Veracode lands Harvard business school dean & Microsoft director Dr. Jim Cash
Posted on November 18, 2009
Application security vendor Veracode recently landed a big fish to sit on its board of directors, Dr. Jim Cash, Professor and Senior Associate Dean of the Harvard Business School. Cash sits on the boards of General Electric, Microsoft, Wal-Mart, Chubb, Phase Forward, the Boston Celtics and the National Association of Basketball Coaches Foundation. He is a Limited Partner in the LLC that owns the Celtics.
Matt Moynahan, CEO of Veracode, spent five months pitching Cash, who has turned down many board invitations, to help direct Veracode. Moynahan says he simply got Cash comfortable with Veracode’s personnel and business model.
In this exclusive LastWatchdog guest blogpost, Cash explains why he agreed to help direct a small, emerging tech security vendor.
By Dr. Jim Cash
Professor and Senior Associate Dean
Harvard Business School
My primary research and work focus has always been on how large multinational companies can most effectively exploit information technologies and the role of the chief information officer (CIO). Although I have consulted with, and served on the boards of, large public companies, I have a long history of being involved with early stage companies that show promise of significantly enhancing the ability of large companies to exploit information technology.
To make sure I understand issues faced by these companies, I conduct several sessions each year for chief information officers and the people to whom the CIO reports, designed to identify their most significant challenges. Over the last year, this group has identified and conveyed that software security poses a significant risk to their organizations. This insight has developed as more granular approaches to enterprise risk management have been implemented in large public companies.
Embedded risks
If you look at the incredible repository of software and applications that companies have assembled over the last 30 years, to not understand the vulnerability and security risks embedded in software that supports critical business functions is a big oversight. As I looked at several potential game-changing, early-stage companies last year, Veracode caught my attention because of their very unique approach to solving the problem of application security and risk management.
In looking at Veracode, there were really three areas that stood out. First, as I mentioned above, the application security space is an incredibly large domain and a critical business issue. When we consider the imminent risks within the “cyber security space”, I would say that the risk found within a business’s software portfolio dwarfs other issues.
Second, Veracode’s unique method of looking for security flaws is based on binary executable code – the ones and zeros that computers execute. This is a more effective and efficient approach to identifying the vulnerabilities within an application portfolio. Other existing approaches that look at source code permit security gaps to be masked much more easily than once the code is translated into binary, executable code. Additionally, most companies won’t give out, or don’t have access to, source code.
And finally, what I find truly unique is that Veracode is delivering this security technology in a Cloud-SaaS model. This means that rather than trying to develop software, ship it off, license it to a bunch of people and then get caught up trying to chase a lot of different versions in a lot of different locations, they are basically running it in the cloud.
Good Housekeeping seal
One could think of it as an outsource model, where the code is shipped to Veracode, run in Veracode’s centralized environment and either returned with a detailed list of issues and suggestions or with a “Good Housekeeping Seal” of approval.
The pace at which a knowledge-based service company like Veracode can “continuously improve” is significantly increased when all of the learning is concentrated in one place, rather than relying on the discoveries of developers across distributed locations and then trying to figure out how to fold them into the next software release. This Cloud-SaaS business model is one of the things that really captures my attention.
The combination of those three things led me to realize this was a company that I could learn from, and therefore provide some benefit to my targeted practitioner communities: CIOs and the executives to whom they report.
Finally, I like to choose firms that I think are poised to become public companies. I start implementing effective corporate governance practices as early as possible so that those organizations operate like a public company before they formally move into that state. This enhances their credibility with large customers and is an area in which I can add significant experience and insight.