IDC Business Value Case Study: Floor & Decor
Floor & Decor ensures comprehensive and efficient security with Contrast Security
Location: HQ - Smyrna, Georgia
Number of Employees: 12,000
Business Value Highlights
Ensure comprehensive security of retail business and development environments in an efficient and seamless manner
• 258% three-year ROI
• Payback in five months
• 30% AppSec team efficiencies
• 13% development team productivity gain
• 94% less staff time to handle major issues related to development environments
• 88% less staff time to scan for security issues
• 92% fewer applications with vulnerabilities
“We use Contrast Assess within our testing environment to test our APIs and find out what vulnerabilities exist, and [we] use Contrast Protect in our production environment as a layer of protection for our APIs.”
Floor & Decor offers hard surface flooring and related accessories to customers through multiple channels. Headquartered in Smyrna, Georgia, the retailer has grown rapidly since its founding in 2000, with around 200 retail locations, 12,000 employees, and over $3 billion in annual revenue in 2022.
Darius Radford, Security Architect at Floor & Decor, explained that his company chose to use solutions from Contrast Security to better understand its security environment in order to identify risk and comprehensively protect its business operations. He cited the need to avoid the potential compromise of customer data as especially important to Floor & Decor.
According to Radford, the retailer has implemented four solutions from Contrast Security to ensure cross-organizational operational security: Contrast Protect, Contrast Assess, Contrast Scan, and Contrast SCA. He noted that Floor & Decor uses these solutions for production and development testing environments.
According to Radford, the use of Contrast Security solutions has enabled Floor & Decor to better identify, remediate, and avoid potentially impactful security events such as the recent Log4j/Log4Shell incident, noting that his company's applications were protected from the vulnerability even before it was publicly known. These capabilities have helped Floor & Decor develop a more mature and effective AppSec program in terms of its security vulnerability protection and remediation capabilities, especially for its API environments. As a result, his team provides comprehensive and effective security across business operations in a cost-effective and efficient manner and has established a foundation of robust security upon which expanding business operations can grow.
Based on interviews with Radford, IDC found that Floor & Decor is achieving significant value relative to its investment in Contrast Security solutions in terms of SecOps and development team efficiencies. IDC expects that over three years, Floor & Decor will realize benefits in these areas worth more than 3.5 times its investment costs (three-year ROI of 258%).
Floor & Decor has used Contrast Security solutions since fall 2020 after deciding that it needed to ensure more robust security for its retail stores and point-of-sale (POS) systems. It faced challenges common to retailers and other businesses managing strong growth, including limiting false positives and scanning for threats and intrusions faster, more seamlessly, and in real time.
By 2023, Floor & Decor had implemented four Contrast Security solutions with overlapping but also specific objectives for the use of each:
- Contrast Protect: Floor & Decor first implemented Contrast Protect to harden its security for store servers and POS systems as well as its API ecosystem and as part of its effort to transform its AppSec organization.
- Contrast Assess: Floor & Decor has rolled out Contrast Assess over time to address challenges related to having too many false positives and to provide zero-time results in identifying security threats through real-time monitoring, including for its API ecosystem.
- Contrast Scan: Floor & Decor has replaced another vendor solution with Contrast Scan to scan application source code that protects its increasing volumes of data and transactions.
- Contrast SCA: Floor & Decor has integrated Contrast SCA into its Jenkins development pipeline to secure its software supply chain by identifying critical and high-importance security vulnerabilities and understanding where third-party components introduce security exposure.
Radford noted that his company began its implementation with a limited subset of stores near its headquarters to test the implementation process and functionality. He explained that after this successful initial implementation, Floor & Decor continued its implementation across its other locations and POS systems, saying, "Everything else was fairly straightforward because Contrast is not a difficult tool to implement, and we used Kubernetes and our containers to handle the deployment."
At the time of the interviews, Floor & Decor was using Contrast Security solutions to support and secure more than 150 stores. The retailer has used limited professional service support from Contrast Security to support its implementation and develop plans for future use.
Radford cited improved protection capabilities and establishing a more mature AppSec program as the two most significant areas of impact for Floor & Decor of using Contrast Security solutions. He linked these gains from using the solutions to benefits in terms of employee time savings and productivity gains and less tangible business benefits in terms of lower operational risk.
Radford explained that Floor & Decor uses Contrast Security solutions for its cloud and API environments that drive business operations: "We use Contrast Assess within our testing environment to test our APIs and find out what vulnerabilities exist, and [we] use Contrast Protect in our production environment as a layer of protection for our APIs." These two Contrast Security solutions combine to provide what he termed "comprehensive security for APIs."
According to Radford, Contrast Security has helped Floor & Decor largely clear up its backlog of known security vulnerabilities, which lowers business risk and means less staff time is spent on identifying and handling such vulnerabilities. He stated, "We've gotten rid of almost all of our known vulnerabilities with Contrast. We now only have one application left with these vulnerabilities." Given the number of major business applications protected by Contrast Security solutions, this equates to a 92% reduction in the number of applications with known security vulnerabilities.
Reducing the number of active vulnerabilities and leveraging the capabilities of Contrast Scan have helped Floor & Decor perform security scans more readily and efficiently. Radford noted that scanning can consume significant staff time, saying, "We're spending less time on scanning during releases with Contrast because the number of vulnerabilities has gone down. When we first started with Contrast, we were spending a lot of time going through reports." He reported that the average security scan time has gone from around one hour to five to ten minutes with Contrast Security solutions, which is 88% faster.
Radford also spoke about the significant impact that Contrast Security solutions have had on development and DevOps operations for his company. In particular, he noted that the ability to integrate Jira with Contrast has substantially lowered the time required for team members to remediate issues. According to Radford, "Contrast saves us a lot of time through its integration with Jira in terms of remediation. What used to have to happen is that we had to create a Jira ticket and put the spreadsheet in the Jira ticket and explain the vulnerabilities for each one; now that is integrated with Jira. Contrast automates all of that, and we just have to tell it which Jira group to put it in."
According to Radford, Contrast Security solutions have enabled Floor & Decor to nearly eliminate DevOps staff time required to handle and address vulnerabilities that arise during the development process. IDC calculates that this team spends 94% less time addressing development-related vulnerabilities with Contrast Security. Radford said, "We've gone from a couple hundred of these situations of vulnerabilities needing to be remediated over a number of years to basically zero with Contrast." He further noted that each of these vulnerabilities can require weeks, if not months, of staff time to fully manage and mitigate. Additionally, developers wasted considerable time addressing false positives, so reducing the frequency and number of false positives with Contrast Assess has allowed them to better focus on delivering value through actual development activities. IDC's 2023 DevSecOps Adoption, Techniques, and Tools Survey shows that making developers more efficient is critical for effective application security, with 84% of respondents rating developer acceptance of security tooling as important for DevSecOps adoption. Together, these benefits mean that Contrast Security has played a key role in enabling DevOps activities and efforts to move forward with greater velocity and impact.
Radford sees Contrast Security solutions as playing a significant role in Floor & Decor's development activities going forward, saying, "Contrast is going to play a big role in our shift-left initiative for DevOps." In addition to noting the gains in security and staff efficiencies, he commented on how Contrast has proactively moved to help the retailer meet security and business challenges: "One of the things we like about Contrast is that they seem to always get places before we do. I like it when my vendor gets there before we do versus me getting there and having to ask for help with something."
Overall, Radford characterized Contrast Security as an enabler of Floor & Decor's growth and future plans. He noted that, while he could not attribute specific business gains to use of Contrast, "there's a certain level of assurance and knowing that we're protected." Although not easily quantified, this assurance of protection provides a valuable business benefit. According to IBM's Cost of a Data Breach 2022 report, a single data breach cost a company an average of $9.44 million in the United States in 2022.
“We're spending less time on scanning during releases with Contrast because the number of vulnerabilities has gone down. When we first started with Contrast, we were spending a lot of time going through reports.”
– Darius Radford, Security Architect, Floor & Decor
Based on interviews with Radford, IDC quantified the value that Floor & Decor is achieving through its Contrast Security solutions. For purposes of this analysis, IDC identified two core areas of value:
- AppSec staff efficiencies. Contrast Security solutions not only have allowed Floor & Decor to implement AppSec operations that meet its operational and business needs but also have helped team members work more efficiently, thus allowing team members to focus less on security scans and remediation work and more on actual support of business operations. Radford estimated efficiencies for his AppSec team at around 30%. This results in AppSec team efficiencies worth an average of $80,000 per year over three years.
- Incident resolution efficiencies in development activities. By reducing the number of major vulnerabilities that must be addressed and false positives that must be researched, Contrast Security solutions reduce the frequency with which DevOps team members are pulled away from their core work activities. As a result, they spend less time — 94% on average — addressing such vulnerabilities, which has led to a 13% improvement in the overall productivity of the affected DevOps team members. This results in DevOps efficiencies in terms of incident response worth an average of $696,300 per year over three years.
ROI Analysis and Methodology
Based on the information provided by Radford about the investment costs and benefits of using Contrast Security solutions, IDC projects that Floor & Decor will realize benefits over three years worth more than 3.5 times its investment costs, which would result in a 258% three-year ROI. Further, IDC calculates a breakeven for Floor & Decor in its investment in Contrast Security solutions of five months, reflecting the relatively seamless implementation process and the retailer's ability to capture value through improvements in security capabilities and team efficiencies.
IDC calculates the ROI and payback period in a three-step process:
- Measure the financial benefits directly resulting from the use of Contrast Security Software, including security staff time savings and higher productivity for DevOps teams.
- Ascertain the total investment.
- Compare the financial benefits with the total investment over a three-year deployment.
* This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee. External Publication of IDC Information and Data — Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason. Copyright 2023 IDC. Reproduction without written permission is completely forbidden.