
Welcoming Gomboc’s New Chief Product Officer and Co-Founder: Matt Sweeney

In this special edition of Cloud Control, we're thrilled to bring you an exclusive interview with Matt Sweeney, the newly minted Chief Product Officer and Co-Founder of Gomboc. Matt is a seasoned veteran in cybersecurity and brings a wealth of experience from leading roles at Mandiant Security Validation and Fortinet FortiSASE. With a keen focus on bridging the oft-tense divide between security and engineering teams, Matt's vision for Gomboc centers on leveraging AI to empower organizations while tightening their defense against digital threats. Dive into our conversation with Matt to uncover how his journey, driven by a passion for impactful product delivery and a forward-thinking approach to cloud security, positions him to steer Gomboc into a future where trust and productivity flourish side by side 👇

Matt Sweeney, Chief Product Officer and Co-Founder at Gomboc

Question 1 💭

I'm excited to have you on this very special edition of Cloud Control, Matt. Let's start with this: what inspired you to leave your role at Mandiant and join Gomboc as the Chief Product Officer and Co-Founder? What factors have gotten you most excited?

Answer 1 🎯

Throughout my career I’ve been focused on delivering products that drive a major impact to secure organizations. Joining Gomboc represents an opportunity to make a significant difference on that front by directly implementing security best practices in cloud environments. Given the uneasy tension that can exist between the security and engineering teams, I believe Gomboc plays a critical role in providing superpowers of trust and productivity to those teams.

Another amazing aspect of this opportunity is the team at Gomboc. I already feel the collective passion to help our customers and support one another. Our greatest asset is our team’s ingenuity, determination, and skill.

I’m excited to leverage AI to empower and accelerate the mission of our customers while making things as hard as we can for those who wish to do harm.

Question 2 💭

Tell us more about the tension between security and developers. Are there misaligned incentives or goals that are the root cause for this issue?

Answer 2 🎯

Security and engineering teams currently perform a dance where each of them has the best intentions but ultimately ends up spending a lot of time to get results. This dance involves identifying risks, filing tickets, scoping the work, prioritizing the work to be done, tracking those tickets in periodic meetings, and reporting the risks the team closed out.

The security team must ensure that an organization fulfills all of its contractual obligations as well as maintaining compliance with corporate standards, whereas an engineering team strives to deliver product value to customers. Regarding the security risk dance, engineering teams often end up kicking the can down the road due to the level of effort to resolve security risks versus competing priorities. 

With the Gomboc solution stepping onto the dance floor, the team can prioritize risks based on compliance with clearly defined policy aligned to cloud security IaC best practices and retire the security debt in the scope of one dance versus the whole evening.

Question 3 💭

How do you see your past experiences shaping your role and contributions at Gomboc?

Answer 3 🎯

Leading product and engineering efforts for Mandiant Security Validation and the Fortinet FortiSASE offerings gives me perspective on the types of threats that security and engineering teams face every day in a wide range of enterprises, from Fortune 500 to SMBs. I’ve experienced the friction that can develop between security and engineering groups as both do their best to balance the push to deliver products while maintaining security. I’m excited to channel that knowledge to create a product that delivers accurate fixes automatically to customers and harmonizes the relationship between security and engineering practitioners.

Question 4 💭

In leading a startup, you need to innovate quickly. What unique approaches do you plan to bring to Gomboc to accomplish this?

Answer 4 🎯

Focus is one of the most effective superpowers of a successful startup. Leading product efforts at Gomboc, I plan to quickly develop a picture for our whole product concept and focus our efforts on being the best solution in the world to bridge the gap between security best practices and automated, durable solutions to security configuration. We will guide organizations to establish the best practices and workflows that will make it easy and effective to include Gomboc at the center of their operations.

Effective partnerships also accelerate the value we can bring customers. I will selectively partner with organizations to make our AI-based remediation most effective. At the same time, we'll be focused on expanding our automated remediation capabilities and integrating them with CNAPP solutions to burn down technical debt instead of just giving customers more work to do.

Question 5 💭

With the dawn of AI Software Engineers and AI SOC Analysts, what predictions do you have for the future of cybersecurity and AI?

Answer 5 🎯

The impact of AI-driven engineering and analysis is twofold - the increased burden placed on security and engineering teams to review generated code and the benefit of automation for analysts who suffered for years under the crushing weight of events and alerts generated by log management and SIEM systems.

AI software engineers introduce an element of uncertainty regarding generated source code, which will usher in an era of increased responsibility for security teams to support auditing and compliance activities in a scalable way. To address increased use of generative coding agents, security and engineering teams will require the support of agents which counterbalance the risk of security vulnerabilities being introduced by teams that may not have considered appropriate security best practices.

SOC Analysts often measure performance in terms of throughput of alerts rather than outcome, which is primarily the case because the knowledge to triage and assemble events and alerts of interest hasn’t been codified in a way AI systems can utilize. This scenario represents the cybersecurity industry solving the problem of observability by creating another one with security operations triage at scale. I believe the only way for the SOC to move from reactive to proactive involves AI to translate attempted breaches into codified detection engineering rules or algorithms.

Both of these scenarios benefit from pushing security best practices farther left toward the developer while security professionals audit their efforts with deterministic AI.

What’s New at Gomboc

If you missed the beginning of this newsletter, Matt Sweeney has joined Gomboc as Co-founder and Chief Product Officer. Read more about it here: https://www.gomboc.ai/blog/cloud-control-special-edition-q-a-with-matt-sweeney-gombocs-new-chief-product-officer-and-co-founder

Gomboc was one of 17 companies to join the second cohort of the Google for Startups Growth Academy: AI for Cybersecurity program. Read more about it here: https://blog.google/outreach-initiatives/entrepreneurs/cybersecurity-startups-using-ai/

Top Articles and Resources of the Week

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.

  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.

  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.

  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.

  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.