I’ve always said the best part of my job is talking to customers – especially happy customers! – and I got that chance a couple of weeks ago when I interviewed George Gerchow, the chief security officer at Sumo Logic.
George is one of those “no BS, move fast, lead by serving, and do it all with a smile” guys. And he’s unflinching about the criticality of security to the company he serves. With cameras rolling for our video with him, at one point he said “As a SaaS business, if we get breached, we could be out of business overnight.”
After filming paused, I said, “That’s a pretty big statement – do you want to do another cut, with less precarious phrasing?” He didn’t even blink. “Nope – that’s the truth. Why soft pedal it?”
Sumo has grown rapidly, attracting cloud companies and large enterprises to its continuous intelligence platform for business analytics and big data. As a result, George and the four teams he runs have a lot of sensitive data to protect. He’s acutely aware of the need for security to keep that customer data safe while not getting in the way of business innovation.
The key, says George, is applying security early in the app dev process. He’s found that many companies are taking the old waterfall approach to security even in the container and Kubernetes world – waiting until systems are running in production to worry about security. “By then it’s too late. You either pay for it now, or pay for it later.” He votes for securing it now so you don’t have to pay later!
With Kubernetes security, “securing it now” is more important – and more achievable – than ever. Applying security controls at build time and fixing problems at that early stage of app development costs 1% to 5% of what it would cost to fix the same problem after it moves into production, according to research firm Gartner. And preventative measures – essentially building proactive security into your systems – are easier to apply in the cloud-native stack, given the declarative, immutable nature of the technology.
“Shift left is more achievable in the cloud, since you have to bake security into the infrastructure to keep up with the pace,” George commented. Leveraging the Kubernetes-native architecture of StackRox fits perfectly into that mandate, he said, because StackRox uses the controls native to Kubernetes, so security policies reside directly in the infrastructure. He also called out how this approach enables low-friction security – the infrastructure and the controls are one and the same.
George also noted that StackRox has hit the Goldilocks sweet spot, balancing breadth and depth. Some solutions are super wide, he said, covering all sorts of infrastructure with a little bit of security but not doing a good job at any of them. Other solutions are super narrow, doing one thing incredibly deeply – but only that one thing, which doesn’t provide enough value for George. “StackRox is laser focused on the right set of solutions with the right depth to protect our Kubernetes apps.”