Everyone loves buying new tools (or not). It feels good to be able to use a new platform or technology to address an issue in the organization. But almost everyone hates the chaotic buying process that comes with many enterprise purchasing decisions. It does not help that the sales experience varies wildly between projects and vendors.
While it might be your first time through the process of evaluating tools to solve the issue of secret sprawl, especially leaks into public GitHub repositories, GitGuardian has helped hundreds of enterprises find the right solution in far less time than they first imagined. We understand the common hurdles anyone adopting a new solution faces, including how to communicate the value and urgency of solving the issue as you build a case for any new tech. We are happy to help you navigate these waters as well.
It all comes down to defining success, showing results, and getting the right buy-in for moving ahead.
Evaluating via a POC
Most enterprises require a formal evaluation process where a Proof of Concept, POC, must be performed when making a purchasing decision. Historically, this has meant bringing various vendors on-site, a lengthy installation process in a specially provisioned environment, and hours of training before the actual evaluation can start.
These kinds of engagements have left a lot of folks, understandably, hesitant to engage with vendors early in their evaluations. Often, teams start creating pages of requirements and questionnaires, which they hope will be helpful later on in the procurement process. Unfortunately, this approach leads to even longer evaluations because when they see a solution in action, finally grasping the problem holistically, there are always new questions they could have never anticipated.
While it is always a good idea to do a thorough investigation of any tech you will be relying on, especially for security, we think there is a better approach that can get you to a decision much faster and with far happier stakeholders.
Defining success with the right players
We see the buying process as a journey. All great journeys start with knowing where you are going and knowing who will be in the traveling party. After all, Gandalf didn't just push Bilbo out the door without a plan; he gathered the full party together and showed them the map before they ever stepped out of the Shire.
Instead of spending days in isolation, guessing at how to talk about the issue of secret sprawl, you can spend that same time gathering the right players together to get on the same page about the scale and scope of the issue. We are happy to help with this discussion using the reports and research we have assembled, trusted, and relied on by the AppSec community for years now.
We can help you understand the risks you realistically face and potential missteps in previous attempts to address the symptoms. In just a few short hours, sometimes all on the same day, we can help you build an evaluation guide and success criteria to evaluate solutions to secrets sprawl. The goal is always to help you understand your current risk and how you can best lower it.
Next is the part that many people who have had a bad POC experience dread: the actual installation and testing.
Results in hours, not weeks
So many teams have struggled with the POC process, in our opinion, due to enterprise solutions historically requiring a lot of setup and team buy-in before you can even begin to see any results. If a solution takes weeks to become operational in your environment and requires dedicated time from, let's be honest, an overworked team, then that POC is going to stretch out for longer than you anticipated, even when you take into account Hofstadter's law.
With the GitGuardian Platform, most organizations can expect to see initial results in minutes, not days. Defining your perimeter is extremely quick and straightforward. If you are trying to get a handle on secrets leaked to public repositories, then the actual integration and testing require almost no work from your end, take just a few minutes to perform, and you will only need to spend your time verifying the results. If you are evaluating GitGuardian Secrets Detection for your internal repos, a full historical scan of a large and real repository might take a few more minutes to surface any issues over a new, small example repo, but the results will be fully actionable. We find out customers are often surprised by how low touch and unobtrusive fully integrating GitGuardian can be.
Once you have your results in hand, faster than you might have spent just coming up with questions; otherwise, it is time to take those findings to the rest of the organization and continue to the procurement step.
Justifying the decision to buy
At the end of many traditional POCs, you will have a spreadsheet full of results and more questions than you started with. Even if you do have everything you need at this point, the next hurdle is getting the internal buy-in to go from identifying to adopting the solution to your secrets sprawl problem.
When evaluating GitGuardian Public Monitoring, we give you actionable insight into your state of public secrets sprawl. The report includes a high-level overview of the developers defining your perimeter, the commits scanned, the actual secrets that have been leaked over time, and more.
We will also give you an analysis of the secrets we found, including showing you how many we found to be valid, a breakdown of severity levels, the number of sensitive files found, and more.
While we are just showing the highest level of the summary report here, our team is happy to dig into the findings in detail, answering any and all questions along the way. Importantly, we can help you put these findings in perspective for the next important step, communicating the risks of not fixing these issues.
Communicating Risk
Every department and every team leader cares about the same thing: risk. Managing risk and making sure any efforts lower risk in some way. However, every team and leader likely defines risk differently. For your legal team, legal risk and compliance risks are likely top of mind for any endeavor. For the Board of Directors, it is all about managing the investors' risk and keeping business risks at a manageable level while still taking enough risks in the marketplace. To get anything done in the enterprise world, you need to find a way to communicate and align with the risks of all sorts of stakeholders.
We have worked with companies of all sizes and complexity and understand deeply how secrets sprawl poses risks at every level. We can help you answer any questions and show the clear return on investment that solving this problem will bring and in terms they will comprehend. We are happy to assist in the educational process with lunch and learns, executive briefings, and customized learning engagements, no matter how large or complex your organization is.
If you are not quite ready to engage in a conversation about the issue, then we invite you to use our basic Value Calculator to get a sense of the scope of the issue.
The Value Calculator is a rough estimate tool. We would be happy to meet with you to get you a personalized and much more detailed calculation.
Helping you fix today's problems today
Buying security tooling carries an urgency that does not come with many traditional IT decisions. Spending an extra few weeks when testing a new rack of servers does not normally carry a risk of compromising your customer data and valuable cloud resources while you wait. Getting the right solution to solve your issues at scale shouldn't wait weeks or months to evaluate and even longer to implement.
Secrets sprawl is something that should be addressed sooner than later. Let GitGuardian help you get on the road to solving it today. Reach out and let's solve this issue together.