state of application security report recently, which as you expect, had some concerning info, but also suggested the state of AppSec was maybe moving in the right direction. 74% of apps were found to have some sort of flaw, but less than 25% had critical flaws and less than 5% were flaws that could be actively exploited, if I'm reading that right. So does that fit in at all with your findings? Or do you feel that people – That things are moving in the right direction? Obviously, this executive order will probably shine more light on the importance of these sorts of things.
[00:32:31] SK: Yeah. I think the executive order is important. Don't get me wrong. We talked earlier about the fact that it makes a bold statement. I think that some of the good progress that's been made around software security, frankly, precedes the executive order. I think the move to DevOps, a lot of people were concerned around, “Hey, as we move to DevOps, that could mean that more insecure code just gets deployed faster now, right?” We're increasing speed of code delivery and we're delivering [inaudible 00:33:02]. What’s going to happen with this?
And what I started to see was a very interesting shift where it used to be that you would do security testing late in the development lifecycle. You're ready to deploy the code, then someone from security comes around and says, “Hey, wait a minute. You can deploy it. We got to test it.” You test it. You find a bunch of issues, and you go back and you say, “Oh, sorry. We can’t deploy it. We got to go fix those issues.” It's frustrating for the security team. It's frustrating for the developers. So on and so forth, right?
And so then you started to see security saying, “Okay, let's integrate security testing into the software development lifecycle. Right when a developer is writing a line of code, they're in their IDE, what can we do there? Then CI/CD pipeline comes together. What can we do there?” So that you discover these problems earlier, right? And you're not discovering these problems pre-deployment at such a late stage when everyone is stressed out and it creates a negative experience for everyone. And that is the way that we've professed you do it, right? You scan early. You scan often. NIST has data that they've put out over the years where it's 30 times less expensive to find and fix these vulnerabilities earlier in the development lifecycle than if you're tackling something in production. So all of that makes sense.
But the interesting thing that I saw with the move to DevOps is DevOps was a movement that was getting adoption and a lot of momentum behind it inside development organizations, and wasn't necessarily something that the security teams had created or were pushing, right? Like it was gaining momentum in and of itself inside development organizations, because what development organizations realized was that we want to have efficiency and better operations of this code when it's going to run in production. And so we want to break the silos between development and operations. And I think therein was an opportunity for the security team to say, “If we're going to go and change our practices and our philosophies around how we think of developing and deploying code, then why don't we also include security as part of those new practices that were coming out of it?”
So I personally saw DevOps turn into DevSecOps, or SecDevOps, or whatever combination of those three things you want to call it. I saw that transition occur quite quickly, at least from a philosophical standpoint, which is that DevOps shouldn’t really be DevOps. It should be DevSecOps. If we're going to go change the way we develop and deploy code, let's also plug security in and at the same time. And I think that was a great opportunity. So even before the executive order came up, which is now saying, “Look, this is a matter of existential importance,” I think there was a movement afoot in the world of technology, in the world of development, that already was creating a really good vehicle for security to get plugged in and acceleration of security testing, right?
So now coming back to the state of software security report that you were referencing, I mean, we've definitely seen progress over the years. 25% of applications having a critical flaw is a number that is better than what we used to see in the early days. And I think it's because there's been 15 plus years of awareness around the types of vulnerabilities that will get you in trouble that can be highly exploited, training around those, and so on and so forth.
And then the other thing that we see is, “Okay, so that's good that those numbers are coming down.” It still takes people several months to fix these vulnerabilities and reduce the backlog of these vulnerabilities. So what can we do to improve that, right? One thing that we've already talked about is education. So the better educated the developer community is on security, they're going to write better code. You're going to have fewer things to fix to begin with, right? So I think that's becoming increasingly important. But then there are certain practices as well that we found to see a positive correlation with the amount of time it takes to fix. If you're scanning frequently, which really means that you've plugged this into your development lifecycle, into your CI/CD pipeline, it's part of how code gets written and deployed, it's going to take you three weeks less to fix half of the vulnerabilities that are discovered than if you are scanning infrequently. So frequent scanning is a good practice to adopt, right?
[00:37:26] CS: Yeah. And it doesn't add more time. It takes time off and it’s ultimately more efficient. Yeah. Because I think that’s –
[00:37:31] SK: Exactly. Ultimately makes you more efficient. Yeah. If you have a more mature program, where you have multiple testing techniques that you are bringing to bear, half of these flaws you'll fix 24 days faster is I think what [inaudible 00:37:45], right? So because you're looking at it in multiple ways, it gives you more assurance around, “Yes, this really matters. And I have to go fix this. And this one is manageable perhaps, right? It makes it more pragmatic.” And automation matters. If you are doing this in an automated fashion where you have part of your build process, you call into these testing technologies to be static, or whatever it is, and you've got this tightly plugged in such that a developer doesn't have to take a manual step to go do this, you've automated this, that's also going to cause you to fix these vulnerabilities faster. So it's not just that you find them in a more efficient way. It actually helps with the outcome of getting to secure software.
[00:38:27] CS: Right. Yeah. And I imagine a lot of it is just sort of reticence about changing the way you've always done it or whatever. If you hear, “Yeah, this is going to actually make your software safer, and faster, and more efficient,” like you would think that people would be like breaking down the doors to sort of make the change. But I imagine there's just a lot of, “Well, oh.”
[00:38:50] SK: There is. There is. And I think this is where the concept I was talking about earlier around building a bridge between the development organization and the security organization is really important. So like one of the things that we talk to customers about a lot and encourage as we work with them is like we want to make sure that the security team is plugged in with the architects inside the organization, with the leaders in the development community that might be thinking about that next framework, that next language, that next technology platform they're going to adopt, if security has visibility at the time when those technologies are being explored. Never mind like after they've already been deployed, and now we're trying to play catch-up. Then you can have a conversation right up front, where as you are designing the use of these new technology platforms, at the same time you can design all of these practices that we know lead to reduced time to fix these vulnerabilities. How do I automate if I'm going to use this technology stack? How do I make sure that I have more frequent scanning? And so on.
[00:39:58] CS: Yeah. The name of our show is Cyber Work. And we like to focus on the work of cybersecurity, not just the practice. So I'd love to talk, have you talk to our listeners, many of whom are just starting their cybersecurity journey and maybe are watching this because they are interested in getting involved in AppSec or software development. How would you get started in application security in 2021? What are the sort of stepping stones that you would take now? Is computer science still a good starting point? Do you learn it yourself? Where would you get started, do you think, if you started in 2021?
[00:40:33] SK: Yeah. Good question. So I actually happen to think that we narrow the talent pool for ourselves in cybersecurity too much if we have an over emphasis on STEM. And I know that you could say, well, you had a bachelor's in computer science and a master's in computer science. So, okay. But the first security company I joined, the CEO of that security company was a woman whose degree was in English. My predecessor at Veracode, I think his degree was in psychology, right? So I have clearly seen people that come out of the STEM field have incredibly successful careers inside cybersecurity. So the reason why I say like let's not over emphasize on STEM as a background is because we know that there's a talent shortage in cybersecurity. If you then overemphasize on STEM, you narrow the pool even further. What if we could broaden the types of backgrounds and domains and degree types we could attract into cybersecurity? The domain is something that can be taught over time, right? Because in any organization, you need great marketeers, you need great salespeople, you need people that are going to support the employees in that organization in a wonderful way, and you need great technologists that are going to develop really innovative technology. But it takes all those pieces coming together. So I think that's an opportunity for us to say, “If you have a degree in English, but you're interested in cybersecurity, maybe you can join in this particular role. And then if you want to go down a technical path, here's a training curriculum that we can put together that maybe moves you over to the technical path. Or maybe you want to stay in the path that you were in and have incredible contributions in security.” So I just wanted to get that out there, because I think that that creates an opportunity for us to deal with this issue around talent shortage.
In terms of what you can do to get started is – I mean, there's a lot of great material that is out there. There are organizations like OWASP. And Veracode has a community edition of our security labs capability, which is what trains developers on how to write secure code. It's a very hands-on way on how to write your code and what kinds of vulnerabilities exist in code, and so forth. So I think if you have an interest in this area, there's a lot of great information, great content in the public domain, that you can go access and get yourself smart on. And then I'm willing to bet that every security company and every application security company on the planet has more roles than they can fill in their organizations. I know our customers have people that they're looking to bring on board in their teams to manage their programs, and so on. And even if you think you don't have the direct domain experience, like go find some role in – Go apply for a role in a cybersecurity company or an application security company even if it doesn't have to do exactly what the technology aspects of what that company does, gets your foot in the door. And if you demonstrate your desire to learn and you're fired up about this category and this space, then it gives you a place where you're going to be surrounded by other people that know this that you can learn over time.
[00:43:47] CS: Yeah. Now, we are always talking about the skills gap and the human resource gap and so forth. Can you talk about some common mistakes that candidates make in trying to apply for jobs in your department, or vice versa? Can you talk about the ways that job listings are maybe sort of overwritten in ways that no one wants to apply for them because they feel like they're out of their depth? I think we hear so much about there just being this great disparity between, “Oh, I couldn't ever do that.” And they're like, “Why won't anyone apply to this? Anyone could do this.”
[00:44:27] SK: Right. Right. Right. Yeah. It's a great question. I think I'd go back to don't over-amp either on the hiring side or the candidate side on the technology requirements, the technical skill set and experience, whether you’ve done exactly that before or not. There are a lot of roles that we hire for at Veracode where I am not looking at exactly what your technical background is vis-à-vis application security. I'm actually looking at how good are you at communicating with customers? How good are you at communicating? Period. How collaborative are you? How much out of the box thinking can you do? When there are challenging issues, how do you handle yourself? Do you just persevere through it or you kind of give up? There are a lot of these aspects of how you do what you do that we pay attention to.
Now, obviously, if I'm looking for a role in our security research team, I'm not going to hire someone that doesn't know how to do security research, right? So not every role is like that. But there are a lot of roles where you are looking at those aptitude areas more so than the actual domain knowledge. So I think as long as both the hiring side can have more flexibility and just open their minds more to those possibilities, and the candidates can do that as well in terms of like, “Yeah, why can't I go try for this?” I think we can address some of those problems.
I came across a chief information security officer for a state government one time. I had the opportunity to meet her at RSA. And her job just prior to that role, she was in PR. And I thought, “That's not a bad background to have.” Because she focused a lot on communication, and she focused a lot on – And she reported that being able to bring people together to drive consensus on complicated ethical problems, or complicated policy decisions around cybersecurity, actually was a great benefit to the organization.
[00:46:49] CS: Yeah. So at the CISO level, a lot of times you're doing sort of PR to the board telling them what needs to change and so forth.
[00:46:58] SK: Evangelizing, right? Evangelism and getting everybody in the organization on board that security is not just security's job. It’s a big part of that job. So if you have a skill set that allows you to do that more effectively, you can be very successful.
[00:47:12] CS: Yeah. Now, in your bio you noted that you've worked to bring more women and diverse candidates into the tech workforce, which is something we always like talking about here on the show, as well as working with the Working Mothers Organization. And I'd love to hear more about this. What are some effective ways to bring in more women and diverse candidates? And diverse in many ways: sexual orientation, gender identity, neurodiversity, differently abled? What are some of the ways that you've seen that have been really exciting and really sort of like widened the field and brought more interesting, diverse candidates into the field?
[00:47:46] SK: Yeah. So I think you have to commit yourself to focusing on it, right? Because this is another one of these where you were describing earlier, Chris, like how come we don't have more people like this? And then you like over-amp on those kinds of descriptions? And how come you don't have more people? Like you can get into that kind of a situation here as well. And so you could say, “Oh, my gosh! Diversity is so hard to achieve. Can we really do it?” That can become a self-fulfilling prophecy. And then it stays hard to achieve, right? So I think part of it is committing to focus on it. So what are some of the ways in which we focused on it? You referenced in my intro that I'm on the board of trustees of Mass TLC. That's an organization that has taken the topic of diversity and inclusion very seriously.
Last year, a number of technology companies in Massachusetts came together and signed up to the Social Justice Charter, Veracode did too, where we committed our organizations to do various kinds of practices in this area of tracking our data, sharing our data, providing charitable donations to organizations that were looking to further the representation of the underrepresented minorities and diverse candidates in the technology industry. So that's something that we did from an organizational perspective. We do measure our data. So we look at it over a time period. We look at it on the basis of gender. We look at it on the basis of ethnicity. And even when we look at it and we say, “Gosh! We have to do better.” The fact that we're looking at it creates those moments, which says we have to keep doing better.
Now, I'm proud to say that on our executive team, we are 40% female, right? So that's, I think, a bigger number than I've seen in the executive ranks of a lot of cybersecurity companies. So we're proud of that. And we want to make sure that that's reflected throughout the organization. We also have – We build it at a grassroots level as well. So I described to you some things that we're doing organizationally, but we also have a diversity and inclusion team that's very active in doing events that raise awareness around certain aspects of this, right?
We have hackathons that we do as part of our company culture. And a very important part of the hackathon is raising funds for charities that our employees believe in. And the hackathon that we did late last year, Resilient Coders was an organization that we raised money for, where they try to get youth from black communities, Latin-X communities to get representation in technology. So those are the things that we do. And then hiring. We work with our recruiters and say, “Look, we want to have a diverse slate.” And like you make that clear to the recruiters upfront so that their exploration process, their selection process can take that into account, and that you kind of force yourself and them to speak to a more diverse slate.
[00:50:58] JK: Just kind of also talking about work and those parts, you're kind of touching on company culture, that DEI is important at Veracode. I guess if you can just think more generally back to what we were discussing earlier in the conversation was that Veracode has maintained its edge, its innovative edge. And a lot of security companies, the return on capital hasn't been that great, because they created a solution to address a specific threat. And then something new comes along, the better mousetrap is invented. Can you talk about how Veracode’s culture has maintained that innovative edge over many years and through many different owners and all that? I'd be really curious to hear about that.
[00:51:49] SK: Yeah. So, first of all, I think we picked a good problem to solve. It's a big problem to solve. I mean, who doesn't have software? And there's a lot to be done around software security, especially as software keeps evolving. You were talking to me earlier about new platforms, new technologies coming out. So I think we picked a good area, right? So let's start with that.
And then associated with that, what I found since I joined the company after Chris founded it in 2006, is that people are really passionate about our mission. Like people really care about solving the software security problem. And there are so many moments in time in our history where that mission feels so – It takes on a life that's almost bigger than ourselves. And so as an example, last year, one of our customers in the healthcare space, we were helping them with some of their applications that were doing contact tracing for COVID, right? We were helping them with applications that were subsequently going to support vaccine distributions in the United States. That makes you feel like you're connected to a big crisis that humanity was going through and you're serving to improve things for the world at large, right?
So one thing that has served us well is that our team has that passion, and that we can connect the work that we do for our customers to that passion, right? So keeping that very much in the forefront of our minds as we have evolved as an organization. We've been a private company. We were a part of a public company. We're a private company again. We've gone through various revenue bands, valuation bands. But one thing that has stayed the same through that whole time is the passion that people have for this, which keeps people connected.
And then I think the other thing is we find vulnerabilities and flaws for what we do. So one of the things that we're also always doing is constructive feedback to ourselves. So let's have the confidence of someone that is a leader for the eighth time running in the Gartner Magic Quadrant, but let's also have the humility of someone that recognizes that it's always changing in technology. It's always changing in security. So never get too comfortable. Never get too complacent. And just constantly be striving for more. I think those are philosophies that have held us well as we've gone through our various evolutions.
[00:54:23] JK: Fantastic response. I love that. Thank you.
[00:54:25] CS: So as we wrap up today, we're getting on the hour here, and this has been great. And we could talk to you for hours and hours. But I want to send you on your way and not take up too much more of your time. But as we wrap up today, we see a lot of comments in our YouTube videos, and obviously no one writes to you when things are going great. But sometimes there's a lot of despair. I don't know where to start. Or I'm stuck in my job. Or I don't really know how to make that next step. Do you have any advice or recommendations for people who might feel like maybe they're in a help desk role or they're in a particular area of cybersecurity that they feel isn't working out for them? Do you have any advice for people who want to sort of either get into cybersecurity after doing another thing or push themselves into a new direction if they feel like they're on the wrong path at the moment?
[00:55:17] SK: So, remember, we talked earlier about how much shortage of talent and resources there is in this category? I remind everyone of that, because that is the opportunity for people, right? Like if you're feeling like I can't get into this space. No one's going to give me a shot. Or I can't go beyond this level, or what have you. The advice that I would give them is make an attempt. And ask for feedback if the answer is no. Like, “Okay. I get that I'm not ready right now. But what kinds of things do I need to know? Do I need to demonstrate that will get me ready, right?” Because then you show a growth mindset. You show initiative.
And given how much dearth of talent there is and dearth of resources there is in our category, like maybe like right out the gate you may not be there. But if you show a willingness to learn, and you ask the question, there're so many opportunities in the sector that people can absolutely move forward and make progress. So it's about trying and learning.
[00:56:23] CS: That's great. All right. I think we're going to end it on that. Jack, do you have any last thoughts, or questions, or anything you want to wrap on?
[00:56:31] JK: No. Thanks so much for being on the podcast. It was super informative. And I think our audience is really going to get a lot out of this one.
[00:56:38] SK: Thank you for having me. It was great chatting with both of you.
[00:56:41] CS: Alright, I have one last question. It's incredibly challenging. It's for all the marbles. If our listeners want to know more about Veracode or Sam King, where can they go online?
[00:56:49] SK: I'd recommend people go to our website, veracode.com, where they can also see all the job postings we have open we're looking to fill.
[00:56:57] CS: Alright. Sam, Jack, thank you so much for joining us today on Cyber Work. This is so much fun.
[00:57:03] SK: Thank you for having me.
[00:57:04] CS: And as always, thank you to everyone who is listening today either at home, or at work, or at work from home. New episodes of the Cyber Work podcast are available every Monday at 1pm Central both on video on our YouTube page and on audio wherever fine podcasts are downloaded. Thank you once again to Sam King of Veracode, and Jack Koziol of Infosec. And thank you all again for watching and listening. Talk to you next week.