From CISO to Founder: How Gombach’s Ian Amit Turned Industry Pain Points into Product Strategy
Sometimes the best startup ideas come not from technical innovation, but from living through the problem firsthand. In a recent episode of Category Visionaries, Ian Amit shared how his experience as a CISO at Sempra shaped Gombach’s approach to cloud security remediation.
Living the Problem
“I’ve managed to build a really good understanding and visibility into all the 14-15 businesses, cloud deployment and everything that was wrong about them,” Ian recalls of his time at Sempra. “However, the biggest challenge that I faced was fixing things.”
This wasn’t just a minor inconvenience – it was a fundamental breakdown in how organizations handle cloud security. Security teams could identify issues but lacked the authority to fix them. DevOps teams had the authority but different priorities.
The Breaking Point
The situation created a constant cycle of negotiation. “We ended up sort of negotiating and horse trading with, all right, let’s prioritize this and beg for that, and ask DevOps to do this,” Ian explains. “I realized that the other side, DevOps or the CIOs, the CTOs, those fixes weren’t really top of mind for them.”
This realization led to a crucial insight: the problem wasn’t just technical – it was structural. The solution would need to bridge the gap between security’s needs and DevOps’ capabilities.
From Problem to Solution
Instead of creating another security dashboard, Ian focused on automating the remediation process itself. “It’s essentially a solution that’s designed to provide contextual remediations, fixes at the code level that address configuration issues in your cloud deployment,” he explains.
The goal wasn’t just to identify problems but to generate actual code changes that DevOps teams could easily implement. “We’re essentially providing another virtual DevSecOps engineer to every team that knows everything about the cloud, that knows everything about the application that’s being deployed, and knows everything about security.”
Building for the Real World
This firsthand experience also shaped how Gombach approached product development. Rather than rushing to market with a partial solution, they spent over a year building something that truly addressed the root cause.
“We have to tailor everything to each and every customer’s environment,” Ian notes. “So again, the promise was really great. And even though I knew it was going to take some time to build the actual platform, it took a little more than I thought.”
The Strategic Target Audience Decision
Perhaps the most crucial decision was who to target with their solution. Despite creating a product that DevOps teams would use, Ian made the strategic choice to focus on security leaders. “Security is the customer,” he explains. “Security is the one that owns the liability and owns the pain from a compliance perspective, from an exposure perspective, from an inefficiency perspective.”
Lessons for Technical Founders
Ian’s journey offers several key insights for founders building technical products:
- Deep operational experience can reveal structural problems that pure technical innovation might miss
- Sometimes the best product strategy comes from living through the pain points personally
- The user of your product isn’t always your primary customer
- Understanding organizational dynamics is as important as technical capability
For founders considering the leap from operator to entrepreneur, Ian’s experience shows how valuable operational expertise can be in shaping product strategy. The key is not just identifying problems, but understanding them deeply enough to build solutions that work within real-world organizational constraints.
As Ian advises other founders: “Talk to as many CISOs as you can and listen. Listen very carefully… solving problems that were created in a lab and no one really cares about, is cool, is very geeky, but doesn’t really translate into a business.”