The Rising Need for Fractional AppSec Teams in Small Companies

The Challenges Faced by Small Companies in Software Security

One of the fundamental principles of secure-by-design software development is to integrate security concerns right from the start. However, for small companies that build software, accessing and affording the necessary application security expertise can be a significant challenge. As a result, these companies often develop and release software without giving much thought to security. By the time these startups grow big enough to hire application security professionals, it is often too late to implement secure-by-design practices, as their software stack has already accumulated a substantial amount of security technical debt.

Kymberlee Price, who has extensive experience in product security and application security teams, explains that small businesses struggle to compete with larger companies for experienced application security professionals. These professionals are in high demand and are often hired by tech giants like Microsoft, Amazon, Apple, and Google. Small companies do not have the resources to compete in this market, leaving them at a disadvantage when it comes to securing their software.

Solving the Problem with Fractional Security Consulting

In an attempt to level the software security playing field for startups and smaller businesses, Kymberlee Price and Jon Callas have launched Zatik, a fractional security consulting firm. Zatik aims to help companies access unicorn-level application security expertise on a part-time basis, allowing them to establish and implement a security program.

While virtual Chief Information Security Officers (CISOs), who typically focus on enterprise and compliance issues, are prevalent in the market, Zatik takes a different approach. The firm concentrates on building products securely by design, integrating security controls into the DevOps pipeline, Continuous Integration/Continuous Deployment (CI/CD), and other relevant areas.

For early-stage companies, Zatik offers a comprehensive package to build an entire cybersecurity program. Price and Callas help these companies secure the developer experience and provide recommendations and introductions to other partners as needed. As Zatik scales, the founders plan to bring in more staff and rely on a network of partners to offer expertise in specific areas.

The Significance of Security-by-Design Ethos

Zatik’s ultimate goal is to help smaller companies develop a security-by-design ethos right from the outset. By getting involved in these companies’ early stages, Zatik ensures that security is ingrained in their growth and is part of their DNA. This approach differs from traditional security approaches, where security teams arrive later and impose changes on established practices.

Kymberlee Price believes that working with small companies presents an opportunity to make a significant impact on security in the tech world. The engineers hired and managed by these companies will have a solid foundation in secure-by-design practices, making it the norm rather than an afterthought.

Editorial: Bridging the Gap with Fractional Teams

The emergence of fractional security consulting firms like Zatik is a promising development in the field of cybersecurity. These firms address the gap between the need for application security expertise and the limited resources available to small businesses.

Startups and smaller companies often struggle to allocate enough resources towards building a robust security program. Full-time security professionals are not always necessary, especially in the early stages. Fractional teams allow these businesses to access highly skilled experts on a part-time basis, addressing their immediate needs and evolving with their growth.

However, it is crucial for companies utilizing fractional security teams to understand that security should not be an afterthought or a temporary measure. It is essential to integrate security-by-design practices into the fabric of product development from the very beginning.

Additionally, while fractional teams provide valuable expertise, it is essential for organizations to cultivate security awareness within their own teams. All employees, especially developers, should understand the importance of security and be encouraged to incorporate security practices into their work. This will ensure that security is not solely reliant on external consultants but becomes an intrinsic part of the company culture.

Conclusion: Nurturing a Culture of Secure-by-Design

The demand for application security professionals is high, and small companies face significant challenges in accessing and affording this expertise. Fractional security consulting firms like Zatik present a viable solution by providing access to unicorn-level AppSec expertise on a part-time basis.

By developing a security-by-design ethos from the start, small companies can establish a strong foundation for their software’s security. It is crucial for businesses to embrace this approach, working closely with fractional teams to integrate security practices into their development process.

Ultimately, the success of secure-by-design software development lies in nurturing a culture where everyone involved, from developers to executives, considers security a priority. Only through comprehensive and consistent efforts can smaller companies effectively mitigate security risks and protect themselves and their customers in an increasingly challenging and interconnected digital environment.
