If you’re a Veracode customer, there’s a good chance that you’ve heard of – or maybe even work with – a Veracode security program manager (SPM). For those of you who might not know, SPMs help you define the goals of your application security program, onboard your team, answer any questions about Veracode products, and work with your teams to ensure that your program stays on track and continues to mature.
If you’re just kicking off your relationship with your program manager, you might be wondering what to expect on your initial calls, and how you can make the most out of the time you spend interacting with each other. Here are a few things you should keep in mind:
How are you developing software?
To realize the value of your investment, we need to understand how your development process works. Right off the bat, your security program manager will want to talk about your existing tech stack (aka – the technology you’re currently using to make your software). There’s a good chance that your organization could be in a different place at the time of your kickoff call compared to where it was when your sales cycle closed. Yes, your account executive will tell your program manager all that he or she knows about your status at the time of closing, but in case anything does change, it’s better to hear everything straight from the horse’s mouth. Helping us understand the size of your software footprint is also key – are you licensed for 10 apps, but have a total of 300, or 3,000? How are they governed from a development and security standpoint? Having everyone on the same page on these basics is a good first step towards maturing your AppSec program.
Who are the key players?
You should also have a clear idea of what your organizational layout is, as well as who the key players are on the development and security sides. Your SPM will know who your key players are, but they likely won’t have met them and interacted with them as much as the account executive has. In addition, if your sales cycle has been particularly long, it’s possible the key players have changed. Be prepared to fill your security program manager in on everyone who has a stake in your AppSec program on the development AND security sides of your organization. Additionally, if there’s any turnover within your company down the line, knowing everyone who’s involved will ensure that SPMs have multiple stakeholders with program context who they can go to in order to keep momentum.
SPMs will also want to know the informal structure of your organization, or the “politics.” It can be helpful to know if your development and security teams are on the same page when it comes to the priority level of AppSec, or if they get along at all! The more insight your SPM has into your organization, the better prepared you can be – as a team – to work together moving forward.
Align your goals and expectations appropriately
Often, the goals that customers set up with Veracode and the goals within their own organizations tend to be two different things. Establish a list of realistic goals, and be prepared to take incremental steps to get there. Rome wasn’t built in a day, and neither is a fully mature application security program.
Once you have your manageable goals, establish who is responsible for each one, and how they’re going to be held accountable for meeting each goal. You’ll need to establish clear channels of communication and accountability internally – for example, when you’re coming up with a plan to remediate flaws, engage development and product management as soon as you have flaw scopes. Make sure that the amount of remediation you’re targeting is realistic for the desired deadline, and let development know about the remediation resources available in the Veracode platform and in the Services organization in case they get stuck. Your SPM can absolutely help you have that conversation!
When it comes to expectations, have an understanding of the driver behind why Veracode was purchased. In some cases, your buyer might not communicate the driving factor to the person running the program – maybe you! Regardless of which end you’re on, make sure that your internal plan is well-communicated with everyone who’s involved across the organization.
At the end of the day, we want you to be successful in your application security journey. By keeping these tips in mind, you’re already one step closer to success. You can find out more by talking to other Veracode customers about how they’ve found success with their application security programs in the Veracode Community.