Cloud Control Special Edition: Q&A with Matt Sweeney, Gomboc's New Chief Product Officer and Co-Founder

Want weekly newsletters featuring interviews with security and cloud leaders delivered right to your inbox? Sign up for Cloud Control here.

Welcoming Gomboc's New Chief Product Officer and Co-Founder: Matt Sweeney

In this special edition of Cloud Control, we're thrilled to bring you an exclusive interview with Matt Sweeney, the newly minted Chief Product Officer and Co-Founder of Gomboc. Matt is a seasoned veteran in cybersecurity and brings a wealth of experience from leading roles at Mandiant Security Validation and Fortinet FortiSASE. With a keen focus on bridging the oft-tense divide between security and engineering teams, Matt's vision for Gomboc centers on leveraging AI to empower organizations while tightening their defense against digital threats. Dive into our conversation with Matt to uncover how his journey, driven by a passion for impactful product delivery and a forward-thinking approach to cloud security, positions him to steer Gomboc into a future where trust and productivity flourish side by side 👇

Question 1 💭

I'm excited to have you on this very special edition of Cloud Control Matt. Let's start with this, what inspired you to leave your role at Google and join Gomboc as the Chief Product Officer and Co-Founder? What factors have gotten you most excited?

Given the uneasy tension that can exist between the security and engineering teams, I believe Gomboc plays a critical role in providing superpowers of trust and productivity to those teams. 

Answer 1 🎯

Throughout my career I’ve been focused on delivering products that drive a major impact to secure organizations. Joining Gomboc represents an opportunity to make a significant difference on that front by directly implementing security best practices  in cloud environments. Given the uneasy tension that can exist between the security and engineering teams, I believe Gomboc plays a critical role in providing superpowers of trust and productivity to those teams. 

Another amazing aspect of this opportunity is the team at Gomboc. I already feel the collective passion to help our customers and support one another. Our greatest asset is our team’s ingenuity, determination, and skill.

I’m excited to leverage AI to empower and accelerate the mission of our customers while making things as hard as we can for those who wish to do harm.

Question 2 💭

Tell us more about the tension between security and developers. Are there misaligned incentives or goals that are the root cause for this issue?

Answer 2 🎯

Security and engineering teams currently perform a dance where each of them have the best intentions but ultimately end up spending a lot of time to get results.  This dance involves identifying risks, filing tickets, scoping the work, prioritizing the work to be done, tracking those tickets in periodic meetings, and reporting the risks the team closed out.

The security team must ensure that an organization fulfills all of its contractual obligations as well as maintaining compliance with corporate standards, whereas an engineering team strives to deliver product value to customers. Regarding the security risk dance, engineering teams often end up kicking the can down the road due to the level of effort to resolve security risks versus competing priorities. 

With the Gomboc solution stepping onto the dance floor, the team can prioritize risks based on compliance with clearly defined policy aligned to cloud security IaC best practices and retire the security debt in the scope of one dance versus the whole evening.

Question 3 💭

How do you see your past experiences shaping your role and contributions at Gomboc?

Answer 3 🎯

Leading product and engineering efforts for Mandiant Security Validation and the Fortinet FortiSASE offerings gives me perspective on the types of threats that security and engineering teams face every day in a wide range of enterprises, from Fortune 500 to SMBs. I’ve experienced the friction that can develop between security and engineering groups as both do their best to balance the push to deliver products while maintaining security. I’m excited to channel that knowledge to create a product that delivers accurate fixes automatically to customers and harmonizes the relationship between security and engineering practitioners.

Question 4 💭

In leading a startup, you need to innovate quickly. What unique approaches do you plan to bring to Gomboc to accomplish this?

Focus is one of the most effective superpowers of a successful startup. Leading product efforts at Gomboc I plan to quickly develop a picture for our whole product concept and focus our efforts on being the best solution in the world to bridge the gap between security best practices and automated, durable solutions to security configuration.

Answer 4 🎯

Focus is one of the most effective superpowers of a successful startup. Leading product efforts at Gomboc I plan to quickly develop a picture for our whole product concept and focus our efforts on being the best solution in the world to bridge the gap between security best practices and automated, durable solutions to security configuration. We will guide organizations to establish the best practices and workflows that will make it easy and effective to include Gomboc at the center of their operations. 

Effective partnerships also accelerate the value we can bring customers. I will selectively partner with organizations to make our AI-based remediation most effective. At the same time, we’ll be focused on expanding our automated remediation capabilities, making CNAPP and CSPM tools a solution that doesn’t just give customers more work but also burns down their technical debt.

Question 5 💭

With the dawn of AI Software Engineers and AI SOC Analysts, what predictions do you have for the future of cybersecurity and AI?

Answer 5 🎯

The impact of AI-driven engineering and analysis is twofold - the increased burden placed on security and engineering teams to review generated code and the benefit of automation for analysts who suffered for years under the crushing weight of events and alerts generated by log management and SIEM systems.

AI software engineers introduce an element of uncertainty regarding generated source code, which will usher in an era of increased responsibility for security teams to support auditing and compliance activities in a scalable way. To address increased use of generative coding agents, security and engineering teams will require the support of agents which counterbalance the risk of security vulnerabilities being introduced by teams that may not have considered appropriate security best practices.

SOC Analysts often measure performance in terms of throughput of alerts rather than outcome, which is primarily the case because the knowledge to triage and assemble events and alerts of interest hasn’t been codified in a way AI systems can utilize. This scenario represents the cybersecurity industry solving the problem of observability by creating another one with security operations triage at scale. I believe the only way for the SOC to move from reactive to proactive involves AI to translate attempted breaches into codified detection engineering rules or algorithms.

Both of these scenarios benefit from pushing security best practices farther left toward the developer while security professionals audit their efforts with deterministic AI.

Question 6 💭

What excites you the most about working at the intersection of cloud security and artificial intelligence?

Answer 6 🎯

I’ve spent a significant part of my career solving grand challenges using artificial intelligence (AI) and machine learning (ML). Access to tooling and hardware to deploy AI solutions has expanded so dramatically that it is far easier now to go from a great hypothesis about how to solve a problem to a solution. 

Applying AI and machine learning in the security space can be exciting and challenging because the stakes are high. Oftentimes, automated solutions with AI end up creating more work for practitioners than they solve due to false positives and the general uncertainty the user has about what the system is doing.  

The solution we’re delivering at Gomboc is driven by AI but has predictable outcomes that not only fix problems but also help train users with contextual information to engender trust. The AI revolution holds great promise for the security space, but we have to be careful applying it so that we save effort rather than create new problems.

Question 7 💭

What key product management strategies do you believe will fuel Gomboc’s growth in differentiating our offerings and best serving our customers?

...we will develop strategic integrations and solution definitions to support our customers and partner organizations to deliver the whole product offering that our customers require to integrate Gomboc into their operational workflows with minimal effort. For example, with a Terraform run task integration we can enable organizations to apply Gomboc as a post-plan or pre-apply task to ensure that from development through to production cloud security configurations comply with policy.

Answer 7 🎯

Leading product management, I plan to leverage Gomboc’s key differentiators to establish our position as an indispensable cloud security product. Unlike our competitors in the CSPM and CNAPP space which identify risks and may even suggest some way to address them, we provide well-documented one-click solutions which security professionals and software engineers understand. The combination of plain language policy with deterministic automated remediations from Gomboc connects organizations in a way that hasn’t been possible before. 

Building on my previous comment about partnerships, we will develop strategic integrations and solution definitions to support our customers and partner organizations to deliver the whole product offering that our customers require to integrate Gomboc into their operational workflows with minimal effort. For example, with a Terraform run task integration we can enable organizations to apply Gomboc as a post-plan or pre-apply task to ensure that from development through to production cloud security configurations comply with policy.

As a thought leader in cloud security, Gomboc will share our unique knowledge regarding security practices as applied to open source code to educate the industry and our customers by providing case studies about inherent risks in third party code for cloud infrastructure deployment. More on that to come.

Question 8 💭

Tell us more about some of the key goals you hope to achieve with the team in the near future?

Answer 8 🎯

Our near-term goals include focusing on 1.) Expanding automated remediation capabilities, including expanding coverage across top cloud providers and IaC languages; 2.) Operationalizing the security gap remediation workflow to capture performance metrics, reports, and outcomes so that our customers realize the value of the product and can communicate that in their organization; and 3.) Demonstrating integrations with providers in the CNAPP and CSPM space to help customers apply fixes instead of getting frustrated with longer lists of items they’ll never be able to remediate.

Question 9 💭

With AI transforming how security products are developed and deployed, what key metrics do you think will be most important in determining how effective a new solution is?

Answer 9 🎯

Establishing trust with customers presents one of the biggest challenges applying new technologies. 

In the case of AI, providing clear metrics measuring the coverage of a solution as applied to a given technology or API and the accuracy that solution delivers relative to the expected outcome establishing that trust. Customers appreciate Gomboc’s deterministic approach to delivering security remediations since all changes may be audited. 

The time and resources required to achieve a desired outcome represent another key metric area for solutions. As Gomboc evolves we will be able to provide metrics capturing the delta from issue discovery to remediation so that organizations realize the value of our solution and can convey the effect of their efforts in their organization.

Question 10 💭

Let’s look towards the future landscape of cloud security - how do you see it evolving? Are there any emerging threats that are top of mind for you and that you believe Gomboc will need to prepare for?

Answer 10 🎯

The evolution of AI not only helps security professionals, it also gives threat actors tools to evolve more quickly and effectively. Given that threats actors have shifted to data theft and financial gain as their primary means and goals of operation (see this document) while external organizations discover a majority of compromises, focusing organizational efforts to securely configure assets and maintain that security between audits is more critical than ever.

I think the security industry needs more products like Gomboc which provide augmentative support for engineering and security teams. To that end, I believe we will see a continuing evolution from humans in the loop to humans on the loop in the security industry as products demonstrate predictable results that scale.

Latest AWS and Azure Updates You Don’t Want to Miss

1. AWS Systems Manager Parameter Store now supports cross-account sharing
2. Generate AWS CloudFormation templates and AWS CDK apps for existing AWS resources in minutes
3. AWS Free Tier now includes 750 hours of free Public IPv4 addresses, as charges for Public IPv4 begin
4. Azure Classic Administrator roles are retiring on 31 August 2024
5. Retirement: Support for Application Gateway Web Application Firewall v2 Configuration is ending

Top Articles and Resources of the Week

Articles

1. AWS snags Skyhigh's Gee Rittenhouse to run security business
2. Fusing cloud security with AI-powered SecOps
3. 5 certifications that can boost a cybersecurity leader’s career
4. CISA hit by hackers, key systems taken offline
5. Israel's Orca Security CEO reveals the future of cloud security

Resources

1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.‍
2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.‍
3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.