The following interview is a conversation we had with Ian Amit, CEO & Founder of Gomboc, on our podcast Category Visionaries. You can view the full episode here: $5 Million Raised to Build the Future of Cloud Security Remediation
Ian Amit
I’m great, Brett, how about yourself?
Brett
I’m doing great and I’m really excited. But before we begin, I got to ask Gomboc,, what does that mean?
Ian Amit
Yeah. Everyone asks that super geeky story about it. It is a hungarian origin from a hungarian mathematician that came up with a three dimensional shape that is monomonostatic. It’s basically a self writing object. And the origin story of Gombach is that we’re self writing security. So super nerdy, super geeky. But that’s the story of the company.
Brett
Hey, it has a meaning and it has a purpose there. It’s not just some random words that you threw together. So that makes me a little different from some of the other companies that I’ve spoken to.
Ian Amit
Yeah.
Brett
Now, I want to start off with some questions about your background before we dive into everything that you’re building there. So, the first question. I see that you were in the IDF. Jeff, let’s talk about that experience. I’m sure you learned a ton. I know it transforms your life, but what’s, like, the number one, or maybe like, two big things that you walked away with from that experience?
Ian Amit
Great question. And again, I’m not your typical cyber entrepreneur, founder practitioner. That came from the 8200 units in the IDF. My path was fairly boring, if you can call it. I started in the air Force in flight school and ended up a ten company commander. The main things that I learned from there is really about leadership. It’s about making quick decisions in kind of the fog of war and a lot of responsibility. And again, leadership in the field with people from all walks of life. So, again, a lot of super inspiring kind of leadership stories and decision making.
Brett
When you were in the IDF, did you always know that you were going to go and build a career in security? Was that obvious for you, because I think a lot of the people I talk to, that does seem to be the obvious path. You spend your time in the IDF, and then you move on and either found a security company or joined a security company. Was that the master plan or what were you thinking at that time?
Ian Amit
So I started in security, actually, before I was recruited, and the IDF, for me was, as I said before, not a typical 8200 story. Intelligence forces where people are kind of building up their entrepreneurship or cyber career. For me, the IDF was totally kind of a break in the middle of my very short career. Until that time, I used to be a hacker, used to tinker around with computers and hacking to things. And the IDF was actually a four year pause as far as anything that’s concerned with technology and security, unless you count security on the physical sense of things. So it wasn’t really kind of a path defining experience for me. It was much more of a, I would say, personality building experience and other experiences in leadership.
Ian Amit
So, no, when I finished my service in that, yeah, entrepreneurship was not really in the cards. It was essentially having to relearn or catch up of four years of missed out technology and advancements and insecurities. So not really your, as I said, not the typical origin story of an Israeli in cybersecurity makes a lot of sense.
Brett
Now, I see you’ve worked at a bunch of different companies, you’ve been an advisor, you’ve been a board member at a bunch of different ones. What ones do you want to highlight? What ones do you want to focus on here? Just for a couple of minutes, so we can learn from those experiences. Are there any that come to mind?
Ian Amit
Yeah, I like to tell the story in a narrative. So, as I said, I started as a hacker before I was recruiting into the IDF. I was just tinkering with computers, and I started finding out how security works later on in my career. I’ve spent a lot of time as a pen tester, kind officiating this practice and realizing that this is a professional I can take on and actually get paid for things that I would do anyway. And my career was.
Ian Amit
I filled a lot of roles throughout my career infosec, as I said, from Pentester to Red Teamer, leading security research in several companies, ending up kind of transitioning to what we call the customer side, ending up leading application security at Amazon, and finally at sort of the top of the scale, so to speak, as a chief security officer, as a CISO at Sempras, the big public company here in the US, spanning businesses worldwide. So again my career is essentially the story of stepping up the ladder one step at a time, building a lot of experiences and learning from the field, working with a lot of hands on until you get into upper management then its mostly more strategic thoughts.
Brett
It seems like a ladder up until November 22 when you decided to found a company. Then I described that as a bridge that youre crossing now or jumping over. So lets talk about that transition. What have you learned from making that transition from a CISO to a founder?
Ian Amit
Steven? Again this is not my first company that I was a founder. As far as startups go, ive had one back in 2004, five that lasted for a couple of years. So again not my first foray in that. Having said that, again, I’ve worked, especially when I was in executive roles. I still work with a lot of startups. I love working and kind of helping people build startups and especially when they solve real problems in security. You’ve mentioned the advisory positions and the board positions. That’s mostly what kind of the side gigs I was doing on top of my day job. And at some point I was like, you know what, it’s been fun and games, kind of living through other people.
Ian Amit
But now all the stars have aligned and this is the right time for me to instead of finding my next executive role in another big company, it’s basically all right. Instead of solving the security problem for one company, let’s solve a part of a problem that I’ve experienced myself for the past four and a half, five years or the entire industry. That was basically the jump into a startup. Again, no startup is like the other. So your description of jumping is definitely app and sometimes it feels like jumping into a void, not necessarily crossing a chasm. But yeah, that’s been the story and I’m sticking with it.
Brett
So at a high level in that introduction there, I said cloud security remediation. Do you want to expand on that just so our listeners can better understand what the company does, what the platform does and the problem that you’re solving?
Ian Amit
Yeah, absolutely. And again, the real origin story is sort of leaving myself living through the pain, living through that, the problem definition as we call it. And at Sempras, ive had opportunity to run security for 15 different businesses through a centralized security group security practice. And one thing I noted, especially as I was reflecting over those four years over there, is that ive managed to build a really good understanding and visibility into all the 1415 businesses, cloud deployment and everything that was wrong about them. However, the biggest challenge that I faced Washington fixing things. Security typically doesn’t have the authority or the capabilities or the know how to actually provide the fixes, nor they should, because DevOps is typically responsible for those environments.
Ian Amit
And we ended up sort of negotiating and horse trading with, all right, let’s prioritize this and beg for that, and ask DevOps to do this. And I realized that the other side, DevOps or the CIO’s, the ctos, those fixes weren’t really top of mind for them. So it was always deprioritized. Hence the negotiation and the ticket jockeying back and forth. I realized this is a big problem because the issues that we’re talking about are fundamental issues. They’re configuration issues of basic settings in the cloud environment. And that’s the number one cause for cloud breaches. And in my mind, getting back into the hacker mindset and the engineering mindset, it is a finite problem. This is not something that is unsolvable, it’s a big problem, but it’s finite.
Ian Amit
And then I realized, all right, this is prime for innovation and automation, and this is definitely something that a machine should be able to fix and alleviate all of that oil and work around the engineering side in a way that would help engineers rather than stumble them. And that’s how I set up Vanbach. It’s basically a solution that’s designed to provide contextual remediations, fixes at the code level that address configuration issues in your cloud deployment.
Ian Amit
They are super easy to deploy, and we’re essentially providing another virtual devsecops engineer to every team that knows everything about the cloud, that knows everything about the application that’s being deployed, and knows everything about security and manages to provide code changes and basically commit or prs back into the infrastructure code that describes cloud environment in a neat, repeatable, accurate fashion, so that someone on the other side, instead of trying to figure out how to do this, just has to review it, approve it, and be done with it.
Brett
When did you land your first paying customer? How many months did it take from when you launched?
Ian Amit
Oh, it took a year. It took even a little over a year. So this is not your typical oh, lets build a security product thats a single pane of glass. You choose how to spell pane, which is essentially a bunch of scripts that utilize the information from under security products and gives you a leg up on something. And my investors will hate me for saying this. This is actual deep tech where we’ve had to build AI algorithms that did not exist before, they only existed in the academic world. And as such, they didn’t really work in a commercial environment. So that was a pretty heavy lift. We have an automated way to ingest cloud documentation from the provider.
Ian Amit
We have an automated way to our cloud configuration from customers infrastructure as code templates, and an automated way to match those two things together and basically apply a security policy that generates contextual code changes that are suited for that customer environment. So there’s basically no signatures, no shortcuts, no blueprints to rely on. We have to tailor everything to each and every customer’s environment. So again, the promise was really great. And even though I knew it was going to take some time to build the actual platform, it took a little more than I thought. Hence the slightly over a year between the time were funded before we close our first customer. So, again, not your typical happy story. Oh, six month mvp, wham, bam, thank you, ma’am. And we’ve got paying customers. It was quite a heavy lift.
Ian Amit
And thankfully, we still have really phenomenal design partners that stood by us and provided feedback all along the way, and that allowed us to be really accurate and provide solutions that actually address real world problems that csos are experiencing.
Brett
I think what you described is something that I face, and I think every founder faces, you know, that things are going to take twice as long, they’re going to cost twice as much. You factor that in and somehow it still takes twice as long and cost twice as much. I don’t know how that math works, but that’s the case no matter what.
Ian Amit
Exactly. Yeah.
Brett
Now, how would you describe your marketing philosophy?
Ian Amit
Good question. I’m not a marketer. I’m not coming from that field again. I’m coming in from a security executive and practitioner perspective. I would call it sort of, I don’t know, in your face realistic. My language, no b’s. This is what we do and this is what we don’t do. We’re very adamant. I’m very adamant about saying or kind of framing the context in which we operate. I refuse to try to become a jack of all trades. We’re going to solve all your problems. But the marketing really addresses a real world pain. I’ve been there, I’ve experienced it myself in a couple of roles as an executive leader practicing security with companies that deploy into the cloud, including companies that build the cloud.
Ian Amit
So the marketing is really very much aligned with my personal story and the story of a lot of my peers that are experiencing that pain. It’s an interesting approach because we’re really solving two problems here. One problem is the classic security issue of I have exposure, I have some liability in terms of misconfigurations in my cloud environment and I need those to be solved. There’s a lot of compliance drivers around there’s a lot of attack surface drivers around there, and we’re also solving a resource problem. There are certain product categories like soar that are built around the fact that there are a lot of bottlenecks in existing processes. Having to work between security and DevOps and coordinate that and prioritize, these are things that we’re basically solving. And there’s a huge debate around AI and how it affects the workforce.
Ian Amit
We’re right there in the middle of that debate because what we’re doing is we’re providing, we’re doing a lift of the grunt work a lot of engineers are forced to do right now. And we’re essentially freeing up engineering resources so we’re not just another security feature or tool that helps you line up your environment and make it compliant. We’re also going to be freeing up ftes both on the security as well as on the DevOps side. So that’s where really the marketing plays out.
Brett
I want to ask a little bit about your time as a CISO. So when you were a CISO, can you just paint a picture for our audience of what it was like in terms of the marketing that vendors were doing, the sales efforts that were coming from vendors? Like what was it like from your perspective being on the receiving end of all this marketing and all this sales that vendors were pushing your way?
Ian Amit
In one word, painful. There’s a lot of bad marketing out there and that doesn’t really represent the entire industry, but that’s the loudest and the most obnoxious, I would say, marketing approaches. I used to get phone calls straight up to my cell phone of people trying to pitch me just out of the blue, random stuff with zero regard to what I actually need or what im actually doing and what the companys operating. So my personal experience there carries a lot of battles, cars so to speak, and its probably affecting the way that were doing marketing ourselves. I refuse to nag people. I refuse to add them to endless mailing lists and kind of bombard them with relentless questions. Everyone I talk to I end up asking, hey, you tell me when do you want me to follow up?
Ian Amit
If you don’t want me to follow up at all, totally fine. I’m going to save us both the hassle. But again, during my tenure as a Ciso, I’ve seen everything from completely out of the blue relentless zero context pitches to borderline illegal. Definitely from an SEC perspective of basically trying to bribe you with presents and gifts and all sorts of things and shticks that, I don’t know, maybe work on some other people organizations, definitely not public ones. But yeah, I’m carrying quite a bit of scars from bad marketing back in the days.
Brett
This show is brought to you by Front Lines Media podcast production studio that helps B2B founders launch, manage, and grow their own podcast. Now, if you’re a founder, you may be thinking, I don’t have time to host a podcast. I’ve got a company to build. Well, that’s exactly what we built our service to do. You show up and host, and we handle literally everything else. To set up a call to discuss launching your own podcast, visit Frontlines.io slash podcast. Now back today’s episode. What were some of them that got through? If we think through some of the vendors that were able to, you know, rise above all of that noise, obviously we don’t have to talk about, like, specific companies here or anything like that, but was there a pattern with the vendors that did rise above all that noise?
Ian Amit
Yeah, there’s definitely pattern. And then the patterns essentially take a couple of minutes to take a deep breath and do a little bit of homework. Doesn’t really require a lot of work, but trying to understand what’s the company’s operating environment, what’s the history of the company, of the executive that you’re trying to approach, do a little bit of digging. Everything is out there on the Internet and come up with an approach that is not, hey, let me sell you something. But it’s kind of inquisitive, is kind of, hey, I’ve noticed that you guys are operating in this and that field. I know that you recently started using this and that product might be interesting to hear your experience about it, or we’re operating in an adjacent field that might be useful for you guys if you haven’t covered it yet.
Ian Amit
So anything to create some sort of context that would allow me to say, huh, okay, no, that’s great. I have to spend 15 minutes and just hear about this or tell you a little bit about this problem domain and see if you can actually relate and answer it. So it’s really about listening. It’s about doing a little bit of homework. And the initial pitch is basically, hey, if it’s okay, let’s strike up a conversation and see if there’s a fit here. And be honest with what I’m describing as far as my needs and requirements do not match up to what you can provide. Point me to somewhere else that you might know that might be able to do that. Promise you’re going to be on my good list and I’m definitely going to remember that wherever you go.
Ian Amit
So definitely one thing that I’ve seen that cut across all the good vendors that I’ve had a chance to work with and I’m still in touch with a lot of those companies and individuals who work there.
Brett
It’s interesting because it’s not rocket science what you’re describing here. It’s actually very logical and it’s simple really. Right. It’s take time personalized. Don’t just blindly spam. Remember who’s on the receiving end like it’s a human. I think that’s very interesting that it’s not some like crazy tactic. There is nothing there that you described that cost hundreds of thousands of dollars or a specific tool that they need. It’s really just take the time and be thoughtful.
Ian Amit
Absolutely. And you know what, I get challenged by people who claim this is a numbers game. You got to shoot 1000 bullets before something hits. I was like, you know what, you’re right. This is a numbers game. And if you aim correctly and you do your homework, you’re going to get a much higher hit rate for the shots that you do take versus just spamming the entire world and their sister trying to hopefully nail someone that you know with a pitch that is completely out of context and misguided. So I tell them, yes, it’s a numbers game and I you’re in control of some of those numbers so make it count.
Brett
What I see is sometimes people forget that just because someone doesn’t respond, like that’s not the worst case scenario. Like the worst case scenario is they don’t respond and they hate you or they’re annoyed. They don’t hate you but they’re annoyed by your emails or your text or, you know, whatever it is. Like that’s the real damage there. It’s not the worst case scenario that they just don’t reply, it’s that they have no interest in ever engaging with you again. And I think a lot of the people who are doing all this kind of mass spamming, they seem to forget that.
Ian Amit
Absolutely. And by the way, the real worst scenario is if you do get answer and the answer is dont talk to me ever again. I just put you on the blacklist, either you personally or the company that hired you that allowed you to operate in such a way.
Brett
Yeah. So the stakes are high there.
Ian Amit
Yeah, absolutely.
Brett
Lets talk a little bit about your market category. So is your market category cloud security remediation, or how do you think about the market category that youre in?
Ian Amit
Yeah, thats a great question. And one of the biggest challenges that we have, we dont necessarily have a defined market category. As I said, its cloud security remediation. If you try to look it up, the analyst firms wouldnt have a good description and a good analysis of that space. Theres a lot of noise around it, surrounding it right now because theres obviously great capabilities as far as the detection goes, but almost nothing when it comes to remediation. And a lot of vendors are trying to move into that space because they realize theyre basically creating a liability at some point for their customers, for their cisos again. And ive been there, and some of my peers are being very vocal about, I do not want any more detection.
Ian Amit
This is becoming a liability for me to know more about the issues that I have in my environment. A hard enough time fixing the stuff that I do know about that remediation space is prime for innovation. Theres a couple of small players right now that, like Gombach and one or two of my competitors, theyre operating there and were surrounded by a lot of noise of companies that claim to do remediation enablement orchestration of remediation. No one really tries to solve the root of the problem and really alleviate the root cause. Theyre all trying to, again, kind of orchestrate and basically automate a lot of the ticket jogging that we used to do.
Brett
Do you view it as mission critical for the analyst firms to eventually recognize remediation as its own category, or is that not mission critical to what you’re aiming to do here?
Ian Amit
I don’t know if analyst firms have anything mission critical, but it’s definitely mission critical for organizations that are dealing with security. It’s essentially a way for them to rapidly reduce, if not eliminate, an entire attack surface that is currently attributed as the number one root cause for cloud breaches. So when I’m talking to my peers, when I’m talking to even CIO’s and DevOps engineers, they recognize this is a huge problem. It’s definitely something that needs to be solved. Sometimes they’re like, yeah, if that would have worked, this would have been amazing. And that’s typically how our pocs start, with a lot of skepticism, and then they realize, oh, you know what, those are pretty darn accurate and saves us hundreds of hours of engineering.
Ian Amit
So, yes, it is mission critical and you add station, you see a lot of movement from the big providers, the platform providers, trying to shift left, trying to push left, realizing that just coming up with alerts and detections is kind of extensive usability at some point, and you have to keep pushing left to actually fix those issues. Otherwise you’re just creating more problems rather than solving them.
Brett
To date, what do you think has been the most important go to market decision that you’ve made?
Ian Amit
It is defining our target audience as the security leaders. We keep iterating over the thoughts because we’re very engineering heavy. Again, we’re delivering remediations at the code level that show up as git pull requests and git commits. That is super engineering. That is something that 90% of security teams do not even touch or do. So the subject or the end user of our solution is essentially DevOps. However, the go to market decision to go to security is still the most important one that we did. And I keep challenging, and I keep doubting myself whether that is the right decision. So, as of now, after many deliberations and various revalidations, that’s 100% the critical go to market decision. Securities is the customer.
Ian Amit
Security is the one that owns the liability and owns the pain from a compliance perspective, from an exposure perspective, from an inefficiency perspective. And we’ll keep iterating around it, because DevOps is the ones that benefiting the most, realizing that they’re freeing up hundreds of engineering hours per year by utilizing our solution.
Brett
And then, is that the CISO you’re selling to or trying to target? Is that the head director, VP of cloud security, who is that senior security leader that you’re targeting in your communication and your messaging?
Ian Amit
It’s basically all of the above. It is a sort of director level and above, I would say, Persona really depends on the organization and kind of the hierarchy in it. It’s definitely someone who owns the security for cloud. So, as you said, sometimes it’s vp cloud security or something of that nature. Most of the times it is the CSO, because that’s an area that ends up being board reportable, so to speak, and that’s a liability that’s being carried around and is sustained quarter over quarter, sometimes year over year, as far as cloud security exposure, that needs to be accounted for and managed.
Brett
What about from a funding perspective? So, as I mentioned there in the intro, you’ve raised over 5 million to date. What have you learned about fundraising throughout this journey?
Ian Amit
Fundraising is fun. No, it’s not. And remember, we raised rc round back in November 22, basically at the bottom of the dip where everything was crashing down. Having said that, fundraising is all about maintaining and communicating with investors and remembering that its never just about technology, its about who do you want to have by your side after the dust settles and the money hits the bank account. And that is something that I realized fairly quickly. I was talking to a lot of VC’s. I have been working with VC’s for quite a while before that as an advisor, as angel investor myself, and switching roles and putting myself in the founder position. It quickly dawned on me that I need to pick the right people to be at my side, especially in the early phases.
Ian Amit
Seed round the future a round, because these are people that youre going to rely on for advice and to have a very good open relationship with. And its not just about the checkbook, its about the collaboration and the ability to gain value from. So even though weve had opportunity to raise money from several different investors, I ended up choosing the ones that I had the most kind of personal connection and understanding that, yes, these are the people who can challenge me and who I can challenge and ask the hard questions without having any fear that I’m going to be, I don’t know, reprimanded or kind of stepped over because they have some stake in the company.
Brett
Now, based on your experience building this company, your experience as an advisor, as an investor, as a CISO, let’s imagine that founder comes to you and they say, Ian, I want to build cybersecurity technology. Based on everything that you’ve experienced, what would be the number one piece of advice that you’d have to give them?
Ian Amit
Number one piece of advice would be to talk to as many cisos as you can and listen. Listen very carefully. As I said before, solving problems that were created in a lab and no one really cares about, is cool, is very geeky, but doesn’t really translate into a business. And I’ve seen many companies kind of rise and immediately fall or stay on life support because they solve very geeky technical problems that, again, no one really experienced or weren’t a priority. Maybe they were, true, but they were just not a priority for anyone. And they’re bigger fish to fry, so to speak, in a typical company’s security strategy. So talk to a lot of cisos.
Ian Amit
We end not to be very scary, and a lot of us, at least a lot of my peers, are very open to spending 1520 minutes with a founder that is trying to validate, that, is trying to get a sense of what matters and what doesn’t matter and that feedback. And again, even for myself, I consider myself someone who’s been in the industry for quite a while, but spent a lot of time at the CISO seat even. I insisted on speaking with new people that didn’t know me and didn’t have the bias of kind of patting me on the back like, hey Ian, great, you’re building a startup. Of course this is super relevant because I know you.
Ian Amit
I insisted on talking to new cisos that I haven’t methadore, challenging them, asking them about this space and that space and how did they live through the problem? Where does that problem meet them to actually build a solution that fits real needs from real companies?
Brett
Final question for you. Let’s zoom out three to five years into the future. What’s the big picture vision here?
Ian Amit
Big picture vision actually goes beyond security. What we’re doing is essentially taking away a lot of the coil and the grunt work that engineers are doing when they’re building and maintaining their cloud environment. Right now we’re addressing the security aspect of it. In the future, we can take the same policy engine that we’ve built and deployed and made it accessible for security needs and open it up for other policies like resilience and performance, and even cost. In a sense, we’re trying to change the way that people are deploying to the cloud, almost as if. And again, this probably ages me, but anyone who programmed in assembly or classic NCC knows that they needed to manage memory by hand. Like every bit, every byte, every allocation had to be well maintained and groomed and accounted for.
Ian Amit
While when you program in a modern language, you don’t need to think about memory management, the language takes care of that for you. And this is what essentially we’re trying to build. And again, three to five years, you’re not going to be needed to account for security needs when you’re building in cloud environment. You’re not going to be inundated with having to make sure that certain performance characteristics or resilience characteristics are being met. You can just define that as a policy. Hey, I want to make sure that I have a certain level of performance.
Ian Amit
I want to make sure that I have a certain level of resilience in terms of all my production applications are deployed in multiple availabilities, multiple regions, and we will just take care of that for you and you won’t have to tinker and toil relentlessly with the minutiae of configurations. Thats our grand vision that go beyond security and free a lot of those again, grunt work, engineering DevOps work thats being done right now and free them up to do higher level work.
Brett
Amazing. I love the vision and ive definitely learned a lot. I think any founder listening in, especially those who are trying to get the attention of cisos, are going to find this episode to be extremely valuable. Ian, we are up on time so well have to wrap here before we do. If there’s anyone listening in that just wants to follow along with your journey, where should they go?
Ian Amit
Probably LinkedIn. That’s the number one place where I post a lot of kind of my thoughts and experiences. It is fairly unfiltered, especially for LinkedIn, so brace yourself. It’s not going to be all rainbows and sunshines. I also have a Twitter account, but that’s mostly marketing so definitely LinkedIn. Just look me up.
Brett
Amazing. Ian, thanks so much for taking the time.
Ian Amit
Absolutely. Thanks so much, Brett.
Brett
This episode of category visionaries is brought to you by Front Lines Media, Silicon Valley’s leading podcast production studio. If you’re a B2B founder looking for help launching and growing your own podcast, visit frontlines.io podcast and for the latest episode, search for Category Visioners on your podcast platform of choice. Thanks for listening and we’ll catch you on the next episode.
Twitter
facebook
linkedin