
SecurityScorecard
How SecurityScorecard doubled roadmap attainment and saves 150 hours per quarter on cost capitalization
25% → 50%
Developer time spent on new features after strategic reallocation
150+ hrs
Saved per quarter on cost capitalization reporting
80%
Quarterly roadmap attainment, doubled from 41% within a year
"Span gives us omniscience. We can finally see who's doing what work, how much time we're spending on it, and what value it brings—then act on it."
Michael Sands
Sr. Director, Product and Program Operations
Background
SecurityScorecard is a global leader in cybersecurity ratings and third-party risk management, helping enterprises measure, monitor, and improve their security posture while reducing supply chain risk across their vendor ecosystems. The company serves more than 3,000 customers worldwide, including 70% of the Fortune 500.
Mike Sands, Senior Director of Product and Program Operations, oversees product, engineering, and design operations—requiring accurate visibility into development activities for both operational planning and financial reporting.
Challenge
SecurityScorecard needed real visibility to plan accurately and hit roadmap goals
Like many fast-growing engineering organizations, SecurityScorecard lacked visibility into how development time was allocated across different types of work. Engineering managers estimated time spent on new features versus bugs and maintenance, but these estimates didn't match where time was actually going.
The result was a planning challenge. In Q4 2024, SecurityScorecard achieved 41% roadmap attainment—delivering less than half of committed features. Without accurate data on time spent, it was hard to set realistic commitments or explain delivery gaps to go-to-market teams.
“A year ago, we lacked clear visibility into engineering activity,” says Sands. “That made it hard for our go-to-market teams to feel confident about delivery timelines.”
SecurityScorecard also faced a time-consuming cost capitalization process. Their previous vendor required a three-day turnaround time for reports, and couldn't generate them in a timely manner. Every month, multiple engineering team members had to spend several days reconciling data. Sands estimates that every quarter, over 150 hours were spent on coordination between finance and engineering, including manual work reconciling data and spreadsheets.
Solution
Span delivered decision-grade insight and fully automated cost capitalization
SecurityScorecard implemented Span in early 2024. Today they leverage the platform’s quantitative and qualitative insights for many use cases, but Sands highlights two that solved their most pressing challenges.
Investment Mix provides automated visibility into how engineering time is distributed across new features, bugs, incremental improvements, and maintenance. By connecting directly to SecurityScorecard's Jira and GitHub systems, Span automatically captures work activity and categorizes it, revealing the true distribution of time with objective data.
Cost Capitalization automates the R&D capitalization process. Span tracks engineering time at the epic level, applies capitalization rules through smart filters, and generates audit-ready reports. SecurityScorecard worked as a design partner on this feature, helping shape the capability to meet their specific needs.
Results
More innovation, stronger execution, and 150 hours returned to the business each quarter
Strategic reallocation enabled innovation
The data revealed that 50% of engineering time was going to bug fixes—significantly more than estimated. This insight enabled a strategic decision that had been impossible without accurate visibility.
When Avesta Hojjati, SecurityScorecard’s CTO, joined in late 2024, Span allowed him to get up to speed on his organization quickly and understand where there were challenges.
By using Span’s data, engineering and product leadership was able to drive a strategic conversation with the board, where they agreed to set a new target to shift resources towards innovation. In less than one year, developer time spent on new features increased from 25% to 50%—exactly as planned. The strategic reallocation was only possible because Span provided visibility to identify the problem and track progress toward the goal.
"Span is the most valuable internal software we have."
Avesta Hojjati – CTO
Roadmap attainment nearly doubled
With accurate capacity planning based on real data, SecurityScorecard improved from 41% attainment in Q4 2024 to 80% in the most recent quarter—nearly doubling their ability to deliver on commitments within one year.
This improvement rebuilt trust between product and go-to-market teams. Sales and customer success now felt they could count on roadmap commitments, enabling better customer conversations and more accurate planning.
Quality improvements eliminated code freezes
Leadership also made a deliberate investment in quality: hiring automated QA engineers across squads, changing deployment processes, and replatforming technology to reduce technical debt. Now, the team catches issues earlier, reducing the time spent on customer-facing bugs from 15% to 10% within one quarter.
The quality investments delivered tangible operational improvements. SecurityScorecard had traditionally implemented a two-week code freeze at the end of each quarter to reduce risk. This past quarter, they eliminated the code freeze entirely.
"Our go-to-market teams had learned to trust our releases," explains Sands. "We learned to trust our releases by identifying the issue with quality, and the only way we were able to do that was by adopting Span."
150+ hours saved per quarter on cost capitalization
The cost capitalization transformation eliminated manual work entirely. What previously took over 600 hours per year now takes approximately 15-20 minutes per month. The VP of Finance and engineering leaders no longer spend days rectifying data or uncovering problems during audits.
"Now we can do that in about 15 to 20 minutes because we can just generate a report, identify the issues, and keep a real-time track of how much we're capitalizing," explains Sands.
"The transformation in our cost capitalization process has been remarkable. We went from spending days each quarter reconciling spreadsheets and chasing down data to having real-time visibility into our R&D investments. Span gives us confidence in the numbers, and makes our audit process significantly smoother."
Terry Nwosuocha – VP and Corporate Controller
Cultural transformation
Span became what Sands calls the "lingua franca" for how product, engineering, and design communicate about work. Span is now deeply embedded in SecurityScorecard’s operating rhythm, providing a shared source of truth that enables more productive conversations about priorities and trade-offs.
Looking ahead
SecurityScorecard continues to leverage Span as a foundation for engineering operations and financial reporting. Finance and engineering teams rely on real-time data to automate manual work, while product and engineering teams use investment mix insights for strategic allocation decisions each quarter.
"It is one of the few vendors that I will recommend to people unabashedly," says Sands. "The partnership with Span has been remarkable. The product team has been incredibly responsive, and we value the design partnership to help shape new innovations."
For SecurityScorecard, the combination of accurate data, automated reporting, and cultural alignment has positioned the engineering organization for sustainable high performance.
