DevOps Chat: Charting a New DevSecOps Course, With ZeroNorth

ZeroNorth from its founding has been focused on bringing a DevSecOps solution to market that was unique and effective. The company has brought on industry veteran John Worrall as the CEO to join Chairman and Founder Ernesto DiGiambattista and the rest of the team to help organizations with DevSecOps. It also recently raised $10 million in funding to help the cause.

In this DevOps Chat, we sit down with Ernesto and John and talk about the new course that ZeroNorth is charting.

As usual, the streaming audio is immediately below, followed by the transcript of our conversation.

Transcript

Alan Shimel: Hello, everyone, it’s Alan Shimel, DevOps.com and Security Boulevard, and you’re listening to another DevOps Chat. We’ve got a great update today on DevOps Chat. We’re gonna be speaking with the brain trust at ZeroNorth Securities Company in the DevSecOps space. And you might have heard them previously on some old DevOps Chats, but we haven’t gotten an update in some time and they’ve undergone some changes and have some great news.

So, what I’d like to do is bring on first the Founder and now Chairman of the Board at ZeroNorth, Ernesto DiGiambattista. Ernesto, I didn’t mangle it too bad, did I?

Ernesto DiGiambattista: You did a great job, Alan. Thanks for having us.

Shimel: My pleasure. And I’ll mention that joining Ernesto is the newly appointed CEO of ZeroNorth, John Worrall. And John, we’re gonna just hold you in abeyance for a moment here, because I wanted to give Ernesto a chance to kind of bring us up to speed on ZeroNorth. Ernesto, go ahead.

DiGiambattista: Hey, thanks, Alan. Yeah, so, it’s been a while since we’ve spoken, but a lot has happened since the name change. We typically start off with our history around application security orchestration. And then, over the last 18 months, we’ve expanded beyond into advanced vulnerability correlation as well as working with our organizations beyond the cloud into private and on prem, which kind of evolved and brought our company history to ZeroNorth.

So, really, working with DevOps organizations and eliminating that friction, that pain, and embedding security throughout, and then in addition to that, really just helping the security ops teams. So, from a history perspective, we’ve really been pushing the whole end to end solution perspective, and we’re really excited right now with our explosive growth over the last 12 months, bringing on John Worrall as our CEO.

Shimel: Sure. Now, Ernesto, we should also mention, you guys did some fundraising during that period as well.

DiGiambattista: Yeah, we did. We closed our round in April with ClearSky as well as Rally and Crosslink, and obviously, we have participation again from Petrillo Capital. So, just some really strong investments that we’re using right now on the sales and marketing and then obviously, doubling down on our engineering to really help our customers.

Shimel: Got it—got it, got it, got it. And then, Ernesto, before I turn over to John a little bit in focus, I wanted to ask you, it’s a difficult—you know, having been a co-founder of several companies and been sitting in your shoes or standing in your shoes, it’s a difficult decision to know when to give, you know, kinda day to day control as the CEO up of your baby. But you know you’ve gotta do it, just like—you know, I just came home two weekends ago from dropping my son off in college. And every time I do, it’s a tough drive home. You know, you know it’s the right thing to do because they’ve gotta grow and it’s for their own good, but it’s a hard thing to do.

Why don’t you share with our audience what kind of drove you to do this, or what was the thing that, kinda the straw that broke the camel’s back in saying, “Yeah, it’s time for me to do this”?

DiGiambattista: Well, I think, you know, as any founder, you know, you start off with an idea and then you have to bring people around you to help grow the company, you know, from a product perspective. Eventually, someone has to come on and run, VP of Engineering, then it’s the CTO. And then, as you kind of bring, you know, the company to a certain level, you have to look in the mirror and understand where can you add the most value for the organization?

So, for me, it was, you know, working with John over the last seven months and getting to know him, you know, not really so much as a CEO but as really a partner and part of the management team and really helping us get to that next level.

So, as I kinda look at where I can add the most, to me, it’s really looking at someone like John who had the ability to really join us and help us, you know, really take it to that next level and help us scale the organization. I think as we kinda look at where we are and where we were, I think just the growth over the last 12 months and for someone like myself, having John at the CEO role is really gonna help us, you know, really grow very quickly. And, as we kinda talked about a little bit, he’d been helping me over the last seven months and knows the story, knows the company, knows the people, which is super important for me.

So, as a founder and as a board member, it was a really easy decision of working with someone I knew and trusted and obviously, from a culture perspective, that’s the hardest thing for any founder, I think, to really appreciate and understand is, you know you’re gonna have to bring someone at some point. Just making sure you find that right person is super important. So, I was really fortunate enough to have the opportunity to work with John for a long period of time.

Shimel: Sure.

DiGiambattista: So, with that said, I definitely wanna introduce and welcome John to the team and introduce him to you as well.

Shimel: Thanks, Ernest. John—so, welcome. Ernest gave us the lowdown there, and congratulations on the CEO appointment.

John Worrall: Thank you.

Shimel: So, John, just—you know, I’m not gonna make you read your own résumé, it’s embarrassing. [Laughter] But, for our audience out there, you know, you have a ton of experience, primarily as a CMO type of role, most recently with CyberArk, you know, a security company, they’re a public company now. And didn’t CyberArk buy Conjur up in Boston as well? Yep.

Worrall: They did. That’s right. They bought Conjur right after I left, actually, yes.

Shimel: Mm-hmm. I do remember that. And then, John, you know, you’ve had executive team experience going all the way back to RSA where you were CMO.

Worrall: That’s correct. Yes, I had different types of operating experience, but I’ve been in security since 1997. I actually got into marketing through product management, so I had a lot of the technology piece of it, the product strategy piece of it which was real critical to developing my career. I was responsible for the RSA conference, which we ran as a separate business unit when I was at RSA as well.

And then I had a chance to have full GM responsibility for one of the product lines for a couple years right after the EMC acquisition in the SIM space, so the product called Envision.

Shimel: Sure.

Worrall: All of that was a great development ground, great training ground for the role. And then now, as was my experience at Counter Tech, which was helping to raise the A round for them, and taking CyberArk public was all very valuable and really helped me build the tool set I need to take on a role like this at ZeroNorth.

Shimel: Yep, no doubt about it. And look, anyone out there who says, “Oh, it’s a marketing guy, they don’t have technical chops”—oh, bull crap. I know a lot of marketing guys, much like you, John, who came over either with Comp Sci degrees and strong coding skills or products, you know, leading product and engineering teams. So, you know, you don’t have to prove your chops or justify your position, here.

But John, I wanna ask you—why ZeroNorth? What got you excited, here?

Worrall: Yeah. Well, Ernesto mentioned a few of them, but I’ll start with the obvious, which is, there’s just an incredible market opportunity and if there’s a market opportunity, there’s a chance to really be part of something special. I’ve had that opportunity in the past at a number of companies where you just realize that the problem you’re solving is so important for the market and so important for your customers that you have the opportunity to really impact how strong their security programs are, and ZeroNorth is one of those opportunities.

Shimel: Great, great. So, what exactly, John, that ZeroNorth is doing that really leads you to believe—I mean, I think we all—let me back up. We all know there’s tremendous opportunities in the security, cyber security market today, right? But what specifically about ZeroNorth is it that leads you to believe—hey, this could be one that capitalizes on that? This could be something that kinda changes the game?

Worrall: So, there’s probably a few levels to that answer. I’ll start with the fact that we offer risk based vulnerability orchestration and we cover both the application side of the equation as well as the infrastructure side of the equation. So, we’re bringing together all the vulnerability data that an organization can possibly amass, and helping them turn that into something very, very actionable.

So, the number one—we’re unique in that. No one else is doing that. No one else has that orchestration as well as the ability to pull all this data together and turn that into something really actionable.

The second thing is that we’re not just dealing with, as I said, one side or the other. It’s not just the left side or the right side. We can integrate with any part of the pipeline, from code commit all the way through production environments. That means that your infrastructure guys and your application guys and your security guys are all operating off the same vulnerability data, the same prioritized data, which means you can really start moving the program down to a really secure DevOps environment, which is really what organizations are going for.

Shimel: Yep.

Worrall: The second part is that digital transformation is such a big thing for our customers that they really need to get the security of their application, development application and infrastructure really up to par, and they have to get it up to the same speed as application development—ZeroNorth can totally do that.

Shimel: Great. So, John, one of the things that I’ve been preaching now for a while is that, you know, with DevSecOps—and I, you know, I’ve been involved with DevSecOps now four or five years. I’m actually, this is gonna be the fifth year we’re doing a DevSecOps event at RSA conference in San Francisco, the Monday, in partnership with them in Moscone Center.

So, I’ve been involved in DevSecOps, it’s what got me into DevOps to begin with. And for so long, the emphasis has been on what we call shift left, right? Where we’re looking at how do we get security earlier into the Dev cycle, and a lot of that is around vulnerability scanning and testing code.

But I think we’ve also—or I think the leading edge of the DevSecOps community and DevOps community is starting to realize that as much as we have to shift left, we have to shift right as well.

Worrall: Yeah, I think that’s absolutely true. You’re trying to look at the application environment across its entire life cycle. And that means, again, from code commit all the way through your production environments. So, for those organizations that are starting on the right hand side, it’s really expand left, it’s not shift left. You know, you have to have a great right hand side program and you need to build the left hand side on top of that. So, I totally agree with your point—you have to do both.

Shimel: No, no—yeah, no doubt about it. And I think, as we realize that—and I also think, you know, they’re kinda two sides of the same coin at some level. But John, let me ask you another question, and that is, you know, when it comes to things like vulnerability scanning and testing and remediation, there’s a lot of established players. There’s open source tools, free tools, scanners, work flow.

Do you think it’s realistic to think that people are gonna throw those away, or is part of the ZeroNorth strategy to kinda harness or leverage investments people have already made?

Worrall: So, based on Ernesto’s vision that he established several years ago, we’re firmly in the camp of adding value to the tools you already have, making sure that you’re getting the most value from the tools, both in terms of quality of data that you’re getting out of those systems. Throughout orchestration capabilities, though, we enable you to scan a much broader part of your portfolio with fewer resources and we allow you to do that continuously.

So, in the process, you’re getting more value out of your tools because you got better data, but you’re also able to get better data for your risk analytics and your vulnerability assessments because we can scan the whole portfolio and we can scan continuously. And, as you know, these threat environment changes on a minute by minute basis, having a quarterly scan or a monthly scan doesn’t do you a lot of good in today’s world.

Shimel: Not in today’s pace. Speaking of today’s world, Kubernetes seems to be changing everything, right? Whether you’re talking about cloud, on prem, you know, rapid deployment, et cetera. What, if anything, in particular does Kubernetes present to TrueNorth in terms of either challenges, opportunities, et cetera?

DiGiambattista: So, yeah, I think—this is Ernesto. So, from ZeroNorth’s perspective with Kubernetes—

Shimel: I’m sorry, I said TrueNorth—Ernesto, I apologize.

Worrall: [Laughter]

DiGiambattista: No worries. So, yeah, just from our perspective at ZeroNorth, you know, we see, obviously, Kubernetes internally is a framework that we adopted and have been pioneering and driving from our platform perspective, but we’re seeing the same exact discussions with our customer base.

Shimel: Mm-hmm.

DiGiambattista: So, as you kinda think about DevOps and you kinda refer to, Alan, from your history with DevOps as a whole, you know, we’ve gone from a shift of monolithic applications to a world of microservices and containers. But the reality of it is—and as I’m sure you’re very well aware—we’re not all gonna go shifting in one direction. We’re gonna live in a hybrid world for a very long time where we’ll have monolithic apps still around today, but we’re also gonna be emerging and transitioning to a world of microservices.

So, with us, specifically, as we thought about that form the original architecture and strategy, as we’re solving this problem for our customers, we understand and appreciate this hybrid world where there will still be things sitting in a data center and there will be changes being pushed once a month. But the reality of it is, as John echoed earlier, we’re living in a software defined world. You know, every single company is leveraging software as their competitive advantage. So, as they’re looking at a cloud infrastructure or a cloud solution private or public, you know, Kubernetes or whatever it may be from a framework perspective is gonna be part of that story.

So, as you kinda mentioned earlier, DevOps needs to embrace some type of DevSecOps solution, and that’s where we look at it from a holistic and agnostic framework.

Worrall: And that’s one of the strategic changes that Ernesto made about six or eight months ago was to expand beyond DevOps and really acknowledge the fact that organizations are at different stages of their evolution to DevOps. And a solution like ZeroNorth can actually help them along that migration. It can speed up the process for them and make it much more effective and get better results out of their DevOps environment a lot more quickly than it could otherwise.

DiGiambattista: So, one of the things that, you know, Alan, you were talking about earlier, this is your fifth year in your journey of DevSecOps. You know, the conversations that we were having three or four years ago were very different from a customer perspective. They were just starting in their DevOps journey. And today, a lot of those organizations have embraced and pioneered and driven that into their organization.

Now, the question is—how do you add the Sec into DevOps and kinda help the organization bring that all together from the ________ and visibility perspective?

Shimel: Agreed, agreed. So, John, so you’ve got your mission here, right? This is on you, now. What are some of the things you’re gonna be doing or bringing to the organization to kind of fulfill the dream here of—not the dream, but to fulfill the opportunity that you see?

Worrall: Yeah. So, first of all, the important thing is to stay focused on the direction we’re headed that Ernesto chartered for us. And that’s the, really, most important thing for us to do because it’s working so well. We’re getting such great traction out of the market, great recognition that every customer has this problem, so we need to stay focused on solving the problem.

A lot of the stuff that I’ll be focusing on, especially initially, is rather boring in many ways, because it’s all about making sure we’re really effective in our execution, making sure that we’ve got the right resources in the right places. So, making sure that we can grow the business effectively, making sure that we’ve got the product development programs going as effectively as possible, making sure that our Customer Success team can stay up with our growth and our volume as we deploy more solutions to customers so they can get the value that they want out of the ZeroNorth platform.

And a lot of that isn’t too sexy, but it’s really critical to serve our customers and meet the market need as a company like ZeroNorth has such strong growth.

Shimel: Got it, agreed. Well, guys, I think when I started, I told you—time goes quick. We’re coming up on our hard end, here. But if people want more information, of course, they can go to ZeroNorth.io, but John, wondering if there’s any conferences or speaking kind of opportunities where ZeroNorth will be participating, where maybe people in our audience can follow along.

Worrall: Sure. We have a good speaker program, we’ll be at the major conference. We’re at BlackHat, we’ll be at RSA. We are gonna be at a bunch of CISO network breakfast meetings coming up. I think we’ve got six or eight of those scheduled. So, we’re out there doing a lot of things.

Our team has also been very, very effective at some of the local ISSA events and things like that where our CTO’s been very active out there, our technical team has been very active out there, and there’s a lot of ways to interact with us.

Shimel: Got it. Excellent. Well, guys, first of all—John, welcome to the team.

Worrall: Thanks, Alan.

Shimel: Secondly, Ernesto—good work, man. You know, I know where you’re coming from. It takes a big man to recognize that sometimes you gotta call in, you know, someone else to help you with something, right? And that’s the first step, right—

Worrall: Totally.

Shimel: – is going in there. So, congratulations on that. Continued success with ZeroNorth. Let’s stay in touch and see where things are going.

Worrall: We would love to do that, Alan. Thanks very much for the chance to talk with you today.

DiGiambattista: Thanks, Alan.

Shimel: Alright. Take care, fellas. Alright—ZeroNorth here on DevOps Chat. This is Alan Shimel. You’ve just listened to another chat.

Alan Shimel

Avatar photo

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.

alan has 81 posts and counting.See all posts by alan