WhiteHat Security remakes partner program around DevSecOps skills to respond to customer asks

WhiteHat has been a long-time application security testing provider, but recognize that the trends in the market require shifting their approach, and they have remade their partner program to incent this focus in their partners.

John Atkinson, vice president of Partnerships at WhiteHat Security

In late 2017, San Jose-based WhiteHat Security announced a major reworking of their channel program, reacting to the fact that the channel had become more central to their business, and rejigging the compensation offered to increase margins and better incent partner growth. Now, the program has been reshuffled again, with the emphasis this time on incenting and rewarding DevSecOps skills.

The new change reflects shifts in the market and their impact on WhiteHat, a longtime player in the application security testing space.

“This is an evolution of the program that we rolled out in 2017,” said John Atkinson, vice president of Partnerships at WhiteHat Security. “Our customer base is dragging us in this direction. The market is asking for more than the previous program had. It wants a better focus on DevSecOps – not just application security. Customers and prospects are more interested in the DevSecOps story because just identifying the vulnerabilities is no longer enough. They need to extend to remediation and mitigation. That requires more focus by partners.”

Atkinson said that it’s a critical shift because it reflects what customers want today

“The thrust of these changes reflect the fact that it’s important to understand where the industry is going,” Atkinson said. “Just identifying the fact that you have a vulnerability isn’t enough today. In the way that applications are being written going forward, with the modern software development lifecycle where customers are continually releasing their hardware, they don’t want to roll out insecure code because they can’t rapidly address vulnerabilities. This much faster rate at which software is developed means that we need to make sure that this process is secure. An ISV can’t do that all by themselves. The only way we can pull that off is through our partner community. And that means that we need partners who can meet this capability, which in turn means that we need to help them make the transition.”

The 2017 program did offer training, Atkinson said, but it was principally focused on the traditional AppSec world of just finding vulnerabilities.

“The previous training only scratched the surface of what we want to do,” Atkinson said. “It didn’t go very deep.”

The new training is different in two ways, Atkinson noted. One is the shift in focus around DevSecOps in the training material itself.

“It goes much deeper in this area,” he said. “We look at things like what Jenkins is and how it works. There is a technical track, and the technical resources go deeper than before. There is also a sales track.”

The second component of the training changes deal with business planning.

“We have changed the way that our channel managers work with partners,” Atkinson said. “We have changed their name, to Partner Business Manager, which reflects the change in function. They work with our Level 2 and 3 partners, to understand what their business is, and build a plan around that. The goal is to help ours partners build a business around the DevSecOps space.”

The new program has three levels, with membership status determined by a combination of revenues and the partner’s willingness to build a practice around DevSecOps.

The entry level Tier is DevSecOps Level 1, which provides self-service training and tools for solution providers to start building their DevSecOps practice

“We are happy to work with transactional partners, but they will be Level 1 partners,” Atkinson stated. “When you get to Level 2 and 3 areas, we focus on partners who can help operationalize DevSecOps.”

DevSecOps Level 2 is an intermediate partnership level with dedicated resources to help solution providers with enablement and marketing as they expand their DevSecOps expertise, while DevSecOps Level 3 is an expert partnership level with a personal partnership team aligned to solution providers’ business and profitability models.

“This is where we are making our big investments,” said Atkinson, who was overseas while doing this interview, talking with existing partners about how they can expand what they have been doing.

“We are having frank conversations about where they want to go,” he said.

The heavy lifting in upgrading the compensation parts of the program were done in 2017, and those will be substantially intact in the new program, but Atkinson said there would be some tweaks.

“We’ve simplified some of the approaches on functional discounting,” he indicated. “While those programs will largely move over, partners at level 2 and 3 will find additional margin. In Version 1 of the program, when we were building it out, we couldn’t forecast what partners were going to do. Now we can help them get into higher tiers and get additional margin.”

Atkinson said that while the new program will see a major shift in approach, and probably some shift in composition of partners, they are expecting the new approach will grow the partner base.

“Our intent is to grow our partner community,” he said. “However, we want to grow the highly productive parts. We are identifying new and existing partners who want to have a DevSecOps practice. This means that we may be getting some partners from the development space rather than  traditional security. We think there is plenty of room for disruption in the partner space, and we will take advantage of that.”