The Tech Herald

IT and the economy – Ounce Labs

by Steve Ragan - May 5 2009, 17:55


Previously, in a series of articles set to run the month of May, The Tech Herald asked vendors to comment about what they are seeing with regard to the economy. Continuing the discussion, Gary Jackson, President and CEO of Ounce Labs, spoke to us about how application security is a top priority despite tightened budgets and how a new pricing model, introduced in 2008, is helping its existing and prospective customer base.

Since 2002, Ounce Labs has acquired clients such as the DOD, GAO, Apache, GMAC, and others, by focusing on locating security vulnerabilities within the source code of networked applications.

Ounce identifies vulnerable applications on several levels, then, based on granular risk assessment, prioritizes those applications according to how business-critical they are. Once that's done, it helps with remediation of the vulnerabilities by offering detailed advice. The product demos on the company Web site offer more detailed information.

You can view them here based on three security roles: Executive, Analyst, or Developer.

TTH (The Tech Herald): Has the economy and fear concerning the economy impacted your business at all?

GJ (Gary Jackson): We have definitely been seeing the effects of that fear, but for us, it has turned out to be more positive than negative. Belt-tightening brings with it prioritization of spending, and we are finding that security, and application security in particular, remains a top item… If there has been a downside, it is that the initial projects tend to have a smaller budget associated with them. As a result, some of the initial deals are also smaller, but are simple to price and deliver with our new pricing and licensing model.

TTH: If it has, what are five initiatives you implemented to help manage the impact?

GJ: Adjusted the license and pricing model to allow organizations to get started with a smaller initial investment – although we had done this prior to the economic fallout as a way to better address the needs of our end customers.

Worked with security consulting firms to deliver “Assessment as a Service” for those companies that need to secure a single application, quickly, and with a fixed cost. This helps them with internal justification for the investment, and ensures their short term success with the project.

Focus on education. Using Source Code Scanning to make your environment secure is a relatively new process for most companies. They need to know best practices, and what results are realistic. We are working hard to create familiarity with the problem, our product, and the process through which they can really leverage the value of the suite and their own expertise. 

Changed our marketing initiatives to a more viral approach, again focusing on education through training videos, blogs, and participating in the security social networks. With more work and less budget, we have seen that the asynchronous consumption of product information and the self-serve personalities of these highly tasked teams are making them ideal candidates for a new and more open sales strategy.

Adjusted engineering priorities to target ease of deployment and rapid results. Once the client gets through that first small project, they routinely return with an expectation of fast expansion to other teams or applications. The engineering team has focused on simplifying that scaling, in order to realize that second purchase as quickly as possible on the heels of the first.

TTH: If it has not, why? What are you doing to take advantage of this sudden fortune as others feel the heat?

GJ: I think that it has not impacted us as negatively because we were already along the path of accomplishing much of this change when the real difficulties began to set into the market.  We began talking to clients and analysts about the new pricing and licensing in August, so that we were in a good position for the stronger period of downturn.  It was rewarding to see that the product's functionality was being seen as more appropriate in the market, and that the pricing and licensing was more than just an added benefit, it was the enabler of some deals that could easily have slipped.

TTH: Has the economy impacted your vertical markets?

GJ: The economy has certainly affected the IT spending patterns of the financial services and retail sectors, where we are doing a great deal of business in security, audit, and compliance. Again security continues to receive higher priority, and there is an additional focus on reducing fixed costs, which has caused an increase in business for our partners, among whom are both large and boutique service providers.

We are finding that the fact that we partnered with many security consultancies that have other practices to offer is giving us a real advantage over some competing vendors who are doing most of the services themselves. While our area of security is very important, particularly to us, the ability of an Ounce certified partner to also perform penetration tests, or system updates, or forensics, has expanded our partners' efforts in those verticals while it has increased our exposure.

TTH: How are your customers looking at security and how are you helping them lower costs while still giving them what they are looking for?

GJ: Fortunately for us – and our customers – we had already started the process of addressing cost last year when we announced that we were radically revising our pricing and licensing model. Clearly the current economic conditions are impacting our customers’ budgets, but businesses also recognize the importance of maintaining and improving their security systems despite the economic downturn.

We decided that we wouldn’t sit by passively while thousands of companies remain exposed, when they could be benefiting from these advanced security tools. We intend to accelerate enterprise adoption and make source code analysis more accessible for every company concerned with application security, from the smallest shops to the largest enterprises. The new pricing model, and our extensive partnerships with leading security consultants, will ensure that every organization can afford, deploy, and capitalize on source code scanning to protect their critical data.
