Security Compass, a provider of tools for streamlining risk analysis, has appointed Rohit Sethi to be its CEO after receiving additional funding from FTV Capital. Security Compass founder and previous CEO Nish Balla will remain on the board of directors. Previously, Sethi was the COO for Security Compass.
The company declined to disclose the amount of funding provided, but Sethi said Security Compass is now in a better position to be more aggressive in terms of expanding the scope of its sales and marketing initiatives, including developing a channel partner ecosystem, now that the company is no longer operating on “bootstrap” basis.
Sethi said Security Compass will focus most of its efforts on organizations that are starting to embrace best DevSecOps processes. The SD Elements risk management tools provided by Security Compass are designed to collect data by integrating with source code repositories and asset management systems or pulling data from a project survey. Once that data is collected, SD Elements then applies advanced analytics to classify an application based on the risks discovered, in addition to generating recommendations concerning what remediation tasks to prioritize. Once those vulnerabilities are addressed, SD Elements will then verify the appropriate controls have been implemented.
Given all the potential issues, Sethi said SD Elements enables organizations to more efficiently prioritize their limited developer resources to improve their overall security posture. That capability should help narrow the divide between cybersecurity teams that want to address all vulnerabilities and developers seeking to strike a balance between fixing bugs and the need to write additional code faster.
Security Compass won’t be expanding into adjacent cybersecurity technologies anytime soon, Sethi said. Rather, the focus will be on adding more automation capabilities to make it easier to create workflows spanning DevSecOps processes.
While responsibility for remediating cybersecurity issues in application code is clearly shifting left toward developers, cybersecurity teams still play a critical role in identifying vulnerabilities. The challenge organizations now face is crafting a set of workflow processes around a set of best DevSecOps processes. Unfortunately, most of those processes today are constructed around spreadsheets that are manually shared and infrequently updated across development and cybersecurity teams.
The good news is awareness of how flawed existing processes are is rising. Business leaders are more focused on application security than ever. As such, the amount of budget being allocated to application security is rising. At the same time, however, business leaders also want their IT organizations to churn out more code faster than ever, and the more code there is being developed and deployed, the more difficult it becomes for cybersecurity teams to keep pace in identifying vulnerabilities. There simply are not enough cybersecurity professionals available to collect and analyze all the data required to assess their security posture. As a result, more organizations will need to invest in cybersecurity automation.
It may be a while before most organizations embrace pervasively a defined set of best DevSecOps practices. But that those that don’t aren’t likely to survive the onslaught of cybersecurity attacks coming their way.