The Business Leadership Podcast

Salli: [00:00:00] You're listening to the business leadership podcast with Edwin Frondoso

Ian: Security does one thing, DevOps does another thing. And there's a whole process.

Edwin: On one end you have, as you mentioned, a kind of a lift and shift attitude. A lot of companies are moving their infrastructure from the on prem, from hybrid environments into the cloud.

Ian: Utilizing AI Gives attackers the possibility or the ability to really multiply their efforts very easily in a very low cost manner and find new ways of attacks. Fully exploit or fully utilize a lot of attack paths that were expensive before.

Edwin: Good morning. Good afternoon. And good evening biz leaders. Welcome. To another episode of the business leadership podcast. I'm your host headwind for Novo. And today we're featuring a special episode from our future narrator mini series recorded live at the collision conference in Toronto.

In this series, we explore the future [00:01:00] of leadership, innovation, and storytelling with visionary leaders who are not just designing products, but our creating entire new worlds and markets.

Joining me today is my friend, Dr. Paul Newton. And together we'll be speaking with Ian Amet. He is the co-founder and CEO of Gomboc.ai a company providing cutting edge cloud infrastructure security solutions. Ian has over 25 years of experience in the security industry has held senior leadership positions at rapid seven, Amazon zero Fox and more bringing a wealth of knowledge and expertise to the table.

In our conversation. And we'll discuss the challenges of closing security gaps. Without a clear resolution path. Leading to inefficiencies and coordination issues between security. And dev ops teams. He'll introduce Gomboc is a solution designed to address these problems through cloud remediation. [00:02:00] Focusing on providing contextual fixes, tailored to specific customer architectures and environments. So without further ado, here we go.

We're now speaking with Ian Amitt, CEO of Gombak. How are you doing today?

Ian: Pretty good, Elwin. How about yourself?

Edwin: I'm doing well, pretty excited for this conversation. It's first off, Ian, can you share what problem is Gumbach solving in the cloud security space?

Ian: Sure. So Gumbach is really addressing an area that's untapped right now. In cloud security, we've got a lot of products and a lot of ability to understand what problems exist and what gaps we need to close.

However, no one's providing a real solution to closing those gaps. You've got tons of products that are. Filling your backlog with alerts. Security teams are left with managing those alerts and trying to figure out, alright, how do I address them? And security needs to work with DevOps to solve those problems.

Security [00:03:00] teams do not have the authority or the knowledge to actually make changes in cloud architecture and they're dependent on DevOps. Without a clear path to a resolution, to what does it mean to close a security gap, We're left scrambling. We're left doing a lot of work trying to coordinate between security and DevOps, flying tickets back and forth.

And Gombok is really designed to close that gap. We focus on cloud remediation, which means that we're providing actual fixes to problems in cloud architecture security. And those fixes are contextual. They fit the specific customer architecture and environment without breaking it while delivering that, that gap closure. So that, that's what we're focused on.

Edwin: Yeah. That's a lot to digest, just from what I'm hearing Ian. And for those who are maybe not in the security space, but within a business leadership role, there's a lot of tickets getting opened.

Ian: Correct.

Edwin: And probably not getting closed.

Ian: Correct. There's a lot of tickets getting opened. And [00:04:00] even those who are getting opened, for every one that gets opened, there's probably a dozen or more that haven't been opened even. We're talking about, let's say you have a hundred alerts. Security teams have to prioritize which ones they're going to open a ticket for.

Because there's a bottleneck Cause by DevOps teams who don't have time or the motivation to even deal with those tickets. To all the tickets, yeah. Yeah, exactly. So we're looking at, a multi faceted problem. The first facet is knowledge gap. Yeah. People don't have the knowledge on how to close, how to address those things.

The second one is process and resources. Again, security does one thing, DevOps does another thing. And there's a whole process. This is a process that is created just to appease, just to close that gap. And that process is highly inefficient. We're addressing both the knowledge problem as well as the process problem here at Gombok.

And eventually what we're doing is we're eliminating [00:05:00] the need to even open tickets while we're addressing the backlog of alerts that you don't even have tickets for.

Edwin: I imagine that the tickets that are getting created and this gap that's being filled is because the rapid growth of cloud infrastructure and utilizing old technology. Problem solution architecture and this is where entails where this opportunity is coming from, right? Absolutely. Absolutely.

On one end you have, as you mentioned, a kind of a lift and shift attitude. A lot of companies are moving their infrastructure from the on prem, from hybrid environments into the cloud.

They're bringing in a lot of old, old school, I'm doing air quotes here. Old school kind of security approaches and architectures to the cloud, which is not the case. The correct way to do it on top of that, the cloud doesn't stop. You've got new resources, new services coming up, modified services on a daily basis.

Again, expanding that knowledge gap, and [00:06:00] it's a, it's a cat and mouse game where we're constantly losing. We're constantly chasing our own tails. And again, that's where I had an awakening saying, wait. This is an engineering problem. This is a finite set of issues that I can put a machine on it and close that gap.

And that's exactly

where we're operating. That's great. Talk to me how Gombak helps the DevOps focus on the innovation and the scale, versus what we're talking about the quote unquote old school way of resolution.

So Gombak is there to really free up DevOps from dealing with?

The toil, I call it with constantly chasing the minutia of this configuration and that configuration. How do I do this? And oh, there's something changed and now I need to address it. Now we need to do some research to figure out how to utilize this specific feature in my environment where we're there to really freedom up from that by providing that AI driven mechanism that is [00:07:00] tasked with keeping up with What's going on with the cloud and making sure that your environment is always adaptive, is always kept up to date with the requirements from the security teams and are keeping your architecture clean.

And that frees up DevOps to really handle the higher level problems, architecting, solving big problems, creating and deploying applications and maintaining them. So that's how we really help them. I tend to use an analogy that might date me a little bit. The analogy basically equates that to programming in assembly in the good old days where you had to almost literally physically manage memory. Every bit, every byte of memory that you allocate, you have to keep tabs on, you have to free it up, make sure it's clean, not overrun anything else. Almost assembly and the classic C. Versus modern programming where you don't really care about memory management, higher level [00:08:00] languages, exactly, the interpreter, the actual language takes care of that for you.

This is the equal of what we're doing. We're letting DevOps and security focus on higher level problems. On again, programming in Python or Rust versus an assembly while we're taking care of all that toil, all that the equivalent of memory management, which is cleaning up and making sure that the environment is safe, clean and secure.

And by doing so, first off, Ian, I love the assembly to see because I may not look at it, but I did. See an assembly back in the nineties as an engineer. So I totally get it for those who are listening, maybe not, but we could talk about it later, but I guess with this, release of resources, as you said DevOps could really work on the real solutions, the real problems that are affecting some of those issues or those [00:09:00] tickets but be That may be resolved through Gombak, I'm assuming.

Ian: Yeah, absolutely. And in the future, we also plan to expand our policy coverage. Right now, we focus on enabling and enacting a security policy into your cloud infrastructure. But in the future, we can expand the language that we use for policy to go beyond just security. We can expand into resilience, into performance, optimization.

So again, DevOps team can say, hey, I want to make sure that All of my production deployments are done in a multi zone, multi region fashion. And just have us take care of that instead of them having to, Oh, did I remember to put that in multi region? All of

Edwin: that can be solved through it. Yeah, that's great.

I'm curious from your point of view, What do you see the future of cloud security or cyber security? What does it look like?

Ian: Oh man, I've been doing cyber security for over 25 years now. [00:10:00] If I'd had a penny for every time I did a prediction, I wouldn't need to start this company. I think we're at an infliction point where the use of AI has really benefited the attackers more than the defenders have had the ability to embrace and actually utilize it.

And again it's it's almost an unfair comparison because I came from the offensive side. I did a lot of pen testing and red teaming back in my days. And the, the reality is that an attacker only has to succeed once. That's right. The defender has to be a hundred percent.

Exactly. It has to do a hundred percent. Utilizing AI Gives attackers the possibility or the ability to really multiply their efforts very easily in a very low cost manner and find new ways of attacks. Fully exploit or fully utilize a lot of [00:11:00] attack paths that were expensive before.

Yeah. On the defensive side, however, I think that there's been a lot of effort to just slap, ai, whatever you can without really, a lot of forethought about what is the problem that we're trying to solve and what is the right algorithm, what is the right solution that might work for it.

It almost feels to me that we're still in the phase of, we just found a really cool hammer and now that's right. Everything looks like a nail. Smashing

Edwin: everything.

Ian: Smashing everything. Chat, GPT, this GPT, that, gen ai. This doesn't work like that. That's right. I think that. And by the way, that's a good thing because if I'm looking forward a year, a couple of years from now, I think we will get to that realization of, wait a second let's take a step back, Gen AI is not the only AI that we have available to use.

We've got a lot of many different algorithms and AI applications. Let's try to find, the right set of problems. [00:12:00] And solve them with the right set of tools. Again, I'm, I'm biased because in Gombak, we're not using gen AI. We're using deterministic AI because again, we're trying to solve an engineering problem with a finite set.

I don't need anyone to be creative to be generative about it. I need them to be accurate and to be able to tell me I can't do this. If there's a constraint, an engineering constraint, I don't need some generative AI to come up with a hallucinative solution Doesn't meet the reality. So I'm hopeful. I'm hopeful that cybersecurity is actually going to advance in leaps and bounds over the past, over the next 10, 12, 18 months, as more AI applications will come to the realization that they can be applied to different scopes, to different areas of cybersecurity.

We've seen some phenomenal advancement in again, enabling us to be almost super human. Especially at the SOC level, a lot of, analyzing tons of data, disparate data [00:13:00] sources, correlating all of that. Modern tools gives us almost superhuman abilities. If you were a SOC analyst back in the 90s, 2000s, and you could get the same tooling that we have today, you would probably be like, your mind will be blown right back in the 90s. That's a good example of utilizing AI. I think that we'll see much more expansion into other areas of security. That are going to help us close that gap between attackers and defenders.

Edwin: That's great. No, thank you for sharing that. I'm wondering, as I talk to many business leaders and thinking about the challenges that you're facing today and within the future, I'm wondering what are those challenges and how are you leading within your organization or even within your industry?

Ian: So the challenges are really helping our customers and helping the industry go through that paradigm shift, security and development used to be [00:14:00] completely siloed in the past with the current economy, with the current kind of change of roles and the level of. Data and knowledge and education that people have at their fingertips today.

Those are getting blurred and they're getting closer and closer together. Old school approaches are still stuck with security does one thing dev ops or development does another thing, and there's almost a barrier of communication between them. This is one of the biggest challenges that I'm seeing today.

It's that blurring off the lines. DevOps gets closer to security. Security gets closer to DevOps. There needs to be more accountability and a lot of companies are realizing that especially as they're shrinking their workforce. Sure. We're seeing lots of layoffs, which means that everyone has to do more with less and we're seeing roles expand beyond the boundaries that, that we used to set up for them.

And that's a big challenge. There's a knowledge gap to solve. There's [00:15:00] a, almost a culture gap to solve within organizations these days that have to operate on that. gray area of security and development and be actually effective around it. We can't sit still and still, expect security to just, give advice or make demands as far as, oh, you need to make this secure, without having the accountability and the ability to actually come in and get their hands dirty and make, do something about it.

That's really one of the biggest challenges that I'm seeing in my space as well as in other spaces in security. Yeah,

Edwin: Those challenges, it seems as you mentioned, it's a paradigm shift. It's almost like two things that came to mind, and I'd love to get your quick thought on it. It's like a new role is coming together.

But there might be some loss in expertise as well. On the fringes. If you if DevOps is coming towards security and security is coming towards DevOps there's going to be some lost knowledge, but maybe, and I don't want to fill in your words, but maybe that's where the AI is coming into play, sir.

Ian: I, [00:16:00] I truly think it is, and again don't get me wrong. DevSecOps, one of those roles that were supposed to be a mashup of security and development. I think that's not going to be a role in the future. You're either coming from development with that deep development and architectural understanding or you're coming from security with the deep understanding of risk management and security and offensive and challenging the paradigm, but both roles need to have some crossover.

The DevSecOps role, I think that's a classic role that can be filled with AI. Yeah.

Edwin: And

Ian: as you said, on the fringes, on the far ends, AI can really fill in. In that, some might claim that this is taking, taking jobs off the market, but it's creating, I would actually say it's freeing us up to deal with higher level problems.

It's freeing us up. The same thing that, that the industrial revolution, we don't have cotton pickers anymore. That's [00:17:00] okay. Yes, there is a transition period. Yes, it is painful. But as we educate, as we learn. And groomed the next generation and the existing generation to deal with those shifting roles.

I think it's better off for everyone. A hundred

Edwin: percent.

Ian: I

Edwin: agree. I am curious as we are doing future narratives, future narrator, what Ian, what is your vision of the future that you're building?

Ian: The future that I'm building personally really goes into that area of, as I mentioned before, let me free you up.

From dealing with the nuances with the small things. These are the tasks that an AI can really help us. And I'm sure that you just as well as I do. You're using some AI tools to again just to skip. The boring parts of your job summarizing things. You know creating some content and then providing your personal kind of artistic or expertise [00:18:00] around it.

That's the future we're building at Gombok and we're just trying to make sure that companies and organizations can be better served. And, in, in my vision, I'm seeing myself as tasked with removing an entire attack surface, which is currently the number one root cause for cloud breaches.

So it is a tall order, when I'm putting it down to the basics, I'm only dealing with the low hanging fruit. The fact of the matter is, all those attacks are abusing the low hanging fruits, the stupid misconfigurations that we as humans tend to do, especially with an expanding knowledge gap.

This is exactly where AI can come into play, rid us of that need to keep up with the small changes. And allow us to operate at higher levels.

Edwin: Yeah. And no one wants to be stuck with the minutiae of socket level security. Ian, this is great. I'd love it if you could share any final [00:19:00] thoughts, advice for any business leader, could be tech leader, executive founders that that, that's listening today.

Ian: My personal advice. And again I've started Gombok after spending four or five years and as an executive, I used to be a CISO. In my past, my best advice is don't come up with a solution in a lab, don't come up with a solution in the basement, in the garage, whatever it is, from a technical perspective.

Again, we can geek out. All day. On that, on, yeah, exactly, on, on, on the beauty of a, again, of a beautiful technical solution to a problem that no one cares about. Talk to the people in the field. Understand what is the pain. I came to the realization and it always pains me to say, that the problem that I'm solving is first and foremost, a resource problem and only then a security problem.

And again, that's coming from a security geek.

Edwin: Yeah.

Ian: And I would have the same advice to any entrepreneur, any founder, talk to the people in the field, [00:20:00] understand what is the actual pain that they're experiencing on a day to day basis. Don't try to get them to talk about some made up or some, again, super geeky.

Technical problem or security problem. Ask them, what hurts you on a daily basis? Where do you see the most friction? Where do you see the most inefficiencies?

Edwin: Try to solve those. That's amazing. Ian, thank you for joining us on the business leadership podcast.

Ian: Thanks so much.

Edwin: That's it. Biz leaders. Thank you for joining me on this special episode of the business leadership podcast. Part of our future narrative mini series recorded at the collision conference. It's been an enlightening conversation with Ian ament, exploring the innovation solutions, gumbo.ai offers for cloud infrastructure security.

For links to all the resources we discuss. To connect with Ian. And to learn more about the future narrative project, check the show notes in the app that you're listening to right now. If you're interested in [00:21:00] reading more about Ian and the other business leaders we profiled at collision. Join our wait list for the upcoming book. If you found value in this episode, please subscribe, rate and share it with the first person who comes to mind. That could benefit. And be grateful from hearing from you. So your support helps us grow and bring us more great content. Thanks again for tuning in and being part of our community. Until next time have a 100 X day.