Founder Perspective: Matt Caulfield on why he started Oort

by Yotam, April 5th, 2021

In an effort to introduce you to the people building Oort, I sat down last week with Oort's Founder & CEO, Matt Caulfield, to discuss his motivation for starting the company and where he sees opportunities to innovate within the cybersecurity market.

When, and why, did you decide to start your own company?

I’ve known that I wanted to start my own company since I was about ten years old. However, I only really started thinking about starting this particular company about three years ago. 

I had just spent the past several years at Cisco, completely obsessed with the idea of Edge Computing, but without any outlet for bringing it to life. Edge Computing is this idea that the Cloud alone is not the right platform for everything. Cloud Computing, like AWS, GCP, or Azure, is still fairly centralized, so for workloads that require low latency or high bandwidth, it tends to be too slow and expensive. 

At Cisco, my team had prototyped this awesome container-based Edge Computing platform that Mobile Service Providers could deploy along with their 5G rollout. While the platform was great and the idea of deploying applications to all of these edge sites was compelling, it wasn’t really clear which use case would drive the adoption of Edge. 

So I set out on a mission to find that killer use case. And I literally set out. I left Cisco to go pursue this. Over ten years at Cisco I had worked with some of the largest and most innovative tech companies on everything from cloud platforms to networking to video to security. I came up with about a dozen use cases and, out of everything I considered, security kept coming back to me. Here was a use case for Edge Computing that had teeth. What if we could use this new emerging platform to disrupt the status quo of network security? 

There are a few reasons to start a company. Some of us find a burning problem to solve, others harness a new technology, and sometimes it’s just pure passion. For me, and for many entrepreneurs I’ve spoken to, they see the way the world is today and they imagine how it should be. Through sheer force of will, they invent the future. That is what I intend to do and that is why I started Oort.

Is there a particular founder, or company, you admire most?

I am a bit of an industrialist. Henry Ford, Andrew Carnegie, John D. Rockefeller. Some of these figures are controversial with a modern lens but I’ve always had a fascination with the sheer size of the industries that they helped create and with the legacy each one has left. My father and I used to drive past the birthplace of Rockefeller on my way to and from college in central New York state. It reinforced, in my mind, the importance of humble beginnings.

In the modern era, I still have a deep admiration and respect for Cisco, which is why I stayed there as long as I did. I admire Microsoft for the speed at which they entered and dominated the cloud market. Out of the current startup landscape, I would probably pick HashiCorp. Their tooling, commitment to open source, and overall ethos are just plain appealing to an engineer like me. It is something I hope to emulate at Oort.

In what ways do you see the cybersecurity landscape evolving in the coming years?

We’re all wondering: can it get worse? The number and magnitude of attacks, the number of companies, and the amount of investment dollars being poured into the market. It’s a fragmented mess: a high entropy system. 

Just look at the number of network security categories. You have a dozen or more categories for what should, fundamentally, be one thing. I think SASE (Secure Access Service Edge) is a step in the right direction. At Oort, we have our ten-year vision, and underpinning that, our own Grand Unified Theory of Security, which describes how this high entropy system should eventually collapse in on itself. Out of that singularity will emerge a new order that will hopefully leave behind the brittleness of the current ecosystem; more of a platform-based approach to cybersecurity.

I know that sounds pretty abstract, so let me tie it back to reality with three observations for the here and now. 

The first observation is that “identity as the perimeter” is just as flawed as “network as the perimeter.” Everyone knows that traditional network boundaries are now meaningless but to throw out network security entirely in favor of just endpoint security, or just application security, or just identity is like fighting with one hand tied behind your back.

Second, the trend of DevSecOps is great, but how about adopting DevOps practices for security teams? Development teams should take responsibility for the code they ship and the infrastructure they operate. What I also find compelling, in addition to dev teams adopting security, is the idea that security teams can also learn a thing or two from development. Infrastructure as Code has made it possible for individual engineers to wrangle cloud platforms in a way that is both efficient and predictable. IT and Security teams also wrangle infrastructure. The tools and practices around Infrastructure as Code make perfect sense in that context as well. Security as Code. Policy as Code.

Finally, security enforcement is entirely disconnected from business context. The purpose of security is to manage risk for the business to an acceptable level. However, business intent is, at best, loosely correlated with policy and almost entirely disconnected from controls, save maybe some traceability through the IT ticketing system. We, as security solutions providers, need to do a much better job of tying business context into every aspect of our solutions.

Stay Tuned For Part 2, coming next week!