
Floor & Decor carpets its security with Contrast

    

Floor & Decor — the hard-surface flooring retailer based in Smyrna, Georgia that has blossomed to $4.26 billion in annual revenue since its 2000 founding — is on track to see a strong 258% ROI after three years of grounding its security environment in Contrast Security solutions, according to an IDC Business Value Case Study commissioned by Contrast Security*. 

Floor & Decor has rapidly grown into what it is today: a 200-store chain with 12,000 employees that places #764 on the Fortune 1000 and which, according to Investors Observer, is currently the highest overall rated company in the home improvement retail industry. 

Floor & Decor must have exquisite taste in security solutions: The retailer is on track to realize benefits worth 3.5 times what it invested in Contrast’s full platform. After crunching the numbers along with Darius Radford, security architect at Floor & Decor, IDC concluded that the investment will have a three-year ROI of 258%, with payback arriving within just five months. 

As Radford explains, what led Floor & Decor to Contrast was a need to better understand the company’s security environment, to identify risk and to comprehensively protect business operations.

Locking down customer data

A top priority for Floor & Decor was to protect customer data from being compromised, Radford told IDC analysts. Specifically, the retailer wanted to strengthen security for its retail stores and point-of-sale (PoS) systems. 

That’s understandable: Retailers are currently grappling with a plethora of payment system malware. One recent example was the ransomware attack that hit NCR PoS systems in the hospitality industry in April, reportedly forcing restaurants and other businesses to resort to pen and paper in order to send data to the head office. Another: In October 2022, two PoS malware variants were used to siphon payment terminal credit card information for 167,000 cards.

Securing such systems from these and other attacks can be a grueling task, given challenges such as being inundated with false positives and needing to scan for threats and instructions faster, more seamlessly and in real time. 

In the fall of 2020, the growing home improvement brand turned to Contrast for help in managing its burgeoning security needs. 

The retailer wound up implementing four Contrast solutions, in both its production and development testing environments, in order to ensure cross-organizational operational security. 

The tools have some overlap, but Floor & Decor chose each for specific objectives. "We use Contrast Assess within our testing environment to test our [application programming interfaces, or APIs] and find out what vulnerabilities exist, and [we] use Contrast Protect in our production environment as a layer of protection for our APIs,” Radford explained to IDC. 

The four solutions the company implemented and where/why it’s using them: 

  • Contrast Protect: to harden security around store servers, PoS systems and the API ecosystem. Floor & Decor is also using Protect to transform its Application Security (AppSec) organization.
  • Contrast Assess: Floor & Decor is using this scanning tool, which continuously detects and prioritizes vulnerabilities and guides users on how to eliminate risks, in order to lessen the problem of too many false positives and to provide zero-time results in identifying security threats through real-time monitoring, including for its API ecosystem.
  • Contrast Scan: The company adopted Scan to protect increasing volumes of data and transactions as the business has grown.
  • Contrast SCA: The retailer integrated this Software Composition Analysis (SCA) tool into its Jenkins development pipeline to secure its software supply chain, by readily identifying critical and high-importance security vulnerabilities and seeing where third-party components are introducing security exposure.

Implementation started with a few stores near Floor & Decor’s headquarters, in Smyrna. Implementation and functionality went well, so the retailer expanded its use of Contrast across its other locations and PoS systems. By the time Radford talked with IDC, Floor & Decor was using the Contrast Platform to secure more than 150 stores.

He found the rollout pretty straightforward, he said, because "Contrast is not a difficult tool to implement, and we used Kubernetes and our containers to handle the deployment."

The retailer has used limited professional service support from Contrast Security to support its implementation and to develop plans for future use.

The biggest bangs for the buck

In order to quantify the value that Floor & Decor is realizing from its Contrast Security solutions, IDC identified these two core areas of value:

AppSec staff efficiencies: “Not only have Contrast Security solutions allowed Floor & Decor to implement AppSec operations that meet its operational and business needs, but they have helped team members work more efficiently, thus allowing team members to focus less on security scans and remediation work and more on actual support of business operations,” IDC reports. “Radford estimated efficiencies for his team at around 30%. This results in AppSec team efficiencies worth an average of $80,000 per year over three years.”

Incident resolution efficiencies in development activities: Reducing the major vulnerabilities that DevOps team members have to address and reducing false positives that suck up their time in research has led to significant time savings: what IDC says was 94% on average. That ramps up overall productivity of the affected DevOps team members by an average of 13%, IDC says. And that, in turn, saves a sizable chunk of cash when it comes to incident response: what IDC pegs as being worth an average of $696,300 per year over three years.

Bye-bye, backlog

According to Radford, Contrast has helped Floor & Decor largely clear up its backlog of known security vulnerabilities, which lowers business risk and means less staff time is spent on identifying and handling such vulnerabilities. 

According to IDC, given the number of major business applications protected by Contrast solutions, “this equates to a 92% reduction in the number of applications with known security vulnerabilities.”

"We've gotten rid of almost all of our known vulnerabilities with Contrast,” Radford says. “We now only have one application left with these vulnerabilities.”

Faster/easier scans with less wasted time

He cited other major benefits Floor & Decor has seen from using Contrast, including:

Faster, easier security scans with Contrast Scan: "We're spending less time on scanning during releases with Contrast because the number of vulnerabilities has gone down." In fact, the average security scan time has gone from around one hour down to between five and 10 minutes with Contrast Security solutions, he says, making scans 88% faster.

Contrast/Jira integration: The integration has likewise slashed the time required for team members to remediate issues. “What used to have to happen is that we had to create a Jira ticket and put the spreadsheet in the Jira ticket and explain the vulnerabilities for each one,” Radford recounts. “Now, that is integrated with Jira. Contrast automates all of that, and we just have to tell it which Jira group to put it in."

Less developer time gets wasted: The development team spends about 94% less time on vulnerabilities that crop up during development. "We've gone from a couple hundred of these situations of vulnerabilities needing to be remediated over a number of years to basically zero with Contrast,” he says, noting that each of these vulnerabilities can require weeks, if not months, of staff time to fully manage and mitigate. 

Radford also appreciates how Contrast has helped the retailer meet security and business challenges: "One of the things we like about Contrast is that they seem to always get places before we do,” he notes. “I like it when my vendor gets there before we do, versus me getting there and having to ask for help with something."

The peace of mind that comes with protection

Simply put, it’s a good feeling when a security vendor has your back. "There's a certain level of assurance and knowing that we're protected,” Radford muses. 

Can you put a dollar sign on that feeling? … as in, the assurance that your business is protected? 

It’s tough to quantify, but it’s not impossible to estimate: IDC points to IBM’s Cost of a Data Breach 2022 report, which estimates that a single data breach cost a company an average of $9.44 million in the U.S. in 2022.

ROI, payback, saved time, slashed chances of pricey breaches: It’s a floor plan for peace of mind. 

To view the full IDC Business Value Case Study* (doc #US50839123, June 2023), please visit the customer success page.

Lisa Vaas, Senior Content Marketing Manager, Contrast Security


Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.