
Episode 64: API Service Mesh with Idit Levine, CEO and Founder of Solo.io

Intro


Mike: Hello and welcome to Open Source Underdogs! I’m your host Mike Schwartz, and this is episode 64 with Idit Levine, Founder and CEO of Solo.io, an API Gateway and Service Mesh company with a product called Gloo – not to be confused with Gluu – the company that I lead, who sponsors this podcast.
I’ve been trying to get Idit on the podcast for many years ever since I spoke with her at an Open Source Conference in 2019, and finally, her PR agent reached out to me a few months back, and, of course, I agreed immediately.

Solo is not your typical startup journey, it’s sort of a miracle it got off the ground, but once it did, they didn’t waste any time – they’re already breaking 10 million in sales.

To avoid spoiling the story, I should just stop here, so let’s cut to the interview.
Idit, thank you so much for joining us today.

Idit: Thank you so much for having me, Mike.

Did Solo Join an Incubator?


Mike: My first question, and this is sort of a different one, but it’s something I’ve been thinking about, is when you first started Solo.io – which was not that long ago, I think five or six years ago – did you join an incubator and why or why not?

Idit: I did not. I wasn’t even aware that they exist, honestly. When I started the company, what I knew is that I had some “technical” friends that I knew that I can start it, and basically started doing this – the software was more about the technology. So, I needed to learn that while I was raising money, and so on.
Honestly, Mike, I think the first VC that I met, they asked me about a pitch, and I asked, “What is a pitch, what am I supposed to do?” I really didn’t know much, I needed to learn.
I wasn’t aware of a long incubation, definitely not in those days, because it’s not very popular.
I just basically started the company around software and just tried to get some money in order to kind of like bootstrap the company. But that’s basically the things I would do. Honestly, mainly because I wasn’t aware of it.

Mike: Do you think if you could do it again, you’d use an incubator?

Idit: No. Now, I feel that they learn so much from those processes. I think it’s very good if a first founder maybe is not aware of a lot of stuff, that’s really helpful to be kind of like protected by team that has done it before and knows how to help you and guide you.

Today, I think I learned enough of the process, and I’m doing it for a while right now. I made a mistake, I learn from them, so now, I’m feeling that I’m more free to actually do it myself again, if I need to.

State of Company at Seed Funding

Mike: At the time you raise your seed funding, was the open-source project started, did you have any technology, did you have any initial customers or team? Like, what was the state of the business when you closed, let’s say, that seed round?


Idit:  No, there was nothing, honestly. Before that, I worked in the EMC. Part of the EMC, my job was to basically do cool stuff on open source. I was in business, I was in the city office, and my job was to basically, if I had a new technology and we had to figure out how we can play that. Basically, we did a lot of open source and invent development. We immediately knew that we were playing back then, in Kubernetes, Mesosphere and Mesos, and all that great kind of technology. Docker was just a new thing back then, so, again, playing in that ecosystem was immediately a thing that we’ve done.

When I started the company, there were two things that I started pitching in the beginning. The first thing that I was pitching was unikernel. It took me a few months to understand that that’s something that I would not be able to ever raise money on. Probably for good reasons.

By the time we were at home, I was pretty bored, so I built another open-source project called Squash. And that was an open-source project that related to debug microservices in Kubernetes.

And that was a relatively successful project, but mainly, as I said, I think that there is a good money on it because the work that I was doing before in the open-source, I literally built a reputation of someone who is capable of doing a cool project.

How Many VCs Pitched?


Mike: How many VCs did you pitch in your initial seed funding round?

Idit: Oh, man, a lot. I mean, as I’ve said, again, you remember, I was on the east coast, but once I decided to do it seriously, I left the EMC, and then, I basically went to the west coast, where there is VC that is more in that space and that, yeah, I got a lot of those, a lot. I think like every founder as well.

Products?


Mike: I don’t want to go too deep into the tech, but when I look at the Solo website, I see there are a few products. I am wondering if there’s like an 80/20 rule here, where one of the products accounts for 80% of the revenues?

Idit: We don’t have 20/80, actually, that’s interesting. I think it’s probably 50/50. And the reason is because of the packages, a lot of time we’re selling them together. If you look at all the projects, the main two markets that we’re going after is, the Gateway and the Mesh market. We started with a Gateway mainly because the Mesh wasn’t — you know, we couldn’t sell it.

So, we started from the Gateway, and we knew that this is kind of like an entry point and kind of like a stepping stone to a Service Mesh, so that felt very in the area. And I believe that in the future the Mesh will grow more.

First Customer

Mike:  So, one of the challenges of a start-up is always the first customer, especially if you’re selling in the Enterprise space. How did you convince this customer to be first? What did they actually buy? And whatever they bought, does that resemble your current offering today?

Idit: Yes, actually, as I said, we started selling the Gateway, and that was a flagship product of the company. When we started, basically what we did is, we had three design patterns in a way. I didn’t do it the regular way, we did it from open source. We didn’t go and talk to customers and say, “What do you want us to build?” And then, we built it. We were more like, we’re in the open-source and kind of like say, “Okay, that seems like the right thing to do.”

Kubernetes came, you needed a new API Gateway, you wanted probably an Envoy – that’s what we believed people wanted – and then, we went to pitch.  And a lot of those customers came to us from the open-source community.

So, we learned a lot from that process. What we did, and we did it differently, because we are coming from open source, we basically managed all our relationships with our customers through Slack. Then, understood what we need to do in order to make that very, very successful in their infrastructure. And we basically got all those requirements and built them into the product. It’s very different to build an open-source project versus an Enterprise environment.

Value Prop


Mike: So, what would you say is the most important thing that motivates your customers to buy your product?

Idit: I think that today Solo is kind of like three things that we are very good at. Number one is, we really, really understand the marketing really, really well, and the technology in it, so we know what’s coming up. We know what is 20 and what is not, we’re looking at adoption – we really understand that very well.

So, we always compromise with the customer that we will bring them to the edge of the technology. If there is a new technology that is relevant, we’ll probably put it in our product. I think that’s one thing that customers like, so the perception of Solo is that it is an innovative company, which it is – it’s what we are.

The second one I think is customers in sales, which was always one of the things that is the most important to us. This work with Slack, when I started it, everybody told me that’s not going to scale. And surprisingly today, when we have hundreds of customers, it is still scaling, and the technology itself, if you look at it right now, there was a lot of shifts in the market in terms of the infrastructure that you’re running, most likely running in something like Kubernetes.

So, it makes sense that you would have a Cloud native Gateway, and when you start scaling and scaling and scaling, it makes sense that you will take care of something like MPLS and Security and Zero-Trust and Observability, and all those microservices – it’s just that this is the needed technology when you are going to scale. And that’s where the market of microservices like Kubernetes is right now.

Is Solo a Distribution of existing Open-Source Components?


Mike: Solo is an interesting company in that, in a way, you write software, you write a lot of software. But you also have a curated distribution of open-source components that you give your customers a control plane to manage and take advantage of. So, it’s not just the software that you’re writing, but without Envoy and without Kubernetes and without Cilium, you really maybe couldn’t even build a product. So, do you think that maybe this is a new model, where you add a little software on top of this huge curated distribution of other very complicated components?


Idit: Instead of creating the open-source project – we do have one, for instance, Gloo Edge is a technology that is an API Gateway based on our technology, and it is based on Envoy. I think that what we were good at was identifying, pretty much at the beginning, which of those technology would be better on Envoy, when honestly Envoy was relatively a very small community no one really knew about it, and NGINX was the chosen proxy.
We chose Istio, even though we could have competed like everybody else and tried to build a better service mesh, but I knew that that will be the choosing mesh, even though when we looked at it, it was pretty messy, and we knew that it would take you a while to get there.

I was very, very aggressive to my team saying we are not going to be competitive, we are going to use that.

And the reason is because the software that wins is not always the best software. It is the software that most people are leaning to because they will make it eventually the best software. And I think that that was something that Solo has recognized very well. All that technology, all those products that we are doing is basically we are building – and I will not say a little – we are building quite a lot of logic, ease of use and enhanced technologies on top of those — let’s call it basic component that you need.

There is a lot of complexity actually in the control plane, way more than in the data plane, for instance. But, yeah, as I said to you, this is my model, hopefully sellers will succeed with it, but yeah, I believe that open source is building an amazing technology, and that we should leverage the best.

We are also contributing a lot of those technologies. I mean, if you look at the Istio right now, the new thing that we did with Ambient that we and Google contributed to it, it’s mainly we are the main contributor to it. And Istio, we are contributing a lot to it, we have a full team that is responsible to contribute to it. If you look at this, probably I think the most engineers that are working today on Istio are coming from Solo.

How to Decide What Features Are Open Source?


Mike: I was looking at the open-core model, but I’m actually more curious about, there’s always this friction between what do we put in the community version and what do we open-source. What’s the decision process behind deciding whether a plug-in will be commercial or non-commercial?

Idit: In the beginning when we started, we had nothing, we put everything in the open source, but then at one point, we understood that that’s a problem. Because eventually, somehow, you’re not going to exist as a company if you are not going to make a little bit money at least. So, we needed to figure out that what we’re putting on to double it will make sense, we are not hard to open source because it’s very important to us that open source will be successful.

It’s why we continue contributing constantly to the open source, but we also need to make sure that we will have something that differentiates it on top of it. And the decision in the beginning when we thought about it, the Enterprise feature that people actually really, really wanted to have a provider helping them was security or stuff that will let that do. You know, Enterprise feature like HA.

So, that’s the stuff that we put in Enterprise. The question is, you are usually around technology, would it make sense to be in the core open-source project because that is where it belongs. It’s kind of like a core feature, or it’s actually an extension to that open-source project.
And therefore, it’s going to be that Enterprise edition. To us, it was very important that the core should be open. That’s the way we’re doing it.

Pricing

Mike: I always warn entrepreneurs that pricing is one of the most challenging aspects of a tech start-up in particular. Can you share maybe some of the lessons you learned about how to price in the first few years, did you get pricing right initially, did you have to do a major pivot – what was your experience there, and do you have any lessons learned in pricing?

Idit: As I said to myself, okay, maybe the real unit of contribute for instance in the Gateway is supposed to be the API call, but honestly, that will take a lot of time for me, and it’s also going to be a pain for my customers, so how can I still value how much they use it, without actually interfering too much with the customer and with my engineering team.

And what I came with in the beginning is that the data plane is usually a good assumption, because if you have a lot of call, you’d probably want to scale that data plane. And in the data plane, it’s easy to call, the customer tells me I have five clusters, this is a data plane I am using – it is very easy to measure it and if people use it more, that’s fine.


So, that was the beginning. When we added the service mesh, there was a way more data plane and there was also a way more potentially change. Because you have cycles, and the cycle is basically going directly with the application, the microservices. The microservices going up and down, so very hard to basically figure it out. We needed to change that model and we went to the cluster model.

We said, just let’s keep it simple, we don’t want it – again, it’s all about keeping it simple. That’s what was important to me. I don’t want my customer to need to have a PhD in order to understand the way we were pricing.

That’s what I did. And again, it’s probably cost me some money. I probably left some money on the table and that was fine. But again, it was all about and it is still all about Solo as the partnership. It’s all about the relationship that we have with our customers, it is a real partnership, we are seriously the extension of their team.

But, you know, stuff changing all the time, so you always need to adjust. And honestly, you are learning that from your customer. So, for instance, what we saw right now is that some of the customers that are basically using us, it is more like advanced development center kind of thing.


Innovation centers like city offices or the innovation center on the ITN, and when they are starting, usually what they want, their job is to basically build something to offer to the businessmen. So, the question is, the money is not going to come from them, you cannot expect them to have tons of budget to pay you to run it.

So, what they really want is more of the consumption model. What they want is to create something and get the platform available everywhere, without paying millions of dollars, but then, they will basically enable teams to come after. And that’s different. The model should be different, it can be how much clusters you’re running. Because it could be that you’re running an empty cluster in the beginning. So, we needed to adjust based on the customers. So, it’s always moving kind of like we are learning from the customer how we can make it better.

But again, to me, the way I’m looking at this and that’s always my motto – whether it is truthful building, writing software or selling product – I want to take the challenges on my team. For instance, I prefer right now to build a sophisticated metering that will make the best customer end-user experience for my customer, even if it’s harder.

How to Maintain High Growth

Mike: You know, I was reading an article, and it said that you were projecting five to six times growth for the next year, what is a key to obtaining this high rate of growth? How is that possible?

Idit: First of all, the market – and that’s very, very important. Like for instance, when we started, we had the Gateway that was very popular and everybody needed it, and then the Mesh came, but it took us a while until Mesh would be everywhere. Right now, there is a lot of stuff that is going really, really well for us, and that’s what is allowing us to go.


What number one is, for instance, that is still going to the graduation. So, we actually choose the right service mesh, and not only this, it is going right now to graduation which has shown maturity.
So, that by itself means that there is more demand from the market. You just need to have the right market product to sell, and when a customer wants it, it would be really lazy to grow. But I’m not going to say that there are no challenges, in economy, it could be that we have an amazing product, we have tons of money – that’s not really helpful if our customer doesn’t have money. They’re not going to buy it. Again, that point – you need to make sure that the product is a necessary, that people will need to spend money for it.

Just, again, listen to the market, make sure that you have the right market fit, which I think is the most important, thinking about the packaging, make it very, very easy for people to consume your product.

Metrics and Data?

Mike: You’ve mentioned that you’re data-oriented, and I’m wondering, what are some of the most important metrics that you track?

Idit: This is a good question. I mean, if you ask my CFO, who is a very, very data-oriented person, a lot of the metrics that is running is metrics is numbers – how many VCs we are doing, how much of it is in production and that kind of stuff. Data that I’m looking at is different than the data that my CFO, the metrics that they’re looking at. I think in every business, it’s all about people, it’s all about the people in the business, it is all about the people in the market. Why has AWS decided to do this, why has Google decided to do this, what’s going on inside this organization – all this information is not metrics, but it’s data that you need to collect in order to make the right decision.

How do I predict it five or six years ago that there is going to be a lot of clusters and that people will need a service mesh for each and Istio will be that service mesh. That was pretty crazy to do five years ago.


But I had enough data that would lead me to believe, a lot of data that would lead me to believe that this is the direction that we need to go. So, we do have the metrics of how many customer success, otherwise you cannot scale – you need to know when something is wrong and, you know, big enough organization right now that “I’m not everywhere and I don’t know everything anymore.”

What Gives You Joy as CEO?


Mike: What gives you the most joy as a CEO?

Idit: It is always your job to basically kind of like try to cover the gap that you have in the company. As in the beginning, we had engineers, but we didn’t have anybody to do evangelism, and kind of like after that, we grow, and then we got that evangelism, so I’m not doing evangelism anymore. You are always doing more stuff, and to me, the way I’m looking at this, honestly, when I’m waking up in the morning is, what is the next fire that I need to put off, like where do I have a problem with, what is not working well the way it is working right. It is seriously like that’s how you should think about it – where is the next fire will come from and how am I covering it.

And to me, I’m a person that is easily being bored, so, I like learning, I like seeing what the problem is, I’m dangerous in every position in the company, potentially. I’m dangerous enough now after six years that I learned all of those.

So, I think that, the fact that it’s never boring, but I wish it was a little bit more boring. I mean, I heard a joke from someone that said, “A founder that started a company in the last five years, what did they need to overcome?” We needed to overcome Covid, we needed to overcome the SVB with the Silicon Valley Bank fall, we needed to overcome the fact that all our competitors suddenly could have raised 100 million dollars, you know, like crazy variations with seed money.

And so, there was a lot to overcome since then and it is never boring. And I think that as someone that likes challenges, that drive “I want to be the best, I want to win.”, so, that’s what I’m enjoying.

And I’ve got an advice from Diane Greene, who was the founder of VMware. And she was one of the people that started Google Cloud, so, one of the feedbacks that she gave me when I started. She basically said to me, “You can decide which type of CEO you should be.” Keep the stuff that you really like to do or you really feel that you’re a huge differentiator. And my guess is, it is that technology is the strategic, that is my strength.

And bring strong people next to you to cover the stuff that you can give away. So, my advice is to go to market. That to me is kind of like the way I’m looking at this, but honestly as a CEO, you really do a lot of the stuff that you don’t want. I mean, your job is to fix the problem or to cover stuff and to enable the other teams. If I need to help my engineers, I will do that if I need. You know what I mean? I will do everything I need to enable the team base. That is I think very important.

What Advice Would You Give Yourself If You Could Go Back in Time?

Mike: If you could go back five years or six years and give Idit some advice, what would that advice be? It doesn’t have to be at the very founding, it could be in the early stages too.

Idit: Wow. I learned so much. It’s very challenging to run a big team and make everybody aligned. As the company’s growing more and more and more – that’s become more than another. I think that the advice that I would tell my younger Idit is basically, just follow your instincts, listen to people, but eventually, make your own decision. I think the thing that I was doing wrong in the company was, a lot of times, I’d hire a leader for market and he’d go to market. And I knew that this is not my strength.

So, even though I didn’t believe always that what they thought were doing is wrong, I let them do it because I said, “Look, they are the expert. I’m not an expert in marketing, so let them do this.” I paid a big price for it because I felt that actually a lot of times, they were wrong and it’s within the company.
So, I think that what I learned today and why I think that I would be a better leader than I was back then is because I’m going to die or succeed on my mistake, honestly. Because there’s nothing faster than us to come and take responsibility for someone else’s mistake.

Again, it doesn’t mean that you’re not going to listen, but after all the data at the beginning, if you believe, like trust your instincts, don’t assume that someone else knows your business better than you. I think that this is something that I made a mistake a lot of time, actually multiple times. Before I said, “Okay, that’s it.”

Close

Mike: Idit, thank you so much for sharing all that experience and know-how and best of luck with Solo. Although it doesn’t look like you need it, you look like you’re doing amazing, so, congrats.

Idit: You always need more luck, but thanks.

Mike: Special thanks to Idit and the Solo team for reaching out. Cool graphics from Kamal Bhattacharjee. Music from Broke for Free, Chris Zabriskie and Lee Rosevere.

Next episode’s expected Jan of 2024, an interview with Nick Schrock of Dagster. I’m slowing down a little bit, but I’m still trying to do four episodes a year.
Don’t forget the State of Open Conference is returning to London, Feb 6th and 7th. So, until next time, this is Mike Schwartz, and thanks for listening to Open Source Underdogs.

Episode 63: eBPF Networking Isovalent with Liz Rice – Chief Open Source Officer

Intro

Mike: Hello and welcome to Open Source Underdogs! I’m your host, Mike Schwartz, and this is episode 63, with Liz Rice, Chief Open Source Officer at Isovalent, the software startup behind Cilium, an eBPF-based Networking, Security and Observability project. 

This episode was recorded in early February at the inaugural State of Open Source Conference or SoCon, which was held in London at the QEII Center in Parliament Square. The force of nature behind SoCon was Amanda Brock, CEO of Open UK and editor of the essential book Open Source Law, Policy and Practice, 2nd edition. Check it out on Amazon if you’re an open-source founder. Don’t miss SoCon next year in 2024, especially if you’re already in Europe for FOSDEM.


If you think eBPF or enhanced Berkeley Packet Filter sounds like a geeky low-level technology that you don’t need to know about – well, you’d probably be wrong. It enables developers to safely write code that runs in the Linux kernel. And safely is the key word here, because if you crash the Linux kernel, everything on the whole server goes down, all the containers, and everything else running on that server.


However, by exposing the power of the Linux kernel, developers can write code that runs faster and consumes less energy, and faster and cheaper has always been an attractive feature. Cilium combines three products into one. It’s like an old-fashioned firewall, an API Gateway and Wireshark, and it’s Kubernetes pod aware. It’s used by a number of successful products like Teleport for access management or Solo.io Service Mesh.
Simply said, eBPF is going to fundamentally change our infrastructure.


I met Liz at the SoCon conference, and after learning a little about Cilium, I was really impressed, and I asked her if she would come on the podcast, and luckily, she said yes. So, here we are with the interview.

Mike: Liz, thank you so much for joining me today.

Liz: Thanks for inviting me.

Tech Overview


Mike: As I understand it, Isovalent leverages a kernel technology to build a product called Cilium Enterprise. The upstream Cilium project on GitHub has over 22,000 commits and 14,000 stars – these are really impressive numbers for a project that started in 2016. How did this happen and how does this relate to the origin story of Isovalent?


Liz: Yeah. So, Cilium is built on a platform called eBPF, which is the kernel technology that you referred to. And eBPF allows us to run programs that are triggered by events that happen in the kernel, and those events could be Network packets, they could be a system call being made by user application – pretty much any sort of event in the kernel can be used to trigger an eBPF program.

Cilium was the first networking project to take advantage of eBPF. And it was always designed with the idea of container networking in mind. And the folks who started it are the founders of Isovalent, as well as being the originators of the Cilium project. So, Thomas Graf, Daniel Borkmann, who’s a kernel maintainer looking after eBPF, within the kernel.

And eBPF and Cilium, particularly eBPF in Networking and Cilium, kind of grew hand in hand since 2016 thereabouts, as we – the many, many contributors to the Cilium project – as it grew and as it gained functionality, sometimes that’s required additional capabilities in eBPF.

So, it’s been really almost like a long game. I think when Daniel and Thomas and Dan, the CEO, when they were first thinking about using eBPF, it was such a cutting-edge kernel technology – nobody was using it in production.

You know, when we add something to the kernel today, people won’t be using it in production for probably three, four, five years to come, so really, anticipating what the future was going to be.

I first saw Thomas presenting Cilium and the underlying eBPF technology back in 2017, and at the time I thought, “Well, this is revolutionary, this can change so many things.” Because not only can we see Network packets being manipulated by eBPF programs, we’ve also got this incredibly performant way of observing those Network packets and reporting on them that we can use for observability tooling. And like you mentioned network policy – we can implement network policy in eBPF.
Just making policy decisions about whether an individual Network packet is permitted or denied by policy, based on Kubernetes identities – this is the other real strength of Cilium.


It knows the Kubernetes identities, the labels of every pod. And so, you’re no longer just looking at network flows in terms of IP addresses and the port numbers; you’re actually looking at them in terms of “this is a flow between service X and service Y.” It is so much more meaningful for a Kubernetes user.

Why the name Cilium

Mike: Just out of curiosity, do you know what Cilium means?

Liz: I think they’re little hairs in the inner ear – I’m not entirely sure why that was used as the name for the project.

Origin


Mike: I understand the eBPF technology is mind-blowing – Cilium is quite a project as I said. I mean, you’re not one of the co-founders, but do you know anything about how did it become actually a business?


Liz: I think pretty early on, as Cilium, the project, was getting established, and this sort of understanding that eBPF was going to be a really great foundation for efficient networking. That idea of building a company around this technology was probably in Thomas’s mind right from the get-go – I don’t know that for sure, but I imagine it was. And he and Dan Wendlandt, who I mentioned earlier – this is Thomas Graf and Dan Wendlandt – Dan had the background in software-defined networking, he’d worked at Nicira.


And I think they really saw the future of container networking being built on eBPF, so it was kind of natural to build a company. But, for the first few years, really the focus was on building the Cilium open-source projects, getting that really well-established and really well-known in the Kubernetes community.

It’s now been adopted by the CNCF, so we’ve actually contributed the project to CNCF, we’ve recently applied for graduation status there. It’s probably the most widely adopted in production networking plugin for Kubernetes now.

That kind of path from open-source projects, we really need to see this widely adopted, and then, a business that can provide, not just support, but also some Enterprise features that really large adopter is going to need. And just makes a lot of sense.

What does a Chief Open Source Officer do?


Mike: Your title is Chief Open Source Officer, and that’s a title I’ve never actually heard before. How is that role defined at Isovalent and why were you so excited to take on this mission?

Liz: It’s a particularly interesting title in a company where the vast majority of the engineering is open-source engineering, but I don’t run the engineering teams. My role is much more about how do we continue adoption of the open-source project, and how do we interface with the foundations, the community – I do a lot of work with the CNCF as well. How do we both act as good citizens towards that community and do the right thing in the open-source world. But also make sure that we’re taking advantage of everything we can.

You know, foundations like this offer us a lot of routes to speak to people who might become users and how we can do that in a way that is beneficial for people who want to learn about Cilium, or who want to learn about eBPF. So, that kind of educational role also falls within my team.

Open source v. Enterprise

Mike: This may sound like a silly question because Cilium was so powerful, but from a business perspective, what would you say are the main value propositions of the software?


Liz: So, from the open-source perspective, it’s a highly performant networking solution with built-in observability and security features. And we could dive into more details on what those are. From our perspective, it’s fantastic. If people are satisfied using the open-source version of the code – that’s great – we never want to make it such that — we don’t want to curtail the functionality, so that it always wants to be useful to open-source users.

That said, there are some features that particularly larger Enterprises are particularly interested in that you won’t need if you’re not a big Enterprise. So, for example, integrating with Legacy workloads. Some high availability features that you don’t really need unless you’re at a certain scale – those are the kind of features that we provide in the Enterprise distribution at Cilium.

Isovalent v. Sysdig?


Mike: Do you see yourselves competing with a company like Sysdig?

Liz: On the security front – yes. There is an element of competition there. I think we’re sort of speaking with slightly different customers there. Because, to my understanding, Sysdig is very much a security focused solution, whereas Cilium really applies more to a platform team who’s establishing, I would say Networking first, with this incredible set of security capabilities that you can then show to the security team, these amazing capabilities that they’ll get all that they already have by using Cilium.

I think we’re probably talking to different people within our respective customer organizations, but there is a certain amount of overlap around particularly the kind of runtime security, which we have a sub-project of Cilium called Cilium Tetragon. And there’s the ability to create profiles for the kind of things like accessing sensitive files or running certain executables, privilege escalation, suspicious network activity – these are the kind of things that we can detect at runtime using eBPF.

Why contribute project to the CNCF?

Mike: You mentioned that Cilium was contributed to the CNCF. What was the reason you brought the project to the CNCF? Also, what does that mean for the governance of the project?

Liz: It’s a big step to contribute a project. Because we hand over the intellectual property to the CNCF. That is something that Isovalent used to own and no longer owns. And the governance of the project really needs to be in the hands of the community. So, Isovalent remains the most prolific contributor, but – and this is again part of my role – encouraging more people and more organizations to get involved in not just code contributions and not just documentation contributions, but also the kind of broader evangelism of what Cilium is and the advantages of Cilium.

So, yeah, we’ve really embraced that community. And I think the phrase that we’ve used internally is “paved the world with Cilium”.

And the best way to pave the world with Cilium is to give it to as many people as possible, and the CNCF gives us a really great route to reaching all those people who are using Kubernetes. It gives those people confidence that it doesn’t matter what happens to Isovalent, the Cilium project is in the hands of a much, much bigger organization at this point.

And then, you know, that subset of people who are using Cilium, but then, find themselves needing Enterprise features. We won’t necessarily be the only Enterprise distribution, but there’s no doubt in my mind that we have the greatest expertise. So, hopefully, we will be the obvious choice for someone looking for Enterprise features or Enterprise support agreements around Cilium.

Trademark


Mike: This actually leads into my next question, which is that CNCF actually owns the trademark for Cilium, but your product, the Isovalent product is called Cilium Enterprise. And so, hypothetically, another company could make a product called Cilium Pro. I mean, I looked at the contributors and I went down eight contributors, they all work for Isovalent, I didn’t have time to go any further, but, obviously, your company has a lot of expertise, but still, the prospect that company spent a lot of money defending their trademarks, I almost never heard of anything like that – is it sort of terrifying, though?

Liz: I mean, at one level, yes, it is kind of terrifying. And Cilium is a brand name that is better recognized today than Isovalent is. And that’s a challenge that we have to embrace. And there are rules around what you can and can’t use – I think that there are probably still a few instances of documentation and use of the word Cilium, which we’re not really allowed to do any more, that we haven’t managed to tidy up everything.

There’s limitations on what you can and can’t use around a name based on what is now a Linux Foundation trademark. But everybody understands there’s a transition between us having a trademark and then giving it to the foundation. It obviously takes a little while to tidy up all that options around that, yeah. So, Isovalent Cilium Enterprise is the Isovalent distribution of what is a CNCF-owned community project.

Outside Contributors


Mike: I mentioned that there’s a lot of Isovalent engineers who are contributing code, but are there other engineers who are also contributing?

Liz: Absolutely! Google is quite a prolific contributor, Cilium is actually used in Google’s Dataplane V2, we have maintainers from Datadog, again a huge adopter who has been using it. Enormous scale – there’s some really good talks from Datadog talking about the scale at which they’ve deployed Cilium, we have contributors from Palantir.
Yeah, there’s several what we call committers, so maintainers of the project, who come from lots of different organizations. And then we have – I think it’s around 700 contributors in total. Isovalent today is just over a hundred people. The contributor base is much, much wider than just Isovalent. That said, we probably have the largest group of people working full-time at Cilium.

Market Segmentation?


Mike: On the commercial side, for infrastructure, the marketing is very horizontal, but have some natural segments worked out in terms of the customers who convert from open source to a commercial relationship with Isovalent? And are you figuring out that there’s any ways to segment the market here or the messaging?


Liz: I think that’s something we’re learning – I have just mentioned that we’re about a hundred people now, so we’re growing in our capabilities for how we target different customers and different verticals. We’ve had a lot of success in financial verticals, media, quite a few transport, strangely enough. Yeah, so there’s a pretty wide breadth of Enterprises who have adopted this. I guess, the prerequisite for nearly all cases is that they are Cloud Native Kubernetes users, or that we do have some users who are using Cilium in a standalone load balancer scenario.

Have we figured out how to market to all of these different types of businesses? We’re absolutely still evolving and learning. But I think the fact that we’ve for many years had this very community-based focus, a very community-based approach, means that we can establish relationships and have trusted sharing expertise on a technical level that then encourages those engineering teams to recommend us internally.

And when it comes to making a choice about an Enterprise product or whether they need commercial support, those engineering teams already know who the experts are, and have potentially already had help from our team through the open-source community.

Team Location


Mike: Is there an Isovalent headquarters office where engineers go in, or is everyone like spread around the world?

Liz: We are fully distributed. We do have offices in Zurich, where Thomas is based, and in the Bay Area, where Dan is based. And I think that the timing, you know, really around the pandemic, just at the point as Isovalent was growing was sort of around the same time as the pandemic hit. So, inevitable that we were going to be remote based.

And as people have joined, they joined from countries all around the world. We have people from as far away as Japan, or Alaska, Australia, throughout Europe and across the U.S. So, our team is really now fully distributed, and the culture has to embrace that. So, we’re very much focused on being remote first.

We do get the team together, and we try to get the whole company together, at least once a year. And we have a lot of encouragement around getting teams together in what we call hive time. Because we’re all about kind of bee-related metaphors.

Monetization: What features are enterprise?

Mike: I’m curious about monetization. It sounds like it’s open core, and what are the extra bits that you’re offering, I guess, in the Enterprise? And how do you decide what to make open source and what to add as an extra feature in the Enterprise distribution?

Liz: I see that the term open-core can sometimes come with a bit of a negative connotation. Sometimes people think of it as an open-source software that’s got some kind of, you know, been cut off at the knees, and that’s absolutely not what we believe in.

We absolutely believe in the open-source product being genuinely usable, and there are some pretty large organizations who continue to use just the open-source version. The kind of things that people will come to us for will be — there are some high availability features, there are things like BGP support for connecting into your legacy data center workloads, some Telco specific protocols that we’ve worked on – we very much don’t want people to feel that there’s something that’s core to their basic use case that they can’t do with Cilium.

Unless they are big enough that they’re the kind of organization that wants to pay anyway. You get to a certain size of organization, where you really don’t want to be just relying on open source with no sense of who’s going to support it when anything goes wrong. And they may come to us for features, they may come to us because they just want to know that somebody will be there to help them, you know, with a contract in place, should anything be needed.

Features for Growth


Mike: We mentioned that Cilium is a really broad product. Is there one particular product feature that you see driving the most growth, going forward in the next couple of years?

Liz: That’s a really great question, because we do have, you know, really, really powerful features in a number of different axes. So, for example, we just did a partnership with Grafana, where we’re building some really great dashboards, again a big part of this is available, completely open source.

There are also going to be some additional Enterprise features here. Perhaps the thing that strikes people is that they get this amazing visibility. And you know, that could be the moment when they realize, “Huh, look at the power of Cilium!” And the fact that we can see all these latency metrics or security information being shown in a visual way. So, that could be one thing that really drives growth.

It could be Service Mesh. We have a very efficient approach to doing sidecars Service Mesh in Kubernetes. Service mesh is one of those features that when it first started being talked about in probably 2018 – huge hype, huge excitement – the reality of people adopting Service Mesh, they found that it’s actually quite resource-heavy, there are issues, instrumenting all your workloads with these Service Mesh sidecars.

I think some of the realities of deploying Service Mesh had not quite lived up to the initial expectations. And then, last year, we announced the sidecarless approach that Cilium can bring. And mostly through the power of eBPF, it’s incredibly efficient. We can shortcut a lot of the path that a network packet has to take through the Service Mesh.

So, I think that’s another area that can be a real driver for growth, as people realize they can get all the benefits of Service Mesh, but without the overhead that they’ve come to associate with it.

And then, finally – security. I think I mentioned earlier the runtime security tooling that we’re able to provide through eBPF and through the Tetragon project, combining in a really performant, efficient security tooling. At the moment, everybody’s focus in security seems to be on supply chain, but they also still have firewalls. I’m quite a big believer that we have runtime security, everybody has runtime security in the form of firewalls.

We just were on the cusp of people understanding how powerful this new generation of runtime security tools can be to essentially firewall, not just Network packets, but things like bad executables or unexpected privilege escalations, that kind of thing.

Mike: Does the breadth of the product ever feel like a curse? Wouldn’t it be so much easier if there was just one application, and we can focus the marketing message and the sales, and all is just this one thing?

Liz: I’m sure the marketing team tasked with coming up with a tagline would find it a curse, yes.

Lessons for Open Source Startups?

Mike: So you’ve been in the tech business for a long time, taking off your Isovalent hat for a second and just as an observer of the startup scene, and other than the open-source scene in, do you have any advice for particularly entrepreneurs? Because this podcast is really designed first for founders, any advice for founders?

Liz: Yeah. This is actually something I’m getting increasingly interested in and I’m working with the CNCF on how we can encourage businesses on how to operate and be successful with open-source based businesses. There’s two sets of vendors who I would say have quite a lot to learn, particularly if they come into like a Cloud Native community audience.

There’s one class of vendor who is open-source based, they have an open-source project that they’re building their business around. The second class is people who are not open-source, but they have a product that they want to sell into the primarily open-source based Cloud Native community.

I think for both those sets of people, really understanding how powerful community is, Cloud Native community is kind of where I’ve lived for the last, I don’t know, half a dozen years. And it’s incredibly powerful, the relationships that you can build up – not just between individuals, between organizations, can be a really solid foundation for the business relationships that you then build on top of that.

And I think the real lesson for a lot of vendors is: don’t just expect to turn up at an event, pay for a booth or a table, and expect people to come and buy your software. Invest in time as well, invest in contributing, get involved in our project, get involved in the SIGs and TAGs.

Don’t just expect people to immediately think that your open-source project is the one true amazing solution. Take the time to learn what other people are doing around that, and then, have those conversations about why your solution is great and what its strengths and potentially weaknesses might be. Learning to get involved in a community is really, really important.

Closing Notes


Mike: Well, I think that brings us to a close. Liz, thank you so much for sharing and best of luck with Isovalent and Cilium.

Liz: Thank you so much.

Mike: Again, special thank you to Amanda Brock and the whole open UK team for launching the State of Open Conference, where we recorded this episode. Cool graphics from Kamal Bhattacharjee, music from Broke For Free, Chris Zabriskie and Lee Rosevere.

Remember how Liz said that eBPF and Cilium are really good for Service Mesh? Well, remember that, because next week’s guest is Idit Levine, the founder of Solo.io.

Until next time, this is Mike Schwartz, and thanks for listening to Open Source Underdogs.

Episode 52: Melissa Di Donato, CEO of SUSE

Intro


Michael Schwartz: Hello and welcome to Open Source Underdogs. I am your host, Mike Schwartz, and this is episode 52 with Melissa Di Donato, CEO of SUSE. SUSE really needs no introduction except to say that as one of the oldest open-source companies in the industry, it maybe has more traction than most people give it credit for, particularly in Europe.

As you’d expect for the CEO of SUSE, Melissa has had a stellar career as a developer and business leader, at many large and small firms, including Oracle, PWC, IBM, Salesforce, and SAP. I was particularly looking forward to this interview because SUSE has such a long and interesting history, and it’s reinventing itself right now to play an important role in the next phase of the open-source revolution. Some of you may have read about the recent announcement to acquire Rancher. This was a brilliant tier in my opinion and shows that they really understand the market and how SUSE can add value.

Before we get started, I have a quick request – we all want to help open-source founders and startups. I make the podcast, but I need your help to get the word out, so tell your friends, post on LinkedIn, tweet out a link, post on Hacker News, or follow me and share one of my posts on LinkedIn. Whatever you think makes sense, go for it. With that said, I know you’re not here to listen to me, let’s get on with the real star of the episode, Melissa Di Donato, CEO of SUSE.

Melissa, it’s great to have you on the podcast today.

Melissa: Mike, thank you so much for having me.

Career Path To Leading SUSE?

Mike: Maybe before we get into the official questions, I’m sure many of our listeners are curious about your career path to becoming CEO of the world’s largest independent open-source company. What were some of the pivotal experiences that prepared you for this role?

Melissa: I feel like every role I’ve ever had has led me to become the CEO of SUSE. It’s really funny, it wasn’t any and particular spot or position or role that I had that led to being the CEO of SUSE. Last 20 years, I worked predominantly in my entire life with ERP and CRM, predominantly ERP companies, like IBM, Salesforce, SAP, just to name a few.


So, one might even question further, “Well, okay, so if you spent your whole life in proprietary software, in companies, very big enterprises, like IBM and SAP, how did you find your way to SUSE?” And the past really helped me build the foundation for the future.

So, I have a unique experience and perspective for SUSE. I came in as a user. So, I started my career as an R3 developer, an SAP R/3 developer. So, I started as a coder, and I started creating SAP applications to sit on top of the first Linux systems. And the very first partnership we had 25 years ago was SAP and SUSE.

So, how did I get into technology in the first instance was on the recommendation of a mentor. A mentor I had at the time said, “Have you thought about getting into SAP? It’s really beginning to catch on.” And from that moment forward, I never left, so I’ve got more than 25-year history, in technology, starting out as a developer, with ABAP and Basis code to create applications to sit on top of SUSE.

Every move I’ve made throughout my career has been typically based on the recommendation insights or thought leadership of the people around me, particularly my mentors. So, my mentors have played a really, really big role in my past of which to create the future. And of course, like I say, coming into SUSE was a really unique journey. Having spent my entire career in proprietary software, now making my way into, from a user of open-source and SUSE specifically, into becoming the CEO of this great company. So, it’s been an interesting journey.

Initial Priorities

Mike: So, leading a 25-plus-year-old technology company is a daunting task for any business leader. But joining as a new team member, or maybe you could say an outsider, has both pluses and minuses. Why did you take this on, and coming from the outside, what were your first priorities for the business and culture, and how do you do take the reins to align the company with these new priorities?

Melissa: It’s a really good question. So, how does someone like me find their way in, and once I get in, how do I create some new momentum? When I did the analysis from the outside, when I was speaking to EQT about the role of being CEO of SUSE, I spent my time to do some research. I interviewed some members of the community, the open-source community, I interviewed some customers, some employees, I’ve interviewed customers that had left SUSE in favor of another technology. And never saying of course why I was asking them the questions I was asking, but I poked around quite a bit. And what I realized is that SUSE is at the cusp of historic shift, I really felt the movement of open-source now becoming a very critical part of any thriving enterprise’s core business strategy.

When I looked at SUSE, it seemed like the power that enabled these mission-critical business operations, to surge, to grow, to deliver. So, I thought, “Okay, this is very, very interesting company. We will be well positioned to emerge as a clear leader, as this shift as well as because of the innovation and the products that we have to offer. The ability to — I guess power the digital transformation for our customers – and this was of course pre-coronavirus, but I saw the digital transformation root coming onto a main part of play for our customers.

The ability to deliver this digital transformation at our customers pace, but to make sure that we stood as an agile, enterprise-grade, open-source innovation across the enterprise Edge, Core, Cloud – that seemed to me to be something I really wanted to be part of.

And when I began to dig into the fans of SUSE, the community, it was extensive. And I think it was even more so recently with our recent news of our acquisition, people went wild over the fact that, you know, they watched SUSE, and supported SUSE, and we’re going to do anything for the innovation and the growth of our future.

So, then I looked at this company, 28-year SUSE has been around a world-class, engineering-led business, producing rock-solid IT infrastructure, with a huge amount of success. And I thought, “Well, what do I need to do as, you said, what were my priorities when I joined?” So, when I decided to join, then, what should I need to do?” I think when I joined last summer, it’s been — I just passed my one-year anniversary, Mike, so I’m more than 365 days old, and I looked at what areas do I want to impact immediately and first, and what are the areas I wanted to empower and enhance.

So, first for impact. I realized, when I sort of was talking about SUSE more and more, that our brand awareness did not correspond with our success. When I mentioned SUSE, I got a lot of, “Who???”, and I said, “Oh, the green chameleon.” And they said, “Oh, yes, of course.” But there was no connection. I felt it was really important to start amplifying the brand, to show just how successful we are, and how big, and how innovative, and how much of a thought leader we are in the industry.

So, to address this, we rebranded SUSE. We then had a platform to tell our story in a much, much better way. Our new brand, our new tagline, our new story is the power of many, and I think it’s important probably, Mike, for many of your listeners, because the power of many celebrates our open-source heritage, and showcases the power of community-led innovation.

And this rebrand has been a big part of who we are in the last six months. It took us some time to actually launch, but I believe wholeheartedly that the power of many really describes who we were, who we are, and who we will continue to be.

The second thing I wanted to focus on was growth and expansion. SUSE had, and has now ever more so ambitious growth targets. When I came on board, I announced that we would double our revenue in three years, partially by organic, partially by inorganic. And a large part of my first year would be on that, really ensuring that our organic strategy was enterprise-grade in way of sales and go-to-market, and that we had an inorganic growth strategy to execute on.

Within my first year, as you know, we announced our intent to acquire Rancher Labs, which is the market leading, Enterprise Kubernetes management vendor. So, I think we’ve managed to tick a couple of those boxes and we’ve had some incredible results. We ended our Q2 with more than 30% year-over-year growth. So, incredible big ambitions, but great success around growth and innovation and expansion. And then, I think lastly, I wanted to enhance SUSE’s focus much more so on our customers and our partners.

In my first 100 days, I don’t know if you read about this, but it got out quite a bit that in my first 100 days, I set out the target to meet 100 customers. During that time, I got to 97, I didn’t quite get to a 100, almost there, failed by three. But those meetings were absolutely pivotal and crucial in developing our near and mid-term strategy. We began to shift our entire go-to-market focus on customer success and creating for the very first time customers for life team, ensuring that we cared for our customers, we nurtured our customers, and literally created a customer relationship for life.

And I think the last bit is that I knew – we had talked about this, Mike, before – I knew that I wanted to enhance what SUSE’s culture already stood for. We have a very, very strong and unique culture that’s based on ethos originated in open source. We wanted to add to that culture, we wanted to contribute to the culture by mentoring, by having employee groups around diversity and inclusion, so we launched our very first mentoring group for employees. We’ve also launched women in technology, and we also launched, prior to SUSE, amongst many others, like GoGreen and loads of other programs, because we wanted to make sure that we embraced and enhanced and grew and depended upon this incredibly strong culture here at SUSE.

Message Sent By Rancher Acquisition Announcement?

Mike: In order to prepare for this interview, I listened to a talk from Nils Brauckmann, your predecessor, from SUSECON 2019, and he mentioned that SUSE was looking to acquire orchestration and management tools that sit above Kubernetes. And hindsight’s 20/20. So, now I hear that, as we’re looking to buy Rancher, but now that the acquisition’s been announced, and can you help us understand the message that SUSE is sending to both the internal team and the world about your goals and aspirations?

Melissa: What Rancher did in the announcement with us is that we showed the world that we are relevant, that we want to create, modern, innovative technologies to deliver against and solve the problems against our customers’ business problems. And it really reinvigorated the spirit.

I mean, the people that came out of the woodwork and applauded about this acquisition was pretty incredible. I mean, it was a real following and a real uptake in SUSE and the interest in us and made us very, very relevant. I think what it’s done is it puts us on the map to solve real business problems that are customers, are depending upon us to help them solve.

And that’s what I learned in the first few months was that I had customers coming to me, constantly saying, “I need more from SUSE. I want more. I want more innovation, I want more modernization, I want you to help me modernize my legacy applications. I want you to modernize my infrastructure. I want you to start thinking about how you can help me accelerate my business, and how do I get on this digital transformation journey.”

And together SUSE and Rancher do just that. We help our customers simplify first, and then what we help them do is to simplify and optimize their apps, their data, their environment, their infrastructure. And we’re really trying to make IT, non-stop IT reality for them, and they’re depending on that from us. The second that they kept asking us for is what our intended acquisition does. Does it help leverage the Cloud and bring their IT infrastructure, customers’ IT infrastructure into a modern computing world?

And a lot of our customers have come to us and said, “Well, how do I start? How do I modernize, where do I go?” And with Rancher together, that’s our ambition to help them modernize their legacy applications, utilizing containers, getting to the Cloud, and then being able to leverage edge technologies for the future.

Our customers want to achieve all the benefits from the Cloud, but they want to remain in control, and they want to remain open. And with Rancher and SUSE together, we can do that. We offer – well, soon – we’ll offer a platform to manage our customers’ different environments, as if they were one. And that’s really important for our customer base. Because having been in business for 28 years, you could probably imagine that a vast majority of our customers are what we call traditionalists, the kind of customers that have built a very stable, complex environment on-prem that are beginning now to depend on their partners and vendors to help them modernize. And that could be the Cloud, whether it’s hybrid or multi-cloud or whatever it may be, bit of on-prem, bit of Cloud, and we can help them do that.

And that’s our ambition with Rancher, to be able to together offer the digital transformation journey and be able to reap the benefits of the Cloud, while remaining in control. And what that does is, it helps our customers accelerate their business. And that’s what we’re all after. We’re after success in the end game for our customers.

We can help our customers, with Rancher together, accelerate our customers digital journey, our digital transformation, and help them scale, so they can get their products and services to the market faster. That’s the ambition of the two together.

Value Prop

Mike: So, when I read articles about SUSE, I almost always see Red Hat mentioned. What’s the plan to differentiate SUSE from Red Hat and other Linux distributions, like Ubuntu, or maybe I could say, what’s the value proposition for SUSE?

Melissa: You know, I get that question a lot, and I get – because SUSE is known, our success has been hugely around being a Linux distributor. As I mentioned earlier, and you’ve said a couple of times, Mike, that we are the largest independent open-source company in the world – that’s a differentiator in and of itself. I think that our customers want and need to transform their business via digital innovation. They can’t do it in the most expected but yet most unexpected way is now mainstream.

They understand that a flexible IT infrastructure, that is ready to support their transformation, their digital transformation, rapidly but yet securely, is going to be very key in a world that is, as we all know more now than ever, in constant change. I mean, year and a half ago, when I was looking around the world seeing an SAP, I never thought a year-and-a-half later I’d be the CEO of an open-source company that has navigated extraordinarily well through a pandemic.

The world is in constant change. And I think that constant change has driven, it’s exacerbated the need for our customers to not be locked into just one vendor, or one technology, or one direction, or one solution set, because that just limits their pass. It reduces the ability for them to have choice, and doesn’t allow them to preserve flexibility, and not as a big differentiator. When you’re talking about our competitors, our competitor, the one that you mentioned first is, they want to own the entire stack – that’s not our thesis.

In fact, we’ve supported our competitive technologies before, and with Rancher we will continue to do that. We will continue to be open and agnostic in a way of offering a broad set of portfolio, product portfolio that takes and combines industry-leading solutions across Core, Edge and Cloud, but not locking anyone in. And that is a really big differentiator for us, a really big differentiator for us.

And I think that, also knowing that our customers – having a differentiating IT infrastructure cannot be invented behind closed doors. And they need the best possible infrastructure, services support by – as I mentioned earlier – the power of many. And that’s where open source comes in. And we’re much more than it is a distributor. We’re much more an orchestrator of the power of many to deliver the most innovative solutions that open source can offer in the world.

And being the largest now independent open-source provider, we’re going to bring all of these technologies, all of this innovation, and all this true openness to bear, to be able to provide the most flexible solutions for our customers. And that is what really differentiates us from the marketplace.

How To Create An Enterprise Grade Sales Program?

Mike: I was looking at your resume on LinkedIn, and I noticed that you were Chief Revenue Officer at SAP/ERP cloud. And I think many open-source companies underestimate the challenge of building a great sales organization – how’s the sales organization involved since you change? And do you have any advice for startups on how to think about building the sales team and sales processes?

Melissa: Yes, Mike. We’ve done a lot, specifically in the sales motion here at SUSE. So, in addition to being the CEO of SUSE, I also serve on the board. I’m the executive in residence at a venture fund called Notion Capital. And at Notion, although their startups have always asked the executives and residents like myself, to specialize in go-to-market, how do we scale, how do we create a sales organization, for not just scale and depth but high growth, and what kind of tidbits and ways we go to market to be really hyper focus on value, but also on customer success.

I do this quite a bit, and I like to think that I’m not just well-educated, but I do a lot of research on this topic of sales – how do we create a sales motion that can change dependent on where the motion originates. For example, is it an existing install customer? Is it partner-led? Is it indirect? Is it direct? Does the customer know anything about SUSE? Have they ever heard of SUSE before? Is it a net new brand, or someone we’ve sold to in the past but then lost?

Each one of these questions lead to a motion that will change also depending upon the solution and the complexity of the challenge and the problem we’re looking to solve. Every sales engagement, every communication with our customers always needs to start first with what problem and what challenge are we looking to solve for our customer.

So, sales motion changed a lot since I started. We invited, first step, our sales organization to be bold, to think differently, to think big, to go after the largest and most complex digital transformation challenges that our customers were looking to solve, and to inspire our customers to solve those challenges with SUSE.

This is why we’re much more value-focused, we’re much more interested on why our customers need to do something, why they want to do something and the why is really important here, because we can only provide our best guidance when we understand the why. In some cases, for example, this means we won’t pursue an opportunity. If I don’t have the solutions and the offerings to be able to solve the problem for the customer, then we’re not the best fit. And sometimes we don’t.

But it also means that we need to spend a significant amount of time doing discovery work. So, understanding why our customers are where they are, what they want to achieve and what are the consequences of doing so.

And it’s much more hyper-focused on the consultative side of understanding our customers than it is driving just a drop in sales solution. Today, we’re very point of view driven – I guess I could say point of view driven – meaning that we’ve developed through research, customer experience, customer visits, understanding of what works and what does not. So, it’s really developed a nice point of view that allows us to proactively challenge our customers on their journey. And then be able to be a trusted advisor in which to add value to that journey.

We involve our account executives throughout every sales engagement, every sales motion, every sales call, obviously it’s important for SUSE, that each of our execs in the field can bring back our customers and partners viewpoints. So, even when we have an indirect sale, we include an account executive. And to collect the data, to understand the data, to understand the viewpoints of our customers, so we can learn and build a database of experience to build on that for the future. And I think, not just for me, but I think for the world, we had hundreds of people in field sales in January.

We have hundreds of people in digital sales right now – we’ve all moved to a much more digitally enabled sales cycle than we’ve ever have in the past, ever. I mean, in 25 years, I’ve never seen anything become so digital so fast as sales has. And I think that’s kind of going dark.

When I look at a partner perspective, so a big part of our business, I think you know, Mike, is channels, when I look at that sales motion and that go-to-market, it’s a little — you know, we’re also changing how we work, how do we work with the traditional hardware vendor. Or how do we work now with the new cloud service providers or the MSPs or a partner who wants to use SUSE as an embedded solution.

Those have been a very, very big part of our success. Each of these partner types are critical to our go-to-market and really truly a testimony to our ability to create an ecosystem that’s significant but very robust. How we go to market with them has changed. We look for ways now instead to co-innovate, to co-market and to co-invest. So, the three “co’s.” And we do that because we feel that one plus one plus one is 50. We feel that if we can co-innovate, co-market, co-invest with our partners, we will get to the best amount of success for our customers.

And just like any even customer engagement, we put a significant amount of effort into understanding our partners as well, collecting the data, what problems they’re seeing, what solutions they are trying to solve and sell and add value and be relevant. And I think that’s probably — that’s a lot of advice I’ve now given to a lot of our startups in the community that want to create an enterprise-grade sales team, go-to-market function.

You know, at the end of the day, if we are just focused and honing in on the most important thing is customer success and helping them solve their business problems, everything else will follow.

Market Segmentation

Mike: SUSE is in a very horizontal, global market. From a tactical sales and marketing perspective, do you segment the market or how do you think about breaking that horizontal market apart?

Melissa: We didn’t segment much before I came, but since I’ve come, we’ve now really got into great detail about segmenting our customers and prospects by industry and by size. So, we’ve had delineation between what’s Tier 1 enterprise, upper mid-market, lower mid-market, and SMB. And it’s really important, you know, being able to communicate with our customers, it’s really important to understanding and predicting what their issues are going to be, because obviously that varies by size.

Mike: And does that drive the way that you interact with these customers? Like, I know it’s hard to serve the SMB market, you need a more automated way of interacting, and what’s the impact of that being on sort of the customer relationship?

Melissa: Oh, my god, I love to say that, you know, today was the same as it was six months ago, but you’re right, I mean servicing an SMB in an old world was predominantly digital. The way in which we service, I was mostly online, you know, in fact, a lot of SMBs are not necessarily in an office all the time, and they’re out and they’re remote in different locations, so the ability to get to them physically was even harder.

But now, the world’s changed, now everyone’s a digital sales engine. So, even our Tier 1 Enterprise customers, the last six months we’ve been servicing them through a lot of online video calls and through the telephone and other means, but, yeah, the way we service them is very different. In the old world, Tier 1 was high touch and SMB was low. And now, everything is high touch, but only a digital high touch.

Pricing

Mike: Pricing is really hard for open-source companies. I think it’s hard for all companies actually, do you participate in pricing strategy as CEO? And do you have any advice on how to build a process to find the right price, especially as the business environment is changing?

Melissa: So, one might think sometimes that getting involved in pricing is too detailed for a CEO, but I’ve been called worse where I get into the details of the business and I think, yes I do get engaged, and yes, I do ask a lot of questions. I want to be able to have the best value for my customers at the best price, and that doesn’t mean cheap. What it means is that I want to be able to sell for value, and that’s going to be based on the value of my customers see on price. It kind of goes hand in glove.

And pricing is an important topic, particularly right now when you look around IT industry, when you look at open source. I’d first say, how do we evolve pricing as the business environment changes, how do we set the right price. So, I think the first thing is that we have to price the value always, as I mentioned. The second thing is, we want to understand and be very clear about the problems that we’re looking to solve. So, what are the business challenges? Some customers are willing to pay for things like support, and that could be a main revenue stream for some open-source businesses.

And for others, they want to get everything for free, they don’t feel like they should have to pay. Or that it is not warranted. The value of paying for supporters is not worthy, it’s not warranted. And the case like SUSE, where so many of our customers are running mission-critical applications, the support, and the QA that we provide, and the assurance policy that we provide of the software we deliver is critical. It’s mission critical. And we look at that kind of problem, and what an outage can cause, and how complex it could be. There’s value there. So, the complexity of your product solves a problem, and how severe, and how big that problem is on behalf of your customers. And the market will be very, very key to a pricing strategy.

And that’s all of course based on, we said earlier, which is research. Research is key – understanding third parties, having customer advisory boards, testing our pricing with different customers’ and partners’ segments – that works. And, in fact, you know, we’ve got a big business in Latin America, where it’s being very, very impacted by currency changes. The currency in the pricing strategy you have for certain countries, and coupled again with emerging markets, could be different. So, you know, the research and understanding the customers’ business problems, what you’re looking to solve, what’s going on in the industry, the economy, and the market is all going to formulate the basis for a very strong pricing strategy and approach.

And one point I do want to call out is that pricing is also very much about being confident of who your company is and what your company does. Pricing gives value. The value it derives, and sticking to the beliefs and the nature of the value that you deliver is going to be linked to your pricing, because at the end of the day, customers will pay, like they do for SUSE, like they do for Rancher. They’re going to pay for a solution, for a technology that reduces costs, optimizes performance, and improves their time-to-market to be able to service their customers better. Reducing risk is something that all customers are willing to pay for, and that insurance policy is very, very valuable.

How To Prioritize R&D?

Mike: A diverse group of engineers must have a ton of good ideas – how do you prioritize your R&D investments, and how do you balance investments in open-source projects versus investments in software that you monetize directly?

Melissa: So, this is another good one. And being a newbie, I’m only 365 days in into open source, or 370 days, and now I guess to open source, I’m coming from proprietary, and I think, “Oh, my goodness me! How do you balance, how do you prioritize the investments in open source, what the community wants, what your customer wants, how do you invest, where do you invest, and how do you prioritize that from an R&D perspective?”

And we get so many incredible ideas from engineers and from various teams across SUSE. We really live and breathe this culture of collaboration, not just outside the community, but in an extended community inside of our company. We also get loads of ideas from our — what’s now become over 28 years a very rich and vibrant partner ecosystem. We get loads of ideas from our customers via the customer executive councils.

And of course, we depend heavily on all of our communities, in the open-source community. So, we have several mechanisms in place to encourage, to fuel, to really get new ideas going, regardless of where they come from. Because we have many sources. But then, how do we prioritize and get these ideas? The ideas that have potential.

First, for us, go into a Convocation center, where the prototypes are developed and tested. So, we gather, collect and pull together all of these incredible ideas across all of our main areas, ecosystem, customers, partners, communities, developers, engineers, and we put them into a prototyping system and then test it.

In terms of R&D, because you asked about R&D as well, Mike, we prioritize our investments in innovation, specifically in innovation that matters. We focus first on where we can create and enable, a concrete value for our customers that they couldn’t get before. So, thanks to new technologies or bridging existing technologies and new ways. So, that’s really important from a priority perspective.

This can also be said as well for innovation related to the operational or support improvements that we deliver, documentation and trainings and services, just give you a few. As we think about investments, we’re really fortunate in that we do not have to balance open-source investments with what we monetize. By nature, all of our software is open source, everything is based on open source. So, the balance for us occurs where and how and when and what we contribute to the open-source community.

For instance, how we select and engage in a specific project or technology is really where our balance comes in. And in SUSE, we focus on contributing to the projects that we feel will solve real-life IT needs and real-life IT problems for our Enterprise customers. Because we always got our customers’ needs and insight in the end.

Diversity

Mike: The list of female CEOs of open-source software companies, and that you can really say of tech companies in general is pretty short. What can we do as an industry to enable more gender diversity? And can open-source companies play a more prominent role?

Melissa: There’s no better industry in the world than to be diverse and inclusive than open source. There’s no better industry. This is the most inclusive, most collaborative, most open industry or – being IT – a sub-segment of IT being open source. I think what’s happening, the overall socio-economic environment is going to have wide-ranging impacts in the way we work and live, and not just gender diversity, but true openness, true collaboration, truly be inclusive.

I’ve always tried to do my part to affect change and drive impact in the world around me, but I mean, I’m bringing this into perspective in every role I do, and here at SUSE, as a CEO, I get a little bit of a bigger, maybe broader, maybe louder platform, but it’s certainly no different. I’ve gone on a career-long mission to ensure that technology is – which obviously has been traditionally male-dominated – becomes as inclusive and diverse as we possibly can. In fact, as I mentioned earlier, I was only one of the very, very small handful of female software developers at my first job.

Women – can you believe it, were even encouraged not to wear trousers, pantsuits, we had to look like a woman back then – I’m not that old, by the way – so, if you look at my picture hopefully I look young, but I’m not even that old. But with that said, you know, I echo your point that companies need to have diversity and inclusion at every level of their organization.

And every level, it needs to be executive leadership but down to the very corner of the company. It’s not just about enhancing performance and innovation. And of course, making your workplace attracted to top talent, but being diverse and inclusive also ensures and assures employees that they’re valued and that their voices can be heard. Businesses that recruit a more diverse workforce by getting open-source technology into the hands of students as an example is a great way to start building and fostering a talent pipeline.

So, at SUSE, we’ve got an academic program, it’s tripled in size – I’m very proud, very, very proud – it’s tripled in size, year over year, growing to include over 800 academic institutions globally, and there are students in the program over 71 countries. We have main low-resource areas of priority, focusing on places like Africa, where I spent some time, India as well, and I was trying to equip students everywhere, of all genders, with free tools and the necessary training to be successful in tech.
The SUSE academic program is just one example of the vast array of training courses we offer, virtual labs, curriculums, etc. in the latest open-source technologies delivered by SUSE, and that’s no cost at all for the academic community.

So, what we’ve tried to do with training, with certification, with extending the reach, it’s to be role model. I live by the thesis – you can’t be what you can’t see. There’s this thing called birds of a feather, and what we live to do here at SUSE is to stand up, to be visible, to be present. Just show the world what true innovation, coupled with diversity and inclusion can mean, not just for open source, but for the world at large.

And I think the beauty of open-source is what it does is, it breaks down barriers and breaks down gender, extends across every bit of geography gender, political affiliation, life experience – we are the borderless industry in every way. In that same spirit, SUSE will always celebrate openness and diversity. We embrace all principles of diversity and not just gender, but diversity of thought, diversity of experience, diversity of leadership of options and innovation.

And if we want to live this mantra of growing, of being, of open, of openness, of diversity and inclusion, every single way, inside and outside of SUSE, and we hope that we can get back to our open-source community, to encourage more women coming into the industry into open source and to be much more inclusive.

Advice For Open Source Founders?

Mike: So, the last question. And thank you for being so generous with your time. We’re running a tad over, but I promise this is the last question. I guess, putting on your entrepreneur hat more than your SUSE CEO hat, do you have any advice for entrepreneurs who are launching a business around an open-source software product?

Melissa: I know we’ve gone over. I get quite enthusiastic, Mike. I’m sorry, I’m going to make this one quick. So, entrepreneurs, you ask for advice around entrepreneurs that want to launch a business around open source. So, first and foremost, as I started out, the very first question that you asked me, and I’m going to end on the same note, and that’s, first and foremost fundamental – your trust. Nearly every career move I’ve made has been either on the advice of a mentor or in concert with discussing with my mentor, and I’ve had various mentors, I haven’t had the same one for the last 25 years, but mentorship and sponsorship are not just crucial for starting and growing a business, but they also play a hugely prominent role in tackling the lack of diversity in tech. We just talked about, by providing support and advocacy and highlighting different career paths and growth opportunities for everyone across the industry. It’s really important to find the right sponsorship, the right mentors early on. I recommend finding a couple of mentors, diverse backgrounds, diverse industries.

If you’re in tech, finding someone for finance is a really interesting perspective because really, really well-rounded views. Secondly, I’d make sure that you build meaningful relationships. I’ve realized this is a very, very, very small industry. The tech industry is about relationships just as much as it is about skills, if not more. And depending upon those relationships throughout the lifetime of your journey is going to be really important. I think last, build a strong trusted network that’s open, collaborative, inclusive, and then, be the person that you can trust yourself. That would be my last bit of advice.

Closing

Mike: Melissa, thank you so much for sharing all this wisdom and experience with us today.

Melissa: Thank you so much for having me, and thank you again for showing so much interest in SUSE, and constantly being an advocate for us in open source. We’re very grateful to you, Mike. Thank you so much.

Mike: Well, there’s so much to unpack there. You might have to listen to this again and take notes. Thanks to the SUSE team for all the help scheduling and getting this episode to the finish line. Audio editing by Ines Cetenji. Transcription and episode website by Marina Andjelkovic. Cool graphics by Kemal Bhattacharjee. Music from Brooke For Free, Chris Zabriskie and Lee Rosevere.

Next week, we have our first podcast from India. Don’t miss Rajoshi Ghosh, co-founder of Hasura. It’s a really fascinating company that has created a GraphQL interface for your existing data. Until next time, stay safe and thanks for listening.

Episode 51: Cloud Native Agility, Reliability and Stability with Weaveworks CTO Cornelia Davis

Interview with Cornelia Davis, CTO of Weaveworks, a leader in the cloud native infrastructure open source software ecosystem.

Episode 48: Zero Trust Security and Packaging with Ev Kontsevoy, CEO of Gravitational

Intro


Michael Schwartz: Hello and welcome to Open Source Underdogs. I’m your host Mike Schwartz, and this is episode 48 with Ev Kontsevoy, CEO of Gravitational.
This episode, it’s a little longer than most, clocking in closer to 45 minutes. That’s definitely because Ev has such a broad breadth of technical and business experience, we probably could have gone on another hour.
If you want to hear a little bit more about the tech stack, watch The FLOSS Weekly, episode 529. I’ll put in a link on the episode website.
Gravitational has two very interesting products, and they are somewhat related but also a little different. It must have been a tough marketing challenge to come up with a unified message, but apparently they did it, because the company’s been super successful by all measures.

So, without further ado, let’s cut to the tape. And after you listened to this podcast, I’m sure you’ll want to check out Gravitational’s website for more info.

Ev, thank you so much for joining today.

Ev Kontsevoy: Thank you for having me, Mike.

Story Of Mailgun

Michael Schwartz: Before we talk about Gravitational, can you talk a little bit about your previous startup called Mailgun and your experience at Rackspace, and how that led you to identify the business opportunity for a Gravitational?

Ev Kontsevoy: Mailgun was interesting, and for those who don’t know, Mailgun is an API platform to send and receive emails programmatically, so it’s email for developers. If you need to send a password recovery email, or if you need to send newsletters to your customers, you just use Mailgun API to send those messages and collect responses.

That company was interesting to me because of two things. First, it was founded in the middle of financial collapse. I moved to New York City around 2009, right when the economy was self-collapsing, I guess. And it’s also when AWS was beginning to happen, which is always interesting, like, which means that when everything is crashing around you, there is always some positives. And I thought, well, if Jeff Bezos can sell APIs to servers, I could probably sell APIs to emails.

And the reason for that is that if you’re moving to the cloud, you cannot really take your things with you, so whatever email delivery appliance you used to have, like you need to have a virtual replacement for it, that’s how Mailgun really got started. It was really tough, raising money back then for a project like this, because most investors didn’t understand what an API was. I would do a presentation, and then an investor will pull out a Blackberry. And he said, “All right. So, I got my Blackberry here out, so how do I use your API?” At that moment, you know that you lost, that this is not going anywhere.

But then, an interesting thing happened. A Twilio got funded. And everyone paid attention because Twilio said, “Oh, we are API for developers to do, like, SMS.” They started saying that Mailgun is simply a Twilio, like Twilio, but for email. And it helped tremendously.

So, we got accepted into Y Combinator, in 2011 actually, and went from there. I ran the company for a couple of years and eventually got acquired by Rackspace, by one of the cloud providers.
So, the interesting thing I learned from that experience – well, it was my first company, so you’ll obviously learn a ton if you do that – but as a technologist, I wasn’t prepared to be exposed to so much…let’s just say crime. That’s what it is really. Because email is a really dark world, so many shady things happen via email. You know, phishing, and viruses, and spam, and I would say that 80% of my attention was consumed by those problems, as we were running that company, which is unfortunate, because you actually want your real users, engineers, developers to enjoy the product, you want their experience to be great, you want performance to be great, you want documentation to be amazing. And you constantly have to deal with spammers, phishers, and all parts of bad, bad internet.

So, that was my Mailgun experience. And the reason we, I guess, decided to sell that company to Rackspace, is because Rackspace at the time had very compelling vision, for using open source and open standards to free the world from AWS dominance. That was kind of resonating with me because I started my career as a software developer during Windows dominance. And I just remember how boring and bleak everything felt, just operating within constraints of what Microsoft thinks you should be doing. And, yeah, so that was the story of Mailgun.

Technical Origins Of Gravitational

Michael Schwartz: You know, it’s a totally different answer than I was expecting.

Ev Kontsevoy: What did you expect?

Michael Schwartz: I was listening to another episode, or another interview with you, and you spoke for some time about some of the interesting technical challenges around how complex Mailgun was, and how you were considering replicating it on a different cloud, and how completely, like just, it seemed like such a big challenge. And I was wondering if that sort of gave you some technical ideas that might have led to the development of the Gravitational, like, technology stack?

Ev Kontsevoy: Oh, so, that’s more interesting question – how did I go from being an email person to effectively ending up almost in the security space. So, what do you think happens right after an acquisition, when one technical company acquires another technical company? It happened with us, and maybe, like, when Facebook acquired Instagram, there was probably something similar there, the first thing they ask you to do is, start planning to migrate all your stuff into their own infrastructure.

Especially for Rackspace. Rackspace’s a cloud provider. It would be really strange for them to have an email service that’s not using their own cloud. And at the time, we were using SoftLayer, which is now part of IBM – old-school, bare-metal servers, and migrating to a public cloud on Rackspace, which was virtualized and had all these fancy infrastructure-as-code capabilities. It took us a long time, I don’t remember exactly how long it took, but let’s just say if I say 6 months, it’s not going to be an exaggeration.

And I remember having a conversation with someone in my family, maybe it was even my wife, where someone asked me like, “So, what are you doing – like, now, post-acquisition – like what are you building?” And I said, “We’re not building anything, we’re just moving from SoftLayer data center to Rackspace data center.” And that person wasn’t technical, and she said, “Isn’t that, like, copying files over the internet?” “Why is it taking six months?” Like, “You have that many files?”

And I laughed. But at the same time, it was kind of illuminating. Like, normal people think that copying software from one data center to another, it’s something that happens within few seconds.
Wouldn’t you probably feel the same, like, what is software, is it just some files, you have software on your laptop, I have software on my laptop, like, it’s just copying things around, but apparently, when it comes to data center software, to what we call cloud software today, everything takes months.

And, at the time, I just kind of took this for granted, like you’re sure it’s a complex problem.
We have completely different security here, we’re going to have that over there, over here we are using this kind of load balancing, over there is going to be different kind of load balancing, and the code needs to be updated, and so on and so forth.

But then, when I became a “racker” – that’s how Rackspace employees called themselves, I was a proud Racker by the way, I love that culture – so, once I became a racker, I got exposed to vast representation of cloud users out there, companies who use cloud computing. And I was talking to them usually trying to understand how can we improve, how we can make our cloud offering better.

And I was amazed how frequently they will bring this problem that I had with Mailgun. It’s like, “Hey, we’ve built this application, and it’s running on AWS, and now we’re trying to run it on Rackspace, and it’s really challenging. Can you help us?”

Or they would say, “We want to use Rackspace, or AWS, or Azure, some kind of cloud provider to build applications, the development environment, but for whatever reason, we need to actually run it in Luxembourg, like in the data center that is supposedly compliant with whatever regulations they are under.”

So, how do we have staging environment in one place and identical production in a completely different place? And they kept coming to us looking for advice. And sometimes, we would be able to sell them something, you know, like DevOps as a service, or security as a service. But generally, I just saw this trend is that people feel like they’re chained to their cloud environment.
It doesn’t even matter how amazing that environment is.

But not being able to just take your production and have like, I don’t know, a hundred copies of it running all over the world – it’s extremely frustrating. And it’s limiting to a lot of use cases. You know, latency is important. Because the laws of physics, they don’t really change. So, you have to be able to run your code, close to where your data sets are. Data sets are distributed, which means that code needs to be distributed.

And that’s what I became deeply dissatisfied with SaaS model, in general. I don’t think there is anything wrong with Software-as-a-Service, but there is definitely something wrong with software-as-a-service running in a single place.

And as I was talking to more and more companies, I realized that some of them – check this out – they can’t even recreate their production environment in a different Amazon account. Those are companies based in Silicon Valley by the way.

So, let me just kind of zoom into this use case: you have an application running in an AWS account that you have – you control that. Go ahead and create another AWS account from scratch, also yours, so you have full, you know, God permissions for both accounts. And then, have a full replica of what you have in one account and another. And a surprising amount of companies don’t know how to do that.

They just over time kind of lose institutional knowledge of what would it take to recreate everything from scratch. And as an engineer, you probably understand why that is happening, because you know, when you start building your application, like in the early days, not a single line of code is written, but you’d know that you need some environment.

You’re going to go and click some buttons in that AWS panel, maybe you’ll write some Terraform, or CloudFormation, but not always, maybe use Ansible, so, you kind of start manually creating first layer of your future environment. Then you start adding things on top, then you start deploying your code, maybe manually at first, maybe SCP. And then, you move to something, I don’t know, maybe like Ansible, or Chef, or Puppet.

So, things happen over time, and not everything is documented. Some scripts, they run daily, maybe they are part of your CI/CD pipeline. Other scripts you ran three years ago, and maybe the person who did it is no longer with the company. So, the point is, almost any cloud environment today, it’s built with many layers that are created over time by different people.

And that’s the reason why they’re not reproducible. And a company needs to have, you know, we need to have seven regions all over the world instead of one. Or we need to run our software inside of someone else’s AWS account. Or we need to deploy into GovCloud because government wants to use our software. They run into all these issues that they’re chained to one specific environment. And that’s why Gravitational was born. That’s the company that a bunch of ex Mailgunners started. So, that’s maybe a different answer to your original question.

Products

Michael Schwartz: So, let me drill down a little bit more, Gravitational has two products, Teleport and Gravity. Which was the first product? Or were they both coming at the same time?

Ev Kontsevoy: It’s basically a packaging question. We initially built a solution, so if you want to run your software in many different places, you have to solve many different issues for that. You need to separate your application dependencies from infrastructure. You need to solve remote access problem, you need to solve compliance problem – because a lot of these companies, like the reason they needed to be in the different place is because of compliance requirements.

And we had – what I would just call a code base, a bunch of GitHub repositories. We have this culture internally that we create GitHub repository per library. So, we break everything we built into these libraries. Each library has its own repository, and then we compile the software, and then, we produce solution.

So, originally, everything we built was just a collection of these repositories. And we started to sell the solution called Gravity, and Gravity includes everything we do. Gravity is a complete platform. With Gravity, you can take your AWS account – technically, it’s a Kubernetes cluster, but let’s put that aside for now – and you could save it all into a single file. That’s your image, we call it “cluster image”.

Think about like doing a snapshot – it’s not a snapshot, but I think it’s a helpful analogy – and then you can move that file somewhere else, and you can create exact replica. So, you take this image that contains the full copy of your production environment, and you can copy/paste it all over the world, and you can have thousands of identical environments created from that image.

So, the question then becomes, how do you keep them up-to-date, how do you push software updates, how do you fix the vulnerabilities, how do you troubleshoot problems that happen remotely. So, you do need to have some kind of remote access to those environments. Interesting analogy that I like is software updates built into operating systems.

If you have a Mac, it somehow updates itself, it downloads things from Apple, it applies these updates at reboots, and all of this kind of is just working automatically. So, think about it, from Apple’s perspective, how is that different from running a massive software deployment to hundreds of millions of servers running on untrusted network all over the world, with unreliable internet connectivity. For a typical data center person, that is a Star Wars level tech. And that is what Gravity tries to do with data centers, with your cloud account.

And this component that allows you to securely download and apply updates, that is what Teleport is. It is basically a part of Gravity that enables this world-class security into these restricted, regulated, remote environments, where Gravity is usually running.

And at some point, we thought, why don’t we make open source available for people to use as their own software update mechanism in their own kind of applications. And we open-source that, we put documentation in a separate place. And what we discovered very quickly is that people realize that it’s a much better way to do SSH than OpenSSH oftentimes is. Which was completely unintentional, but it was kind of nice for us because suddenly people started to discover Teleport, and download, and use it more. And basically, it’s a really good way to access infrastructure right now.

So, whatever you’re using to SSH into your servers, or to access your Kubernetes cluster, you’re probably using something worse, so I highly encourage everyone to check Teleport out. It’s free, open-source, Apache license. So, that’s how it happened – everything was built at the same time, but Teleport, just by accident, developed its own fan base, so to speak.

Revenues By Product

Michael Schwartz: In terms of revenues, which product is more important?

Ev Kontsevoy: It’s hard to say. I think both of them are doing really well, and Teleport is definitely not as expensive as Gravity is because it’s not as foundational to company’s business. Because we have Gravity customers who basically run massive, they sell a lot of software into these remote locations and deliver it with Gravity. So, Teleport, it’s usually part of a platform, it’s not the whole platform. So, it’s cheaper per deal, but we do close a lot more Teleport deals.

Marketing Message

Michael Schwartz: Have there been some challenges around finding the right marketing message for this platform?

Ev Kontsevoy: Absolutely, absolutely. I do think we’re still searching for the right way to describe what we do to the world. There are people out there who believe that Gravitational is a company that helps you take your SaaS application and sell it as a kind of on-premise environment. And it’s fine. Yes, we can do that, and we can do it better than anyone else.

But to me, that’s not really the reason why I decided to spend significant, you know, invest a portion of my life into this company. We want to enable a completely different software distribution model. Think about it like push versus pull.

We believe that the reliance of DevOps team needs to be reduced. The fact that most companies today have to set up and maintain these complex environments, with so many moving parts, and have these massive DevOps teams that constantly struggle with this ever-increasing complexity of this environment – it just feels temporary to me. It’s got to be simpler.

The typical DevOps picture at a company, like average company today, reminds me of what you would read in a history book about early computing.

Remember those stories about old electromechanical computers that would take up the whole room in the building, and you had cockroaches and bugs crawling in, and you had special people called debuggers kicking them out with broomsticks and replacing vacuum tubes and relays, computing was like a manual job, you had to have people walk around and constantly do that.

That reminds me a little bit about like a typical cloud environment today. I think it should be sealed, fully automated with zero human presence. So, if you walk into a data center today, you’re actually not going to see that many people, probably you’re not going to see anybody at all. There’s going to be some security at the entrance, but inside, it’s going to be quiet, no people.

So, I want that to be true for virtual access as well. Even though there are no physical people in that data center, but you could be assured that there are probably hundreds, if not thousands of DevOps engineers, maintaining those machines basically manually. And the purpose of like the goal for Gravitational is to make it not so. We want this all to be completely automated, similar to how millions of Apple laptops download software from Apple, apply patches, and keep running. I see no reason why a typical cloud environment for a typical company should be very different from a MacBook.

Value Prop

Michael Schwartz: How do you convert that into like business speak? You know, because it’s sort of, like, what you’re saying is almost like a kind of “sale to the guy with the hands on the keyboard”. Is there a way to convert that into like actual value proposition for the business customers?

Ev Kontsevoy: Well, first of all, let’s be honest with ourselves – can we do this today? Let’s just take a random company that have nothing to do with, let’s say –

Michael Schwartz: – eBay.

Ev Kontsevoy: eBay. Can they make all of eBay run similar to a MacBook, with no DevOps team or server today? No, I can’t. There’s so many problems. Like, it’s a complex challenge. So, it’s going to take us many years to actually solve all of these challenges. But what you can do, you can start looking into where DevOps teams are overloaded today and start pushing that needle.

So, for example, if you try to run the same application, let’s say in a hundred different places, you will quickly realize that secure access is a huge problem. Because all these different cloud environments, they have their own tools for accessing infrastructure. And then, you have this like open-source ecosystem that all these components need to be integrated and everything used to be secure. And it begins with SSH, and it ends with Kubernetes access, and then you have, like, internal things, like Jenkins, maybe how do you secure access to Jenkins – all of these problems, they become extremely complex if you try to run more than one production environment.

So, okay, now we have a security problem, we have this access problem – that’s what Teleport solves. So, maybe I cannot promise you that your DevOps team will have nothing to do, but I can promise you that your secure access will be taken care of. You no longer need to have a competent team of infrastructure security people.

Or, if you have one, from now on, they can focus on other things, we will take your security problem away. And it doesn’t matter if you have a single cloud environment or 56,000. So, think about any like retail business, like McDonald’s or Taco Bell, they have tens of thousands of restaurants all over the world, each of those is actually a small data center. They have computers in the back, but can you dream about updating software in those locations, using like regular OpenSSH and let’s say Ansible? That would be quite, let’s say, inconvenient.

So, here’s the problem that we already solved for them. I do think that our strategy will be to just declare that going from 0, which is where we are today into this bright future, where all software runs by itself magically everywhere, we need to solve 57 problems.

Alright. So, let’s outline what those problems are. I think it actually helps because maybe some other startups will help us. Maybe they will solve disaster recovery or backup problems, but we will concentrate on security first. So, that’s how Gravitational is executing today.

Both Teleport and Gravity, they are very much security and compliance oriented. Because, if you want your code to run globally, you have to take care of that first as basically problem zero. That’s why we focus on it for now.

Free V. Commercial Offering

Michael Schwartz: So, a lot of open-source companies, they open-source a funnel for customers who might want to engage commercially. What does the sales motion look like at Gravitational? Is it try by fly, and what’s the effort to bring on these large customer accounts who probably pay the bills?

Ev Kontsevoy: Look, I’m going to be honest with you. We don’t really have a clearly defined strategy that’s documented for example internally, like how do we upsell open-source users. We simply try to — I think we have a following approach, we want to make sure that if you are an individual, like a developer who is curious about where technology is going, someone who has a home lab in their apartment, or a couple of Raspberry Pi’s that they’re running a little toys on – we want to have something for you.

We want you to get access to Gravitational vision, we want you to find our projects interesting. So, we’re going to have something for you. Yes, it’s going to be free, yes it’s going to be open source. We’re not going to sell you anything because you don’t really have problems that we solve at commercial level.
So, then if you are a small team, let’s say about three, two, 20 people, and you are working on some young project, let’s say your startup, we want to have something for you as well.

Then finally, if you’re a large enterprise, let’s say you’re IBM, and you have some problem, we are going to have something for you as well. Every time, we look at the capability that we are introducing into one of our products, we will always have one of those three use cases in mind, simply the size of the team. One-person small team, and then giant team. And it just so happens naturally that things that giant teams want, they are willing to pay for them.

And things that hobbyist would want, I think trying to charge money for it – it is just ridiculous. At least for us. And that’s how we naturally end up in the split, what is a commercial offering and what is free and open-source offering.

Is Gravitational Open Core?

Michael Schwartz: Would you say that Gravitational is open core?

Ev Kontsevoy: I would say no, we are open source, like we are open-product company. Everything we make is open source. We have a tiny bit of proprietary magic dust that we apply to our open-source products, but that dust just happens to be critical for large companies. In other words – let’s talk about a simple use case – you want your engineers to SSH into their machines, in the most convenient way possible. You don’t want to like annoy anybody with additional stuff.

But you also want this to work across all kinds of cloud environments, you want this to work with, you know, IoT devices out there in the field, you want this to be compliant with all these different regulations that your customers want you to be compliant with.

You basically want the best in-class security and compliance, but you don’t want developers to be inconvenienced.

Okay, which means you have to use identity-based system. In other words, if a developer, who wants to access something, they need to go through some SSO process, once a day, nothing crazy.
And, usually, if you look at small teams, what do they use, everyone uses like Google Apps and maybe GitHub, which is naturally what are open-source products for. But if you look into what giant enterprises use, you will start discovering products you’ve never heard of. Like, I think SailPoint, and you obviously want Teleport to support those things. And that’s what we’re going to charge you for.

Another thing too is, if you are a giant enterprise, you are going to have all these different teams and different groups, you might have infrastructure developers, or like NetSec team, or you’re going to have like some auditors. So, in other words, the composition of your teams is complicated. And you need highly granular role-based access control.

So, this extra granularity that only large companies require, that’s another proprietary thing, like from our perspective. So, we basically try to attach – we try to draw the line between open source and enterprise offering, basically based on a company size. Because large companies, they need things that are not even obvious to startups.

SaaS Gravitational?

Michael Schwartz: A lot of open-source entrepreneurs, they love the SaaS business model. I’m sure you’ve kicked around some SaaS ideas. Is there a SaaS Gravitational offering, or are you thinking about one?

Ev Kontsevoy: It definitely makes sense. Yes, we do run into accounts every once in a while who simply say, like, “We love your tools, this is unbelievable, but believe it or not, we right now have zero engineers available to set everything up, to get up and running. Can you just do it for us, can you run it for us?” And we listen, and we, let’s just say we’re considering it.

Pricing

Michael Schwartz: Most of the companies in this space are using a per-user metric for gating. I’m wondering if you’re using that strategy, has it worked for you, is it a good proxy for value and a good way to land and expand?

Ev Kontsevoy: I just told you what our internal motivation is, what we’re actually building – completely autonomous unmanned, operational model. So, it would be strange for us to charge you based on number of users if we believe that software needs to run without humans standing around.

Difficulty here comes from the fact that we’re not there yet, so yes, you do need DevOps engineers SSHing into boxes every once in a while. But I believe, if we succeed over time, like the need for that will disappear. So, if we, for example, adopt a business model that we’re going to charge you based on how many SSH users are manually accessing servers, that pricing model will not be compatible with our long-term vision.

Even today, I would argue, without even Gravitational technology, if you have a well-running operations, but you are a Cloud environment, you should not be giving SSH access to your production environment, to all of your engineering team.

Ideally, very few people should be able to do that, and ideally, there should be no need. Especially if you’re running on a modern cloud, you can simply like kill things that misbehave and recreate them from scratch very quickly.

Michael Schwartz: So, what gates do you use?

Ev Kontsevoy: It’s based on your footprint. If you’re running large applications, you’re processing tons of data, you’re present in many data centers all over the world, you have tens of thousands of services based on that, we will charge you more for our solutions.

How To Gauge Deployment Size?

Michael Schwartz: In the Kubernetes world, servers are so ephemeral. You get a lot of servers when there’s a big demand and less servers when there’s less demand. It seems like all those per server, per CPU models are so challenged in the new Cloud Native world – how do you gauge the size of a deployment today?


Ev Kontsevoy: Well, I would argue that per server, per CPU, per RAM pricing, it’s not getting obsolete. If anything, it’s getting more and more popular with – like, look, AWS themselves. That’s what they charge you for. Yes, it is more challenging to accurately meter usage, but generally I would say that usage-based billing is the future for almost everything we use in a data center today.

So, for Teleport SSH access specifically, we look at how many servers we’re using. And for different companies, we offer different options there because there are different business models, and that’s the reason why we do custom quotes for every account.

For Gravity though, I do believe that the value we provide is based on how many environments you’re going to be running. Let’s say, if today, you have a single-production environment, then tomorrow, you’re going to be in a hundred production environment – it’s the environment. Like, the number of environments, that’s the value that we give you. So, then we’re going to charge you based on how many environments you have. We don’t really care about how many servers you have in each.

And environments, they rarely jump too quickly. So, it’s kind of slower moving targets. And that’s how our pricing is built on for Gravity site.

Does Open Source Help The Business?

Michael Schwartz: Has open-sourcing the software really materially helped the business?

Ev Kontsevoy: Absolutely. Because it’s the best form of marketing you can do in our market. We are all dreamers. I believe the technical founders and companies that are started by engineers, they almost always have this dream component attached to it.

And you want to find people who agree with you that future is going to look different, the future is going to be moving this direction and not that direction. And that person is probably also technical. And the best way to communicate with that person – and it has always been like this – is to show me the code, let me play with it. Because that’s how we collectively dream together, by downloading each other code, installing it, playing it, and then communicating, and sending each other pull requests and criticism. That’s just the best way for, I think, mankind just collaborate and move the progress forward.

And if you don’t do that, if you use proprietary kind of code in the cave mode, then you’re basically guessing. You’re saying, “Hey, I’m going to go and work on this problem for a year.”, and then I present you with the solution. If solution works for you, you’re going to buy it. And if solution doesn’t work for you, you’re just going to ignore me. And that’s just a much slower way, to get to this optimal state of offering something that the world truly needs.

So, it’s really hard for me to even think differently right now. You see, with Mailgun, it was different because the problem was so obvious. The problem was basically this: the world needs to send and receive email. And there are solutions for it already, and you have them in your data center.

And now, you’re going to go be in the cloud, so you cannot take your solutions with you. So, you need to have a cloud version of it. All right, sure, here’s one. But Gravitational is much more visionary company that we just want to change the way how cloud software runs. And if you’re going to start working on that problem, doing it in the open, it’s the only way I see how it could even be accomplished.

Portability Of Startup Experience?

Michael Schwartz: This is an unusual question that I haven’t asked before, but you sort of backed the question a little bit. You know, I’ve actually started more than one business – Gluu’s my fourth business – and one of the challenges I found in starting the second business was I applied a lot of the lessons from the first business to the second business. And it turned out that the second business was so completely different that actually like I shouldn’t have.

And I’m wondering, are there any cases where – I mean, certainly you learned a lot in the first business, that helps – but was there any like things that you feel like maybe the first experience led you to something to take longer to figure out?

Ev Kontsevoy: Actually, the Gravitational in many ways is anti-Mailgun. So, Mailgun was proprietary code-based SaaS. Gravitational is open-source software that you can download and run. So, from the beginning we knew that our ability to borrow from Mailgun experience is going to be limited.

So, that allowed us to bypass a lot of these potential problems that you’re referring to. However, what was helpful and applicable is just the mechanics of starting and running the company. You know, raising money, incorporating, setting up like basic processes. So, a lot of that you could just fly without even thinking and do exact same things, simply because a lot of early-stage startups are surprisingly similar. So, copy/pasting that experience into your present, I think it’s totally applicable.

Why Leverage An Incubator For A Second Company?

Michael Schwartz: You chose to go to Y Combinator and raise seed funding and go a pretty traditional startup route. But you didn’t have to go that way, you could have probably bootstrapped it. I’m wondering, why did you think going the traditional route made sense, given that you probably had some capital and some experience and maybe could have done without it?

Ev Kontsevoy: Because it worked previous time. You see, I’m a technologist, I’m not a professional entrepreneur. Like, incorporating, raising money, doing all these things – it’s boring stuff. So, it worked wonderfully for us at Mailgun, going through this traditional sequence, through Y Combinator seed stage, and so on and so forth. We just did the exact same thing, we would concentrate and spend my time on actually building interesting products and solving problems, because that’s really the reason you’re doing it. Everything else feels almost like distraction.

Yes, you have to do these things, but at the end of the day, they’re not differentiating, they’re not going to define if you’re going to be successful or not – it’s simply getting resources, and office space, and processes, and 401k plan, whatever, just getting it done as soon as possible and moving forward – that was the goal. And look, Y Combinator, they’re very incredibly efficient at getting all of their startups through this early stage, so I highly recommend it.

Team

Michael Schwartz: So, you’re currently in the Bay Area, are you planning to recruit most of the team in the Bay Area? Maybe you’ve already, like, diversified quite a bit – what are your thoughts about building the team in the next couple of years?

Ev Kontsevoy: If you’re asking me, like, what I recommend – I don’t recommend anything. I think it always depends on founders and company culture. There is always this popular question, like, “Shall I go 100% remote, or should I have an office?” I don’t know the answer to that question, there are pros and cons, but what we’ve decided to do is that we want – there are smart people all over the world – we don’t want to discriminate based on either they are in Bay Area or not. We want them to be involved, we want them to join the company. And we quickly realized that Seattle actually is the capital of cloud computing of the world. It’s not Bay Area.

If you want to recruit engineers who understand what kernel variables are, who understand differences between file systems, who can troubleshoot lost packets in the network, you will have a much better time finding that talent in Seattle because every single public cloud provider is there. You know, Azure, AWS, GCP, it’s all Seattle companies, even smaller clouds, like former CenturyLink Cloud, in the Oracle Cloud, original team was based there.

So, Seattle, it’s the highest concentration of cloud computing experts. And for that reason, our engineering is actually based in Seattle, even though the company is headquartered in Oakland Bay Area. But we’re also open to hiring people all over the world. We have a small office in Toronto, we have remote people on the east coast, and Germany and Italy. So, we’re constantly evolving in our views on what kind of culture we want to have. It is challenging, it’s not easy.

How To Scale Beyond Startup Phase?

Michael Schwartz: So, you’re in an interesting stage in the company’s development, where you’ve had quite a bit of success, and you’re sort of scaling to the next level. Any advice for entrepreneurs who find themselves in that situation, in terms of, like, how to adjust to this new sort of focus on sales and marketing, especially for technical founders.

Ev Kontsevoy: You just gave them advice – do not ignore sales and marketing. Think seriously about sales and marketing. Something that I learned in my journey, going from engineer to entrepreneur, was that building a sales team, building a marketing team, is absolutely similar to building a product.

So, just like you have an engineering team with your processes, you know, for example, no one can commit to master directly, you have to do your own branch, and a pull request with a code review. And all good engineering teams, they have processes, and then the coding style, and like which programming languages we allow, which ones we do not allow – building this takes experience, building this takes a lot of brains, and doing it well requires a lot of energy and discipline. It’s really tough. So, this is why top technologists are so expensive. And that is absolutely true to your sales and marketing teams.

Doing marketing and having a marketing machine that’s operating properly also takes a lot of brains. No, it’s not obvious, no, you can’t just read a couple of Golden Books and go do it yourself. And then, the same thing with sales.

So, underestimating the effort and sophistication of sales and marketing activities I think is quite common amongst engineers. So, simply building and expecting that the users will come – it rarely happens. You have to just approach those problems with, I would say, seriousness, and everything else will come from there. Because if you’re not stupid, if you do have engineering approach to everything, simply putting yourself into that frame of kind of mind, will help you solve sales and marketing challenges.

Advice For Entrepreneurs

Michael Schwartz: Last question, any advice for new entrepreneurs launching a business around an open-source software project or product?

Ev Kontsevoy: Yes. I would just say, forget about that word, don’t call yourself entrepreneur – that’s a distraction. Think of yourself as a product person who tries to solve someone’s problem, and just focus on that until you have overwhelming evidence that it is indeed happening. Because at the end of the day, company is just like a vehicle for allocating and distributing resources. This is what it is. It’s deeply secondary to what you’re actually trying to do. So, if you want to change the way how backups are done, just focus on that and just forget about incorporation, what kind of company you want, what kind of investors you want – all of that, it’s not primary to your success.


You have to understand what your solution is going to be, how it’s going to be different, how it’s going to be better, who is going to like it, who’s going to not like it – solving all of these problems and just focusing on that before you even begin to think about entrepreneurship is probably key.
Because one common thing I see in “entrepreneurial circles” is that people basically start with this, “I want to have a company.”, and then, they start looking for problems to solve. It just feels very unnatural to me.

Closing

Michael Schwartz: Ev, thank you so much for going over a little bit on time and for sharing all your experience, and best of luck with Gravitational.

Ev Kontsevoy: Thank you very much! Thanks for having me, Mike.

Michael Schwartz: Great job by Ev, isn’t it? Editing by Ines Cetenji. Transcription by Marina Andjelkovic. Cool graphics from Kamal Bhattacharjee.

Music from Broke For Free, Chris Zabriskie and Lee Rosevere. The podcast Twitter handle is @fosspodcast. Follow us. Retweet the episodes, help us get the word out.

Next episode German-British-Kiwi, Martin Buhr from Tyk, one of the coolest open-source API Management companies around.

Stay safe everyone. Until next time, thanks for listening.

Episode 47: Jenkins Software Delivery Automation and Management with Tracy Miranda, Director of Open Source Community CloudBees

Intro

Michael Schwartz: Hello and welcome to Open Source Underdogs. I’m your host Michael Schwartz, and this is episode 47 with Tracy Miranda, Director of Open-Source Community at CloudBees.

CloudBees is a company behind Jenkins, the famed project, which is used to automate building, testing and deploying software.

Many commercial and open-source projects use Jenkins as part of their continuous integration and delivery infrastructure, including my company Gluu.

Jenkins was forked from a project called Hudson, started by Sun Microsystems in 2005. After Oracle acquired Sun, Hudson was forked and rebranded as Jenkins.

Tracy has been an entrepreneur, a developer, a technologist for around 20 years. She was active in the Eclipse community, serving on the board of directors. She’s also one of the founders of the Continuous Delivery Foundation, which operates under the Linux Foundation.

Hopefully that gives you a little background, so let’s get on with it. Here’s Tracy. Thank you so much for joining today.

Tracy Miranda: Thanks, Mike. It is my pleasure to be here today.

Joining CloudBees

Michael Schwartz: For 10 years, you founded and ran your own consultancy, specializing in Eclipse development – how did you end up getting involved in CloudBees?

Tracy Miranda: Yes. I think the common thread there is definitely open source. So, I think that’s something early on in my career I’ve always been drawn to, especially because of the innovation that you find with open-source communities. And it came at a time I was looking to just make a change in the career and focus a bit more on some of the community building aspects.

And as I was talking to people out in the industry, I got introduced to Kohsuke Kawaguchi, who’s the creator of Jenkins, and at the time was the CTO of CloudBees. And the more he talked about the next stage of CloudBees, and what he wanted to do with Jenkins, the more exciting it sounded to me, so I could not resist the opportunity to join his team and lead the open-source team and try that future direction.

History of CloudBees

Michael Schwartz: So, for the non-geeks in the audience, can you talk a little bit about the history of Jenkins, and how that impacted the development of CloudBees?

Tracy Miranda: Yes, yes. So, Jenkins is a build automation server. It is most commonly used for continuous integration and continuous delivery, which are big parts of delivering software. So, it’s a tool that’s been around for 15 years. Many might know it originally in its first incarnation as Hudson, but it evolved over the years and became Jenkins and became very rapidly adopted by developers and focused on delivering software everywhere, just because it gave you a lot of flexibility.

And it was the first tool that sort of helped you integrate and build your software. And it was really what we’d say is the start of this whole field of developer productivity engineering.

And around it, so companies like CloudBees emerged, offering more Enterprise version. So, when it came to scaling or features around governance and securities, and CloudBees would offer Enterprise Jenkins. And that’s just sort of evolved and evolved, and now the whole space is currently really doing very well as we deliver more and more software every day.

CloudBees Products

Michael Schwartz: So, CloudBees has a number of products and services. For 2020, what are the most important products, with regard to revenue, and what are the most important projects for your future growth?

Tracy Miranda:  In 2020, well – let me talk about the direction we’re going first of all, and then I can bring that back to the present – so, we see just everybody’s delivering a lot more software, and software has become critical to every industry. So, you know, whether it’s a bank or a travel company or insurance company – you name it – software’s a differentiator for them. So, the more software we have, the more we kind of start to talk about like software factories. And you can use the factory metaphor as well to apply it to this.

So, in that model, we talk about Software Delivery Automation and Software Delivery Management. Automation is just – the name says it all – it’s everything you need to do to get the software delivered, pretty much like a factory. And then, the Software Delivery Management, or SDM, is the part where you have the business intelligence coming in, how do you make the decisions, what to release when, and to who. So, that’s the direction we’re headed in, and we’re building out all the different parts that contribute to integrating all the tools.

Today, what a lot of companies have is basically focused on continuous integration and continuous delivery, so, tooling around tools like Jenkins, we also have SaaS versions of CICD tools, and then, any tools that help you deliver faster. So, we’ve got a whole kind of portfolio, depending on your flexibility and what you’re trying to achieve.

Market Segmentation

Michael Schwartz: CloudBees is in a very horizontal market. As you mentioned, you are serving customers in basically every industry. Given that, does CloudBees segment solutions or the marketing effort, either vertically, or by use case, or in any other way?

Tracy Miranda: I think probably the most clear segmentation, which we will kind of see, is whether people want to manage it and have things kind of on-premise themselves, or whether they want software-as-a-service. So, that tends to be a key differentiator.

And oftentimes, it will depend on the industry. So, certain industries might have very strict compliance or governance around it. So, perhaps, it always has to be an in-house solution. But then, perhaps some new startups, so, in different segments can afford to go with much more as a service model, where they don’t really want to deal with the nuts and bolts, and the upgrades and the security patches – they’re just happy to focus on what they need to do to get their software out the door.

Why Open Source

Michael Schwartz: Without open source, there probably would be no Jenkins, at least as it currently exists.  And therefore, I guess perhaps no CloudBees. But going forward, why does continuing to invest and contributing to an open-source community materially help the business?

Tracy Miranda: This is my key role at CloudBees is, it’s kind of overseeing the whole open-source strategy. So, you’re absolutely right, CloudBees is based on this massive open-source project, and as we grow and continuing to evolve, we’re going to do a lot more in open source and in different ways.

I think there’s lots of different benefits we see to open source, so, on one side, if you take kind of just the engineering side, there’s obvious benefits from working with the community – you’d get fast feedback, you’d get people contributing.

A lot of the developers we hired in the early days would come from open-source communities, and then they’d even have the advantage of they are already up-to-speed with the processes and the ways of working and the code base.

But then, there’s also other kind of strategic sides to open source as well. Open-source projects tend to spread like wildfire, I had someone using the term, kind of the open-source tsunami. And they have a tendency to change the direction of industries, to take something like Kubernetes, which caused a big shift in the whole sort of cloud infrastructure.

So, in that way, we also kind of look at technologies for them to be open and for them to drive the future direction of the industry and help us to get to an innovative place. So, we always want to be involved with open source and find ways to just create those kind of win-win situations for both the community and the company.

Open V. Commercial Features

Michael Schwartz: You mentioned previously that it was an Enterprise version of Jenkins, and I’m wondering about, today, is there still software that’s non open source, and if so, how do you decide what to open-source and what to keep private?

Tracy Miranda: Yes. I know that’s a key thing, and it’s constantly evolving. So, we have an internal process, and we’ll kind of look at the way things are evolving in the market. In general, like you take something like Jenkins, and we have a lot of plugins added by different groups and different individuals in some cases.

One thing that CloudBees do is, for the software like CloudBees Core, or CloudBees CI built on top of Jenkins, is we also offer kind of tiers of plugin, so we know which ones meet a certain level and meet the requirements for Enterprise type customers.

So, this is focused specifically on things like security and governance and running things at scale. So, typically features in those areas, or verifying plugins, will be the areas we’ll tend to kind of have as the more closed source. And anything developers tend to use, this tends to be pretty open.

Open Source Strip Mining

Michael Schwartz: I’m sure you’ve heard this term “open source strip mining”, where large companies take open-source software projects and commercialize them. You know, you have a SaaS, you are offering themselves, but is this something that you’re concerned about, or any thoughts about this sort of phenomenon?

Tracy Miranda: I’ve definitely heard the term, yeah, it’s a pretty controversial one. But I think it is something that is always a consideration. So, you take something like Jenkins X, which is a new open-source project. It’s not related to Jenkins, as the name might indicate, but it’s actually a complete new CICD tool based on Kubernetes. And it’s one of the best ways to do Cloud Native CICD.

So, a lot of Jenkins X is open source, and you could conceivably imagine another company taking it and wrapping it up and delivering it in a specific way, but I think the reality is that open source is always evolving. And it’s more about kind of the vision in the direction it’s going. And the key thing I guess from CloudBees’ perspective is, we have a lot of the people who are driving that direction working for CloudBees.

So, I guess that the people, at the end of the day, are a secret sauce. So, even if other people want to come and extend it or do it in a different way, I think we’re always kind of focused on what’s the vision, how is this going to evolve, how we’re going to keep pushing the industry forward. It’s a concern, but we try not to spend too much time focused on that, just more time focused on what do the users want and where are we headed.

SaaS V. License?

Michael Schwartz: In terms of monetization strategy, is the Enterprise license the majority of the revenues, or is SaaS the biggest part of the revenue stream?

Tracy Miranda: Yes. Enterprise licenses are definitely the main focus. I think that will evolve over the next set of years, but, for now, that’s certainly the case.

Pricing

Michael Schwartz:  Few questions about pricing, which is hard for a lot of startup entrepreneurs. Many organizations are using Jenkins for free – is it hard to move these customers to a paid offering? What type of gates do you define? Is it per developer? And is pricing still evolving with new offerings, or have you achieved some stability in the pricing area?

Tracy Miranda: Yeah. No, I think this is an area constantly evolving. You know, Jenkins is a great tool, and a lot of people can do a lot of things with that anyway. So, we’re always looking to add value on top of that. So, we find a lot of the customers who see the value of CloudBees, they’re focused on what they need to do as a business, they don’t really want to be messing around CICD is not their value add, so they want kind of the complete package. And that includes the ability to get support and the ability to know things are going to work for them.

When you are sort of doing things in open source by yourself, you tend to run the risks yourself. You can pick up plugins and you have to decide, are these going to work for me, are they going to have the security patches attached. And what happens if something goes wrong? You know, you can’t pick up a phone and kind of call up the open-source community and ask them to fix your thing in a timely manner. That being said, it is a constantly evolving space.

So, I think kind of the offerings and the bundling and the way that works is always evolving. And like we will do things as well, like offer kind of more analytics on top of that, which give people sort of more insights in what they can do with their systems, and yeah, that’s just constantly growing.

Partnerships

Michael Schwartz: What have been some of the more important partnerships for CloudBees in terms of specially impacting the business?

Tracy Miranda: In today’s world, I think you really can’t succeed as a company on your own – we had a recent kind of partnership program, which I think we’ve got a whole bunch of companies who we were working with. My main tendency is to be on the open source and on the Continuous Delivery Foundation – it’s not partnerships in the traditional sense, but a lot of companies on the open-source side we’re working with closely.

And the other big one today is the partnerships with the cloud providers, and with those we have really strong relationships. I think every cloud provider has a marketplace out there, and you can easily access all CloudBees products very easily from the cloud marketplaces. I think this year we’ve also named the Google Cloud partner of the year, so, yeah, a lot of strong relationships, especially towards a whole Cloud space.

Project Governance

Michael Schwartz: You have a lot of experience in this area, so I can’t resist asking, but companies can host their own open source and build their own governance infrastructure around their project, or they can move to a foundation that can help maybe attract a larger community. What’s the strategy of CloudBees there, and how’s that evolved over the years?

Tracy Miranda: Yeah, a great question. So, Jenkins itself pretty much had its own governance, and that worked well and served the community really well for the first kind of ten, fifteen years. You know, it is very alike with model software in the public interest, it provides some great services.  But, eventually, it got to a point where there was some kind of sticking points in the community. These were things sort of shared widely with the community.

Some key things like just having a business entity so that we could get signing certificates, having a more kind of ability to hire for roles that want developers, but other kind of things that are key to software projects, but you don’t necessarily get contributions for. And again, the ability to build a bigger community.

So, these are kind of some of the limitations that we hit. So, Jenkins got to a scale, where it needed to grow past that and to get companies interested and understanding it, they needed a really kind of known model, which is why it then looked at setting up Jenkins in an open-source foundation. And that led eventually to the Continuous Delivery Foundation forming, which is, as the more we talked to folks, the more it made sense, not just to have a single project foundation but to have something where a bunch of folks could come together and work towards a bigger vision.

So, that’s been the key thing. The creation of the Continuous Delivery Foundation is what have helped launch over the last year. And that’s been a major kind of change, both for Jenkins and for CloudBees as a business.

Fostering Diversity at CloudBees

Michael Schwartz: You have been an advocate for diversity. And I am wondering have you been able to have an impact on how CloudBees builds the team?

Tracy Miranda: Yeah, I think diversity is super important for all sorts of reasons, but especially for business ones. I am very lucky in my position, I head up the open-source team, I’m a hiring manager, so, in a great position to kind of influence that at CloudBees.

So, I have a great team, and I’m happy to say very diverse on kind of multiple axes. You know, gender and age, and from where we are across the world. So, that’s been really nice.

We also have lots of initiatives at CloudBees. One of the things I’m pleased to say is, there’s a lot of people doing things like CloudBees, and kind of constantly changing the status quo, which is nice, because it’s not always something I have to do, and then I can just kind of focus on my main job. But, yeah, a lot of great folks pushing things in the right direction.

Pandemic Impact On Diversity?

Michael Schwartz: We’re recording this episode in May of 2020, so the pandemic is on everyone’s mind. It’s easy to look at all the negatives, but being an entrepreneur, I think I’m inclined to look at positives. Is there any way we can spin the pandemic as a positive around creating more diverse teams?

Tracy Miranda: That’s really interesting. But I think by moving online and by a lot of companies had this almost artificial limit on, where people can be hired from and all having to live in specific areas, which are often cities, which often have big barriers to entry in some cases. I think by going virtual, you do remove some barriers, you do make it easier for people to be hired from wherever they are, and all of a sudden, that does open up the field for people you can hire from. So, I think, in that way, it can be very positive.

How To Catalyze Gender Diversity In Tech?

Michael Schwartz: Just speaking from my own personal experience, my company is very globally distributed in terms of team members, we have team members from like every continent, except Antarctica. So, we are doing an okay job in terms of diversity, but in terms of getting more women on the team, we’ve faced some challenges.

I know you’ve talked a little bit about this topic, but maybe you can share why do you think there aren’t more women in tech, and what are some of the challenges that women face? And how can we maybe help more women get into the tech business?

Tracy Miranda: I spent a lot of time over the last three or four years trying to understand for myself, because I think at the beginning of my career, I took it a bit for granted. I thought this is just the status quo, this is how it is, but I think it is down to kind of a number of factors all coming together. And you know, unconscious bias tends to be a big feature.

We’ve got just a ton of research that shows how lots of different things have compounded things over the year. I think there’s a great NPR Podcast as well, which talked about the times of women started dropping out of computer science courses. And it was almost because computers in general were marketed towards boys. And it was very difficult for them to sort of coming disadvantages to the courses, and there was not a lot of empathy for that. So, I think that that’s kind of one factor, but there’s a lot of other things in general that play out, just networks and how people bring people into companies.

So, the good news is I think we have more awareness than ever before of what it takes. And then, there’s a number of things we can do. The bad news is, you almost have to keep at it constantly, and things change very, very slowly. But we know, for instance, just representation matters hugely. So, having more women voices, having more women in higher position kind of modeling — I think there’s a great expression “You can’t be what you can’t see.”

And then, just having more not just mentors for women but sponsors who are ready to kind of pull them up in the right channels, help them to get and meet their goals much faster. And I think we’re getting a lot more systematic approaches in place to do this. And actually, I was really glad to see with your podcast, you have a lot of the recent guests have been some very frankly incredible and awesome women. And I think that’s places you start, just having that representation, having those people talking and telling their story.

Advice For Open Source Startups

Michael Schwartz: Thank you. We are doing our best. So, last question, you ran your own company for a decade, and you’ve been around open source for a long time, so I’m sure you’ve seen some successes and failures of entrepreneurs who have tried to use open source as part of their business model. If you were starting out from fresh today, you wanted to use open source and build a business around it, do you have any advice for that person about how they should go about it?

Tracy Miranda: I think there’s a lot that gets said about kind of open source and the relationship with business models. I think I completely buy into it. Building off open source has so many efficiencies and so much kind of leads to a lot of serendipity.

I think you see a lot of startups today embracing open source and understanding that it’s not just open source in the sense of code, but what you’re really doing when you embrace open source is building out a community. And I think people understand more than ever how key developers are to any product and how key that community is.

So, not that open source is the only way to do it, but it’s such a great way to do it, and I think the main advice would be: if you’re doing it, you have to commit to it completely. You can’t kind of be half-hearted about open source, you have to commit to the vision and to the community and constantly growing it and tending to it like a garden. And then, it will pay huge dividends. And we have seen the companies who have done really, really well off open source. It’s just kind of really sort of impressive.

Closing

Michael Schwartz: Tracy, thank you so much for spending some time with us today. And best of luck with CloudBees and with the Continuous Delivery Foundation.

Tracy Miranda: Thanks very much for having me. It’s been great.

Michael Schwartz:  Thanks to the CloudBees team for helping us to promote this episode on social media. Editing by Ines Cetenji. Transcription by Marina Andjelkovic. Cool graphics by Kamal Bhattacharjee. Music from Broke For Free, Chris Zabriskie and Lee Rosevere.

The podcast Twitter handle is @fosspodcast.

Next week we talk to Ev Kontsevoy, founder and CEO of Gravitational. Stay safe everyone. And until next time, thanks for listening.

Episode 46: Create, Deploy, and Manage Modern Cloud Software – Pulumi, with Joe Duffy, Founder / CEO

Intro


Mike Schwartz: Hello and welcome to Open Source Underdogs. I’m your host, Mike Schwartz, and this is episode 46 with Joe Duffy, Founder and CEO of Pulumi.

Pulumi is a platform that lets organizations manage infrastructure in the cloud of their choice, using the coding platform of their choice. It’s delivered as either a cloud service or a software. Joe’s doing a fantastic job executing the Pulumi business plan. No point spoiling the show for you – let’s just dive right in. Joe, thank you so much for joining the podcast today.

Joe Duffy: Hey, Mike. I’m glad to be here, thanks for having me.

Pulumi Products

Mike Schwartz: In one of your past interviews, you described Pulumi as the name of the band, the name of the album, and the name of the song. We’ll take more into the business later, but can you describe the current Pulumi product offerings or maybe I should say super powers?

Joe Duffy: Yes, superpowers, yes. We just launched that sort of as a new marketing theme for ourselves. We started Pulumi because we really have this belief that everybody should be able to leverage the full capabilities of the cloud. The cloud is kind of changing everything about how we build software, and yet, we found that for most developers, the cloud was still sort of an afterthought, which harkens back to the days of virtual machines and N-tier applications.

And on the other side, we found infrastructure teams that are, well, frankly using not-so-great tools, and really what we thought what Pulumi is, “Hey, we can bring decades of programming language innovation, and great tools, and developer platforms, and apply that to the cloud infrastructure space, and really supercharge people’s ability to use the cloud in how they build software.” We’re also breaking down some of these barriers between the different sides of the organization.

So that’s our focus, you know, open source was super important to us from day one. And we offer a SaaS for teams and Enterprises that are adopting that open source.

Seismic Changes In Programming From 2004 To Today?

Mike Schwartz: You started at Microsoft in 2004 as a developer and went on to lead teams as a director of engineering. Looking back, what are some of the most fundamental changes in software development that you’ve seen over the years, or what would utterly shock the 2004 Joe Duffy?

Joe Duffy: I think you know a lot has surprisingly remained the same, but the cloud really is the biggest change – it changes everything about what we can do. It’s incredible when I look back, I think at 2004 even, and I was a developer before that, but really back then, like multi-core, multiprocessor systems wasn’t even a thing. And I spent actually a good deal in 2000 working on that.

The fact that every piece of software is a distributed application now, every piece of software has access to infinitely scalable compute and data, and AI, machine learning – all of these capabilities are just an arm’s length away.

Whereas, back then, I mean, we couldn’t even dream of using anything close to those sorts of capabilities. And I think that’s partially why we started Pulumi – we were excited about supercharging people’s applications with those capabilities.

Insights From Microsoft?

Mike Schwartz: From a business perspective, what would you say are some of the most important things that you learned in your 12+ years at Microsoft, or what was most helpful to you to lead Pulumi?

Joe Duffy: It’s definitely interesting, I did not plan on being there that long. I was about to do my own startup before going to Microsoft, but I actually went in part because I knew it was kind of like an extended MBA program for how to build an Enterprise software company.

I think it sounds just, like seeing that sort of innovation at scale, seeing how you keep existing customers happy while still innovating and pushing the boundaries of what your platform can do was really fascinating to see that at Microsoft, and to see how you can effectively innovate and do research while you’re also doing product development. I think that’s a really key thing to be able to do.

Also, a lesson learned over the years was, it was really hard to figure out kind of like what business units actually made money, how did they make money, and how did the money get redistributed across the company. I spent a fair bit of time just reading the P&L breakdowns, and all the investor statements, and trying to figure out, okay, what’s actually making money.

And the funny thing is, there’s a lot of loss leaders in a company like that. In fact, a lot of the open-source investments, frankly, are sort of loss leaders for the real money-makers, used to be Windows, now it’s more Azure at Microsoft specifically. But you see the same pattern, you know, AWS, Google Cloud, other major players in the cloud, where a lot of the developer tools are really just there to get you to use and pay for their computing storage, and that was an interesting thing to see from the inside at that scale.

Marketing

Mike Schwartz: Pulumi is still a relatively new venture. The marketing team is probably trying to catch up with a momentum of product and engineering – what have been some of the challenges with messaging an extremely complex IT offering?

Joe Duffy: Marketing has been the one part of the company that is constantly changing. I think the product – we’ve really had a very product-led approach in everything we do. The community is everything for us, and so, we lead with the community and everything we do. Even revenue, we only started focusing on last year, and we’re finding that a very inbound-oriented model with open source and SaaS, being a great combination, is working well for us.

So, the challenge really is, how do we find the right people – and that is, the people for which Pulumi is a great solution – and tell them the right story at the right time. Because you can’t be constantly changing your cloud platform every day, so there are particular times we need to find people.

I think that’s been a bit of a challenge. You know, in the early days, it’s probably very common, we tried to tell a more exciting sort of long-term story than the product truth. Especially with the open source, I think you got to get the product truth story nailed first. And we got a little ahead of ourselves. Thankfully, we course-corrected after talking to a lot of end-users. And frankly, I just got out there and went to as many conferences and talked to people as possible – that helped to hone that product truth messaging.

And then, over time, I think you got to be patient. You’ll get there for the longer-term messaging, and it’s important that people know what your DNA and what your company stands for. But even more important than that, on day one, especially with open source, is to understand, what does this product do, why do I care. Especially in the cloud space, where it’s like, there’s a new open-source project every week, if not more frequently than that. And it’s a lot to stay on top of.

Value Prop

Mike Schwartz: So, that leads into my next question, which is, what are the most important value propositions for your customers today?

Joe Duffy: Yeah. We started out thinking they were all technical, and it turns out actually the cultural sort of human component is turning to be important for us. I think the first is, our two main customers, are practitioners, are infrastructure teams, dealing with complexity.

Modern cloud transformation is complex. I mentioned it’s a difficult space to navigate, there’s so many options – many of them don’t work at scale. So, Pulumi, for them, helps them tame the complexity of modern cloud architectures, multi-cloud architectures, modern, even single-cloud but increasingly multi-cloud. So, on the infrastructure team, that’s the thing that’s really helping.

For developers, increasingly developers want to use the cloud in their software. They don’t want to go learn this completely foreign, frankly not as good toolchain. They’d rather just use the tools and techniques that they know and love, and really start incorporating the cloud more into their software. So, it’s great for them.

And then, if you look at the organization, it really helps those two sets of people collaborate and work together. And that’s the cultural part that’s actually fueling most of the growth within our existing customers.

Market Segmentation

Mike Schwartz: Do you segment the market at all? I heard in a previous interview, where you said at the time, you weren’t looking at vertical segmenting, but what about other ways, like size of customers, or how do you look at the market or break it down into something manageable or tackable?

Joe Duffy: This is something we’re learning over time. I think it’s naturally segmenting itself. We have an even spread of customers across SMB mid-market and Enterprise customers. And you know, the takeaway is, like, everybody’s doing cloud. So, everybody is a potential customer for us.

Honestly, running a company, it kind of makes it difficult sometimes to prioritize. The Enterprise needs are not always aligned with the community needs. And so, I think we’ve done a good job of balancing those. For example, we did SAML SSO identity integration very early on, which really was an enabler for us to add more Enterprise value-add features. So, we did a lot of the foundational work that helped us to cater to this broad spectrum.

I’ll also say, we see some verticals, just naturally emerging. And, again, they sort of fall along the same lines of what I was mentioning earlier. You know, folks that are doing modern cloud initiatives. And in certain industries, there’s more of that, like connected cars for example, we’ve got a number of customers in the connected cars vertical that we didn’t plan it that way, but it’s a great partnership with them.

I’d say that the number one thing though is, we listen to our customers, we listen to our community, and we try to let them take us where they need us to go.

Customer Interaction

Mike Schwartz: Interacting with different size customers can be a challenge. Large customers expect one level of support or integration and small customers another – have you seen a big delta there? Or, how do you manage the expectations for some of the larger customers who want more?

Joe Duffy: There’s definitely a very big difference in the engagement model. And I think for us, the key thing was community first for everything. So, we wanted to build a community, nurture the community, build a great community that embodies our values and is a warm and welcoming place. And what that’s led to is, the community helps the community. And that helps actually, I mentioned this inbound model, where we’re really focusing on open source plus SaaS.

Our goal is that people can get up and running without needing a human to intervene, like they don’t actually need to talk to a sales person. They can download the open-source to get up and running very quickly. People tell us that the getting-started flow is one of the easiest they’ve ever experienced, and we spent a lot of time making sure that was the case.

We’ve got a community Slack, where literally thousands of people are helping each other, and the whole team is encouraged to participate. And so, that takes care of sort of that inbound transactional sort of customer and actually frees up our internal folks on customer pre-sales engineering and post-sales engineering, along with our sales force, to really focus more on those higher target accounts that do want a little bit more white glove service, might want to do a proof of concept, might want some more training and advice as part of the evaluation.

Monetization

Mike Schwartz: Let’s talk a little bit about monetization. Previously, I guess, you had a consumption-based model, where you were pricing based on number of services, but you’ve moved to a per developer pricing model. I’m actually curious, why didn’t the consumption-based approach work?


Joe Duffy: We thought long and hard about this, and we started designing the system so that the open source and SaaS work naturally with one another. So, we have a very high attach rate for people who download the open source. 80% of the people that do that actually use our SaaS, which is great, we have a free tier as well for unlimited individual use. And so, it’s only when you get to a team that you start paying, or Enterprise.

We invented this concept, basically pay-per-project was the previous model. What we found was a few things. And honestly, our hearts were in the right place. We really avoided per user for as long as we could because we want the whole organization to be able to use it freely, we don’t want to stop growing within a group, land and expand is important. But what we found with per project is, no two projects are alike.

Especially in a world of microservices, it’s very common to have mega-projects sitting alongside thousands of little tiny projects. And we didn’t want folks to feel like their architectures were influenced by the pricing model. That felt like an anti-pattern to us, and that was sort of some of the feedback we got on that pricing model.

Although we really did want it to be, “Hey, you pay for what you use.”, and the idea was, “Hey, if you’re using more, you’re seeing more success, and so, you would expect to be paying more.” Per user was just easier for people to model out, easier for people to kind of gauge how much they expect to be spending today versus tomorrow. And frankly, it’s just a familiar model for anybody who’s using a lot of other SaaS products that our customers are using, whether that’s PagerDuty, or Gitlab, or GitHub, or a lot of those other sorts of systems.

I’m not saying per user is perfect, it certainly isn’t, but it’s kind of the least bad that we found today.

SaaS V. Software Revenue

Mike Schwartz: Is most of the revenue from the SaaS platform or from the Enterprise software product?

Joe Duffy: It’s actually a good breakdown, you know. Honestly, it’s about 50/50. Now, importantly, our Enterprise product is actually sold as a SaaS, as an option. So, you can either run, you can use the SaaS as the online hosted version, or you can use a self-host, on-premise version of that.

I’ve been pleasantly surprised at how many people are willing to use the online SaaS because the COGS for us to deliver that service are just so much lower than having to do on-prem support, and installation, and upgrades. And I think my takeaway there is, people now, even more so than even two, or three, or especially five years ago, they are used to depending on cloud services, whether that’s GitHub, or AWS itself, or pick your favorite SaaS.

I think these organizations are getting more comfortable with that sort of dependency. We also architected the system, so that you don’t need to share PII, or Cloud credentials, or anything like that with our SaaS. So, when we go through a security review with one of these Enterprises, they almost always walk away comfortable with where we’ve drawn those boundaries.

Single Versus Multi-Tenant

Mike Schwartz: In your SaaS offering, would you say it’s a single-tenant design, where, each customer has their own sort of database and infrastructure, or is it a shared multi-tenant type of platform?

Joe Duffy: It’s primarily multi-tenant. There are some resources that are per organization, things like, we have a Secrets Management element to the product, and each organization gets their own dedicated hardware encryption key for example. But for the most part, it’s a multi-tenant architecture, unless you use the self-host version, in which case, it doesn’t talk to any shared resources, it can run entirely behind your firewall, it never phones home, so kind of have those two basic models.

Is Pulumi Open Core?

Mike Schwartz: Would you say that Pulumi is open core?

Joe Duffy: I don’t say that, and although some people tell me I shouldn’t be so pedantic on this point because it’s a familiar model to people, but we don’t hold things back from the open-source platform. So, the way I see it is, the entire Pulumi platform is open source.

So, you can use Pulumi entirely offline, and you’re not missing out on any features that are in the platform itself. It’s just that we have a SaaS product that you can choose to use. And that service itself is not open source. So, it’s almost like sort of GitHub. GitHub, you get the Git tool, Git is 100% open source. And then, you’ve got GitHub, and GitHub is a SaaS that you can choose to use or not when you’re using Git, often it’s the easiest way to go.

But that thing is not actually open source. So, that’s the model that we have adopted, where the SaaS, and importantly, the SaaS provides value. And that’s the other thing, where I kind of have some qualms about, where we’re not artificially hampering your experience. The SaaS is there, and you might pay for it because it actually provides significant value that’s worth the money. It’s not that you’re forced to pay for it. So, that’s I think a key distinction as well.

Has Open Source Materially Helped The Business

Mike Schwartz: SaaS provides a lot of the features of a try by fly. So, has open-sourcing really materially helped the business?

Joe Duffy: Yes. I would say especially in the space that we’re in. And I think it would be different for different SaaS products. Like, if you look at PagerDuty, there was something where everything is about the SaaS, and there might be some ancillary tools around it – we’re sort of the inverse of that.

I think it’s table stakes for our space, for developers to change the way they’re writing code, for infrastructure teams to bet their whole organization on this – they need to have something where they have confidence that they’re always in the driver’s seat. And if they need to take things and go, they can do that. So, that was important to us.

The community I mentioned, everything is about community for us. Because of the bet on real programming languages that we made, we allow people to share and reuse packages and contribute to the ecosystem – we have tons of extensibility points. So, if you want to — we’ve had community members bring up, integration with Datadog for example, great, you can do that sort of extension.

If you want to integrate with Spinnaker – we just did a Hackathon with Armory a couple weeks ago, where, if it wasn’t open source, that vibrant ecosystem around it just would have never come to be, and that is essential not only today for how we scale the business, but the long-term sustainability and differentiation of the company itself in large part depends on that.

Foundation?

Mike Schwartz: I was reading today about Google, looking at different foundations, where they might contribute Istio. And I’m wondering, when you have an open-source product, and you’re also hosting it, it’s sort of like enlightened despotism. You know, you’re controlling the roadmap, and you’re making the code open source, but that could always change. We’ve seen a change in some companies.

What are your thoughts about a long-term – does Pulumi ever move to a different governance model, where the roadmap almost becomes part of the community too?

Joe Duffy: I think, never say never. It’s not something that we’re looking at now. I would say if the community takes us in that direction and it’s important to the community, we would definitely go in that direction.

There are a few things. Like, one, we are open in our planning process, we are open with our roadmaps, we are very community-oriented, and how we do all of that. And so, I think, because of that, our end-users feel like they’re part of that process, probably even more so than if it was in a foundation, frankly.

Because a lot of times, in foundations, there are special interests. They’re just not as visible. I think Google definitely has some influence in the CNCF, and so, it’s not a bad thing. You kind of have sponsors, you can have people in the driver’s seat, but I’m just saying it’s not, like, in one model you have no influence, in the other model you do have corporate influence – in all the models you have that level of influence. And I think, really, our community trusts us, and our task now is to make sure we preserve that trust and nurture that trust.

But if there are strategic alignment in projects, I think we would be more interested in partnering up with a foundation. But it’s not something that’s on the immediate radar.

Team

Mike Schwartz: Switching tracks a little bit, is most of the team in Seattle?

Joe Duffy: Yeah, we’re about one-third distributed as far as Europe, East Coast, sort of all over the world, but the two-thirds of the team is here in Seattle.

Mike Schwartz: What are your thoughts about growing the team in the future?

Joe Duffy: The situation, at least at the time of the recording, with the Covid situation, we’re all getting really good at working remote. And that foundation of starting with a third of the team being remote, I think instilled a lot of the foundation we needed to be successful in this new environment.

I wouldn’t say we’re actually suffering too much from it. And I think, if anything, it’s actually helped with our existing remote employees feel like they’re more included in the daily dialogue, we’ve introduced a lot of new practices.

So, in terms of growing the team in the future, I think we’re going to be a lot more flexible in terms of, I don’t know, if we’ll go 100% all remote, you know. I think some people have said they actually enjoy working with people in person, but I think we’re definitely going to be a lot more remote going forward.

And frankly, from here, most of our focus on growth is in the go-to-market side of things. We’re a Series A-funded company, we’re looking to that Series B in the not-too-distant future. And really, as we start to build more scalable and repeatable go-to-market motions, we’re going to scale up marketing, we’re going to scale up sales, and so that’s really the focus for us, at least for the next 18 months.

Partnerships

Mike Schwartz: Are there partnerships right now that are critical to Pulumi’s business model?

Joe Duffy: I would say all partnerships have been essential. And we’ve done a fair bit of partnering. And that’s an area that, as we look to repeatability, I think one of the challenges is, sometimes I say, “Hey, we’re really good at standing on the top of our own roof, shouting into a megaphone in our own neighborhood, like writing blog posts and tweeting to our existing followers, and nurturing our existing users and helping them be successful” – you got to do that. That’s super important.

But what we’re starting to get better at now is leveraging those partnerships to, you know, get into adjacent channels, where there’s actually natural synergy between them. I think that it’s a tough thing to do, you got to nurture those relationships over the long term, but then, some of them start to pay off.

So, the major cloud providers have been great partners with us, but we’ve intentionally built our system to integrate with a lot of other systems, whether those are source control systems, CI/CD systems, cloud infrastructure providers – in each one of those is a partnership opportunity that we’re just now starting to learn how to leverage to basically grow top of the funnel, while also giving customers a more complete solution because each of these is just really one piece of the puzzle.

Pandemic Impact On Open Source

Mike Schwartz: As you mentioned, we’re recording this episode in April 2020, in the midst of this unprecedented global pandemic. Is there a scenario where the new world that’s emerging will somehow be more fruitful for open-source startups?

Joe Duffy: I think we’re learning to flex a bunch of new muscles, especially when it comes to marketing, more online digital campaigns, events were huge for us in the past. And I think in open-source generally, QCon, it’s great to connect with your colleagues and learn what they’re up to, see how you can incorporate their ideas into what you’re doing. 

DevOpsDays, a great conference that’s very open source oriented, that I personally went to almost a dozen of them last year – those things aren’t happening now. They’re all moving online, and I’ll say it’s a little bit of a stark contrast. It’s not quite the same watercooler kind of informal conversation, it’s kind of hard to have these large group settings, connecting over Zoom, where it’s 30 people on a screen, taking turns, talking to each other.

I think we’re going to invent tools, we’re going to invent new ways of basically moving that conversation online. I think we’re going to come out much better afterwards in that dimension. And that will benefit marketing, that will benefit open source because open source really is about that community dialogue. So, yeah, I think we’ll come out stronger afterwards.

Advice For Open Source Entrepreneurs

Mike Schwartz: Any advice for new entrepreneurs who are launching a business with open source as part of their business model?

Joe Duffy: I would say, we thought long and hard about the monetization strategy. I think the temptation is to launch the open-source project as soon as possible. And frankly, that is a good strategy, you always want to get out there sooner, so you can start getting that sort of virtuous cycle of customer feedback and community building. But it’s really tough to get in a situation where you’ve launched an open-source project that is growing vibrantly, but you have no idea how to monetize.

For me, I wanted to build a product company, I didn’t want to build a services organization. That’s a very different playbook. It’s low-margin, lots of people, very expensive to get to scale. You really want to focus on selling product. And if you’re going to do that, it requires really thinking deeply about where that boundary is between what’s free and what’s something people would pay for.

And my advice is, the thing that people pay for has to be something of value that they want to pay for. You can’t trick somebody into paying for something – it really needs to be valued. And that means you can’t necessarily open source 100% of your value.

Closing

Mike Schwartz: Joe, thank you so much for sharing all these insights today, and thanks for your time.

Joe Duffy: Thanks, Mike. I had a good time. I appreciate the chat.

Mike Schwartz: Special thanks to the Pulumi team for wrangling Joe onto the podcast. Editing by Ines Cetenji. Transcription by Marina Andjelkovic. Cool graphics by Kamal Bhattacharjee. Music from Broke For Free, Chris Zabriskie and Lee Rosevere. The podcast. Our Twitter handle is @fosspodcast.

Next episode we talk to Tracy Miranda, Director of Open Source community at CloudBees, the company behind Jenkins. Stay safe everyone. Until next time, thanks for listening.

Episode 45: Continuous Deployment with Tracy Ragan, Creator and CEO of DeployHub

Episode 45 of the Open Source Underdogs Podcast: An interview with Tracy Ragan, CEO and Co-Founder of Deployhub.

Episode 44: Devops, Security, & Cloud Automation Puppet with Yvonne Wassenaar, Chief Executive Officer

Intro


Mike: Hello, and welcome to Open Source Underdogs. I’m your host, Mike Schwartz, and this is episode 44 with Yvonne Wassenaar, CEO of Puppet. Yvonne is the third CEO of Puppet. Luke Kanies was the founder, we interviewed him in episode 22.


Sanjay Mirchandani succeeded him, and Yvonne took over from Sanjay in January of 2019, about a year before we recorded this episode. A CEO who takes over a company like Puppet needs a different skill set than your typical founder. Whereas the founder needs deep domain knowledge, usually a hands-on approach to business development, CEOs for companies, in later stages of growth, need this intangible corporate leadership ability. It’s hard to say what it is, but you know what it is when you see it. Yvonne has it, and she also has the values and an understanding of the culture that complements where Puppet is in its corporate life cycle. I don’t want to spoil any of the content, so I hope you enjoy this interview. Here we go.

Why Take On The CEO Role At Puppet?

Mike: Yvonne, thank you so much for joining us today.

Yvonne: Absolutely. It’s great to be here, Mike.

Mike: When you joined Puppet early last year, as CEO, why did you want to take on this enormous responsibility, steering the ship with hundreds of employees and thousands of customers?

Yvonne: You frame Puppet so well in terms of, it is a large employee base. We do have a lot of customers, and I’d extend it even further into we’ve got a massive community around the globe. And I did think really long and hard around was I the right person to take on the responsibility to bring Puppet and the impact of Puppet, the company, in the community to the next level.

And the reason I said yes to that question, to myself and to the board, is, as I thought about the opportunity, Puppet to me represented a perfect place for my step, next step in my journey, for the following reasons.

One, the values that are represented by Puppet, and the Puppet community aligned really well with my own, in the sense that we are really focused around – you know, being open-source core, kind of the democratization of technology, diversity and inclusion, having impact at the practitioner level, and really making a difference in the world around us.

And to me, I feel life’s very short, and having strong value alignment is really important. And what Puppet represented resonated very much with me.

The second thing is really around the technology and the problem that we solve. I deeply believe that Puppet and the technology that we build and work, standing upon with the community and with our own team, makes a difference in the world around us, makes a difference not only in eliminating soul-crushing work, which is what Luke started with, but makes a difference in terms of enabling companies to achieve the agility that they want, in a secure and scalable way.

And as an ex CIO, the risk of cyber security I think sometimes is underestimated, and it’s really beholding upon all of us to think about not only how do we leverage technology to make the world a great place, but how do we do it in a safe way.

So, to me, if I think about the values, and I think about the actual product and offerings that we’re bringing to market through the community and with our commercial offerings, that resonated really well. So, the third component was, “Can I personally make a difference?”
 
Given my experience across companies like New Relic, VMware, and my time in Accenture, I felt I had a good breadth of experience that I could, not necessarily bring the answer, but ask the right questions and bring the right team on board to really deliver our true potential as a company.

So, those three things combined, all aligned up, and having been here a year, it was definitely the right decision. It’s been a great ride, I think we’re doing amazing stuff, and I can’t wait for what’s yet to come.

Why Expand Product Surface Area from Configuration Management?

Mike: In the past, I might have described Puppet as being a Configuration Management Platform, but today, Puppet’s moving into areas like continuous compliance, incident remediation, and continuous delivery – why expand the product surface area? And I’m also wondering, how do you evaluate the risks that come along with that expansion?

Yvonne: Puppet as a Configuration Management Platform, I’d even say tool, has been the market perception of who we are. And that very much is grounded on where we started.

To me, the fascinating part of your question really comes down to the fact that the big shift that Puppet made in this last year was going from talking about what I would call “feature functionality”, which what Puppet does, is, really, we automate infrastructure in really, really powerful ways, to talking about the use cases and the business problems that we solve.


So, what’s interesting is, from a technology standpoint, what Puppet has built out over the years is going from a declarative approach to infrastructure automation, which is where we started, which is, we’re turning environment to a known, good state, to extending that into both declarative and task-based automation, which we leverage our open-source project, Bolt, to support and drive. And Bolt integrates with Puppet Enterprise. So, it’s both declarative and task-based, both agent and agentless. Now, we are extending even further into workflow, event-based automation.

The tool has gotten more robust in terms of the types of things that people can do with it, but the real shift, I think, from an impact standpoint, is, we’ve started to really be able to harvest from our customers, what do they use that tool and capability for. So, you know, certainly some people are using Puppet truly to manage the configurations in their environments, and that’s the main driver. They’re looking for that efficiency and scalability of what they’re doing.

We also found, however, that some people are deeply dependent on Puppet for compliance. And that understanding that that’s the business use for the tool, or one of the business uses for it, allows us to better serve up and meet those needs.

And interestingly, from an incident remediation standpoint, again, there’s a lot Puppet does from a declarative model standpoint that was always kind of remediating your environments in some way, shape or form, if you think about it. But it’s a very simple extension into integration with security scanners like Tenable, Qualys and Rapid7, to really start to go from having a scan, and then a manual process, and sorting through PDFs and Excel files to get to business impact, to saying, “Hey, I can ingest that information, make it contextually aware in the environment, and allow people to act on it in a much automated way.” Which not only reduces the work effort, but very importantly, to my earlier comment on cybersecurity, reduces the time to remediation of a known vulnerability, which improves your security profile.

So, the big shift, I think Puppet for a while has been making the tool or the platform more robust, but the shift that I think you’ve seen in the marketplace perspective is more around how we characterize what our technology can do in the context of business problems and business outcomes.

Priorities After Joining as CEO

Mike: In your first few months as CEO, what were your priorities, and did you feel like you needed to pivot the business after coming in after the founder? And I’m wondering, was there really a pivot needed? Or did you see that it was more of a requirement to incrementally improve what Puppet was doing?

Yvonne: Yes, it’s always challenging when you take a company over as CEO, in part because there’s a huge piece of the culture and the connection with the people that comes with that top job that you have to be sensitive to.

When I look at the journey of Puppet – Luke actually ran the company for the first many, many years very successfully, and the creation of this new market, and the proliferation of the technology at that practitioner level, there was actually another gentleman, Sanjay Mirchandani, who took over from Luke and ran Puppet for three years. And what Sanjay focused on was really selling higher up into the enterprise, and kind of, to your previous question, looking at going beyond configuration management, what was important in the marketplace.

As I took Puppet over a year ago, the key things that I noticed, one was that we were very much on the right trajectory, and it was more some fine tuning and focus that we had to drive to the business. And my real time and attention in the first year, first and foremost, was on appreciating that a CEO change, no matter how great I may or I may not be, is an experience that you need to work through with your employees and with your community.

So, my first focus was on the team and the community and really aligning around purpose. And kind of your first question, why was I even there, did I care about the same things they did, were my values aligned, how are we going to come together as a team and really drive the next level of the journey – I think that’s important advice for anybody taking on a senior level role.

Start with the people, and then, really, from a business perspective, looking at how could we get the biggest impact with these things that we have, how can we simplify and focus what we are doing to those that would make the biggest difference.

So, we did trim the product portfolio a little bit, we doubled down on areas where we felt we had differentiated capability, we started to focus a lot more on the engagement with the community, we had drifted a little bit away from that which happens sometimes.

So, really looking at, we did our first ever in person contributor summit, looking at how could we really nurture both, the community who has gotten us to really where we are, as well as being in meaningful service to our enterprise customers, who, at the end of the day, are a critical part of the business model as well, and scaling what is now a relatively large company that has a strong open-source base, and also has a sustainable, monetary business model to care as well for.

Puppet Value Proposition

Mike: What would you say the value proposition is for Puppet today?

Yvonne: I believe that Puppet has gone from being a kind of a practitioner tool that eliminates soul-crushing work, which is a really, really important thing that we have extended upon, that value proposition, to being a platform that enables business agility in a safe and secure way. And the way that I see us, really bringing this to market is, if you think about the modern enterprise and open-source projects, they are here to service to everybody. We really focus our commercial efforts on what I would call the Global 1000. And in that segment, those companies are going to be in a hybrid, or multi-cloud world for many years, if not decades, to come.

And Puppet is uniquely positioned to, in some regards, be their automation everywhere platform, be it in the data center or into the cloud, and increasingly across the Internet of Things. And we’re able to do that because we have a portfolio of automation capabilities, so different types of automation are actually required for different types of use cases and needs.

And so, whereas before, the world was a little black and white, you know, it’s either declarative or it’s imperative, and there were religious battles, it’s like now we realize that many different types of automation are needed when you operate at that scale. And we offer all of them in a coherent way. And we’re starting to build out the intelligence from that practitioner level up through the executive level, and helping people do things, all the way from, get the work done, to create the reports and the insights that the auditors need to get you through that compliance check.

So, for me, the real value proposition for Puppet in the commercial space is being that automation everywhere platform that gives you the action that makes things like your ServiceNow and Splunk implementations complete, because they might be able to tell you what to do or where the problems are.

But it’s really when they integrate with Puppet, that you get that completion of that loop, that everybody needs to truly get the business impact.

Market Segmentation

Mike: So, Global 1000 is still a very horizontal market with all sorts of different vertical segments. I’m wondering, from tactical sales and marketing perspective, when you’re trying to convey business value to these different segments, do you have to change the marketing a little bit? Or is there any vertical marketing or segmentation going on, and how you look at the customers, and how to sell to them?

Yvonne: Yeah, absolutely. I love the question that you asked because there are so many horizontal technologies in the world, and I work with many companies, back in the day, BEA, and VMware, all very horizontal in terms of a capability. What’s interesting, however, is the importance that you highlight, which is differentiating how a product is built versus how a product is bought and consumed.

And that’s when you do benefit I think from taking a more vertical or use case approach to a technology. And, for us, for example, we do a lot in highly-regulated industries, and financial services is a great callout.

So, even though the Puppet product offerings are the same, whether in service to retail, or financial services, or tech, or government, how we speak about the technology can start to vary in terms of those segments.

And at the enterprise level, referential buying is a real thing. You know, if I’m a large bank, I’m greatly comforted if I know five other large banks also use that same technology. And you can start to help them understand the financial services banking problems that you can solve, and as I mentioned, compliance or certain compliance requirements in those industries.

So, you can start to make it much easier for your customers to get value out of your technology and to trust your technology, when you can speak in their language, and when you can connect them with their peers, who are in a similar way using your technology to solve problems.

So, what we have done – to answer your question from a segmentation standpoint – one is, recognized where are our open-source solutions most relevant and valued, and continuing to feed and nurture those. And then, being really thoughtful on where our commercial offerings are most valuable, and drive the greatest impact.

And on the commercial side then, further sub-segmenting into vertical industry, and then, as we talked about use case, are you looking to solve problems around incident remediation and reduce time to vulnerability remediation, are you more interested in compliance reporting.

At the end of the day, I like to kind of joke, Puppet is a Swiss army knife, they can do a lot of things. That’s a blessing and a curse. And when you work with large enterprise, then, more specific you can be on the problem you solve – I kind of use the analogy of an IKEA furniture – at the enterprise level, they really don’t want the big box of IKEA furniture showing up in a bunch of little pieces, without an instruction manual they have to solve it themselves.

Some people like that and get a lot of joy. It’s usually not my customers, they want to have a simple easy way to get to business outcome. So, we’ve really done a lot to make that clear and easier for them.

How To Balance Open Source Investment

Mike: I thought it was interesting how you mentioned that you were, let’s say, investing a little bit in the open-source community, for example, an event for contributors. I’m wondering if you could talk about how do you prioritize investments in the commercial product versus the open-source product?

Yvonne: I think about open source a lot. For me, personally, I think we are where we are in terms of the rapid technological advancement because of open source, and how that’s really proliferated around the globe in so many ways. And I do believe that it is a great way to democratize access and contribution to technological development, particularly with underrepresented groups in countries and locations, where they may not have otherwise been able to participate at that highest level.

So, I’m a big believer in the whole concept, and I’m really proud to work at a company that appreciates and celebrates that, and invests in it. What I think is really important in the seat that I sit in is appreciating the fact that open source has in our case almost moral and principle value, but it’s also a critical component of our strategy. It is not the business model itself, but it’s a key part of our strategy.

And I think of open source in a couple different components. We have open-source tools, Puppet open source, Bolt, those are tools that our community members can contribute to and benefit from. We have open-source content, which, in our case, lives on the Forge, which makes the tools even richer. And we have some people who only contribute to content, and some who only contribute to the tool, and some who contribute to both. And then we have the users of that open-source content.

And to me, it’s important when I think about the open-source community, I think about all those constituencies because they’re all critical players even though they’re playing in different roles. And I’m very proud to say we have over 75% of our commits still coming from the community. We have a very active community.

For me, what’s important is that we are continuing to nurture the creativity, the innovation, the access, in what I would call that “ground level of capability”, and that we’re allowing people, who have interest in ownership and institutions that we’ve built, to be able to contribute and get the benefits over time.

So, we do a lot of things, from – we did a contributor summit in Budapest last year, we are doing Puppet camps again, so we’ve reinvested in that, more currently, in the process, we’re making them virtual just because of the environmental challenges, this coronavirus. But we are looking for ways that we can help people who are part of the Puppet community be able to have a platform to speak about, what they’re doing with the technology, the impact it’s having, and help others.

We have obviously community managers, we’ve got Slack channels, we’ve got some interesting ways that we’re looking at engaging with the community from the support perspective. So, there are many different aspects to it.

And to me, one of the beautiful things is I think open source has evolved a lot in the last decade. And I like to think of Puppet as one of the folks who are leading through that evolution, and how you continue to give back, and you know, garner benefit in a very, very productive way. So, super-excited about what we’ve done. I’m sure we’re looking to evolve, but I do think it’s part of what makes Puppet special.

Evolution of Sales Motion

Mike: So, originally, I’m sure open source was one of the primary let’s say distribution channels for finding customers who are going to engage with you commercially. But I’m sure that the sales, you know, processes, and motion has gotten very mature as a company has grown. How does it work today? Would you say that the open source still really is a driver for business? And, if it’s changed, like, how have you adapted to that change?


Yvonne: The go-to-market side of Puppet has evolved a lot. And open source has, as you suggested, played a critical role, and I believe it still does, but it’s shifted.

In the beginning, a lot of people who bought the Puppet commercial products came from the community, and they were the practitioners who were bringing that technology into that environment.

Many of the open-source users never felt the need to actually go and buy commercial products, they scaled up, and they built their own UIs and their own ways of advancing the open-source project in their company.

And so, we did go through a phase, where, in the early days, there was a lot of inbound. And what I would say is, now, the two things that have shifted, one is, as our ability to drive impact across an enterprise has increased, as the maturity of our solutions have increased, we’re actually selling to higher-level individuals in a company.

So, what I’d like to say is, we’re not just selling to the hands-on keyboard people, we’re selling to people who may never actually touch Puppet, the technology themselves. And yet, the fact that there are Puppet practitioners in their company is super important. So, I think one open source serves us today because it keeps a rich set of talents in the marketplace that can work on, and scale and execute the technologies that we’re bringing to the enterprise customers.


The other thing that we found is, many of our enterprise customers have in some way, shape, or form, or division, used, or are using, open source. And they have just set a point where it’s no longer differentiating for them to do all the work around, upgrading the open-source and everything else, to do it that way. And they rather move to the commercial version, take advantage of the incremental feature functionality, have a simpler upgrade process, have 24/7 support.

So, for us, I would say, in some regard, open source is still the land, people are using it, and then they’re starting to realize open source isn’t free. You’re just making different choices, do you want to have the engineering talent work on, keeping your open-source implementation healthy and current, and to build around it.

That’s the right choice for some. For others they are saying, “Hey, open source was a great way to get something started. Now it’s starting to run a critical component of my business. Maybe I’m better off, from an opportunity cost perspective, to engage with Puppet, to have Puppet provide me those services of incremental feature functionality, and reporting and support. And I can spend my valuable engineering talent’s time on other things that might differentiate me as a retailer, or manufacturer, or a bank.”

Is Puppet Open Core?

Mike: Would you say that Puppet is open core?

Yvonne: What I would say is, Puppet has – and I think this has been the big shift in terms of how we think as a company – certainly Puppet open source is a very mature, very impactful project that many people can build on top of, frankly, around the globe, which is wonderful to see.

What I would say is, as we think about the broader Puppet, what we are looking at is, how do we create open-source capabilities that people can stitch together in different ways to solve problems. And we don’t just look anymore at, we have to be the sponsor of those open-source projects, we absolutely contribute upstream to other projects, we leverage other open-source solutions in some of what we do. For example, Terraform and Puppet work great together, there’s actually some great webinars on how you leverage Bolt and Terraform to drive provisioning, and configuration and actioning on that.

So, we’ve really taken a much more open-minded approach, and thought about open source, almost from a component or an ingredient standpoint, that can be stitched together into whatever solution that you need. And some of those solutions we stitched together in a commercial way for our large complex enterprise customers. And others were providing the componentry that companies can stitch together in the way that they need if they want to do something all open source, or put their own secret sauce magic to it.

Pricing

Mike: Pricing is I think really hard for every company, surprisingly difficult. And it seems like the impact and the value of Puppet is so enormous to organizations – how do you find the rate gate to figure out or to find the right strategy for pricing? And you’ve only been there for a year, but have you seen that change? Do you think that the pricing model that you’ve figured out is going to be stable?

Yvonne: Pricing is an incredibly challenging topic I think to your point for pretty much everybody, and to me, what I learned early on, back in my consulting days, is one of the best ways to think about what the right pricing model is, for your company is, to start with the value chain of what you’re bringing to your customers.

If I take an early-day example of like an eBay, you know, market place, you are bringing value creating community. You’re making value by letting people sell through that community, you’re making value by letting people buy through that community. You are making value by providing different ways to attract attention.


You can kind of map out all the different value points, and then, you can make decisions on where do you want to price to be able to get a return on the value you’re creating. So, eBay for example, could have chosen to say, “Hey, you’ve got to pay to get in, and then everything else is free.” Or, you can get in for free, “There’s value in there, but let me give you that for free, and you’re going to pay these other steps.”

So, I think every company needs to go through that process and figure out where the value is they’re driving for their audience that’s worth having an exchange. The interesting thing is, it can easily become way too complex. So, simplicity is an important rule of pricing in my experience, and then longevity.

Particularly if you’re in the enterprise space, you don’t want to be changing pricing all the time, and it runs through your systems. So, I feel Puppet, in terms of where we’ve come from, that we have a pricing model that has worked well for us and for our customer base, on where we’re at. Are there opportunities to fine tune it and evolve over time? I’m confident there are. I’ve never seen a company that hasn’t at some point in time started to shift and think differently about their pricing.

But, to me, whatever you do with pricing, it has to center around what is the value that you’re bringing your customers, and can you come up with something that’s simple and easier for them to understand that will scale out for a meaningful period of time. Because a hard thing to do is change your pricing all the time. That’s an easy way to upset your customers, and make a lot of enemies in procurement. And nobody wants to do that.

How to Encourage More Women in Open Source Business?

Mike: Yvonne, you might have noticed that the male to female ratio in Open Source Underdogs is currently 41:2. And we’re trying to improve that ratio this year, but it does reflect the reality of the tech market, which is that men are overrepresented, especially at the C-level. What can we do as an industry, or even more tactically, what can I do, as a founder of a software company, to improve that ratio?


Yvonne: I love that you’re asking the question, what can you do to improve the ratio, because I believe at the end of the day, it has to start with individual ownership in action. And we can talk about really lofty things we could do, but at the end of the day, we need to create the future reality that we want. And we all have a role in it, whether we’re male and female, different types of ethnicities and so forth, if we want a diverse world, we have to create the opportunities for that, or diverse roles in leadership I should say.

And what I believe you could do, first and foremost, I appreciate this opportunity, just showcasing Puppet and myself, and having different types of role models in your podcast. I’ve had numerous women come up to me and tell me that they aspire to be a CEO, and in part, they aspire to be a CEO because they see me doing it. That’s incredibly humbling, but it’s also a great reminder that, for many people, if you can’t see it, you can’t believe it.


So, I think, first and foremost, showcasing different types of role models, that it’s not just one type that a successful leader looks like, but there’s many. The second thing is sponsoring and encouraging people to step up to that next level.

What I have found working with underrepresented folks is that – myself included – we can often tend to be much risk-averse. So, encouraging people to retire to build that confidence that they can go to that next level. Sometimes to give them that nice gentle push, maybe not so gentle sometimes, as I had in my career. Sometimes, you just need that.

So, I think creating the models, I think giving the pushes. And then giving the opportunities, take a risk on somebody. You’ll be amazed at what they’ll do with the right sponsorship and support. So, I think there’s a lot we can do across the board, but those are three tactical things that, at an individual level we can engage in, things that I try to do all the time.

Advice for Founders

Mike: Last question, any advice for entrepreneurs who are looking to use open source as part of their business?

Yvonne: Absolutely. I live in Silicon Valley, and I run into a lot of people who get really confused on open source, and – when I say “get confused on open source”, they confuse perhaps a desire and a belief around the power of open source as a way to democratize technology and bring important solutions into the hands of everybody, with the fact that somehow you’re going to have to figure out how you’re going to make money.


And so, to me, it’s really important to understand you can get both, I think Puppet does both, but you have to be really thoughtful what is the role that open source is going to play in your business model, because it is not a business model unto itself. That’s kind of a rule number one.


The second thing that I would say is, community, community, community. I don’t think that you’re going to get a lot of benefit out of just open-sourcing the technology you build if you’re the only one building it. Certainly people might use it, they’re not going to pay you for it, they might benefit from it, they might like that it’s open source, but I think part of what’s made Puppet powerful from an open-source perspective is the community engagement, and the fact that we’re collaboratively building these different open-source projects, and that we are collaboratively building content – that is what I think truly makes open source most powerful.

So, I really think if you’re going to do an open-source solution or have that be part of your solution model, how are you going to invest in, and engage, and nurture, and grow, and sponsor, and give a voice to your community, so that you keep them engaged, so that it truly is really executing open source at what I think is the most powerful level and form.

Closing

Mike: Yvonne, thank you so much for your time and sharing your great insights today.

Yvonne: Great. Mike, thank you, it’s been wonderful. And, again, I really appreciate the opportunity.

Mike: Special thanks to the Puppet team for helping to coordinate this episode. Audio editing by Ines Cetenji. Transcription by Marina Andjelkovic. Music from Broke for Free, Chris Zabriskie and Lee Rosevere. The podcast Twitter handle is @fosspodcast.
Please tweet at us if you have any comments on this episode. Next time, we talk to Tracy Regan from DeployHub, a great technologist and founder CEO.

Stay safe everyone. Until next time, thanks for listening.

Episode 43: Native-Cloud Visibility and Security With Kris Nova, Chief Open Source Advocate at Sysdig

Intro

Mike: Hello, and welcome to Open Source Underdogs, the first podcast recorded in 2020. I’m your host Mike Schwartz, and this is episode 43 with Kris Nova, a Chief Open-Source Advocate at Sysdig.

Kris, who also goes by Nova, has contributed to Kubernetes and several other open-source successful software projects and startups. She’s currently a leader in the Falco project, a next-gen intrusion detection tool that is an “incubating” project at the Cloud Native Computing Foundation also known as CNCF.
My mission this year is to interview more women who are open-source business leaders, so when the opportunity presented itself to interview Nova, I couldn’t resist. But this podcast was a bit of a challenge for me. I interviewed Loris Degioanni, the CEO of Sysdig, a few episodes back, so I wanted to stray a little from my normal business model format.

It was also really tough not going down the Cloud Native rabbit hole, although I think ultimately I couldn’t resist. So, it’s slightly more techie than normal, but I hope you enjoy it. Personally, I found Nova’s perspective really thought-provoking, but you didn’t tune in to hear me, so without further ado, here we go. Nova, thank you so much for joining us today.

Nova: Yeah, thanks for having me.

Mike: So, how did you end up at Sysdig?


Nova: Well, I had come out of my third startup that had gone through an acquisition, and, you know, I took some time off from work, I did some traveling, and just kind of — it was the first time in my life and in my career, where I was able to take several months off of work and just kind of mentally reset. And I started to evaluate the industry I was working in, and I wanted to stay working closely with Cloud, and Cloud Native infrastructure, and Kubernetes, but I wanted to pivot a little bit.

And I started looking at the available spaces or sub departments of the industry. And one of the things that really stood out to me was the security. I felt like security was one of those things that you kind of look at it always as an afterthought.

You don’t really ever wake up and design new software on day one to be the most secure implementation. So, I felt like we were finally there with Cloud Native, and started having more involved security conversations. I felt like there was just a lot of room for innovation in a field that I already knew a lot about starting off, with a new spin on it, which was getting involved with security. And then, Sysdig reached out, and here I am.

What Is Falco?

Mike: Sysdig makes a ton of data available from the kernel, as I understand it. And Falco, the project that you’re working on, tries to filter that data to make some actionable security information, maybe about intrusion detection.

Nova: The definition that kind of really made it sing in my mind and resonated with me was, when Loris, our founder, I think you might have already spoken with him, the way he explained it to me was, basically we take the kernel as the new source of truth. Traditionally, if you look at how you would be auditing or attempting to observe a system, the network was usually kind of the most fundamental element you could get down to and, the thesis behind that was, if it’s happening at the network layer, we know it’s true, and we can trust it.

And as we moved into Cloud Native, we realized that TCP packets were not the smallest element anymore. So, we took it even down a layer further than the network, which is where the kernel comes into play.

I think you said it best yourself, we take a lot of information coming out of the kernel, and then we try to turn that into something meaningful for a human or a team. And that’s really what Falco does. It tries to be that connection point, that adapter between what would otherwise be an unreasonable amount of information coming out of the kernel, and then actually, trying to give you something that can help you tell a story.

Has Falco Been Good For Business?

Mike: Falco looks like a pretty impressive tool, and I’m wondering, has it been able to drive business opportunities for Sysdig, the company?

Nova: I think if you look at open source, and what that means to anybody doing open source in any industry, it’s got a new way of thinking about how you engage with other people in the industry, other organizations in the industry, other folks in the enterprise.

And I think the easiest way that I can describe, the success I’ve seen with open source is, just looking at it as there’s fundamentally a difference between building a solution for someone and building a solution with someone. And I think open source is the latter of the two, is it gives you, and it gives your organization an opportunity to collaborate with other folks in the industry. And that’s where we’re seeing a lot of these hybrid solutions.

You know, we could have open-source software called Kubernetes running in a public cloud provider, using a CNI implementation from a startup in San Francisco, all of which being secured with Sysdig. So, we’re seeing these multi-level, multi cardinal solutions because people are building in open source, and realizing that it’s actually more effective to build a small tool that is easily consumable than it is to try to build this monolithic solution to every problem under the sun.

Has CNCF Been The Right Home For Falco?

Mike: Falco has been incubated at the CNCF. And I’m wondering if you have some thoughts about whether CNCF was the right home for the project?

Nova: I’ve been involved with the CNCF for years now. Like I mentioned earlier, I’ve worked at a few startups, we’ve donated, and built, and contributed to a handful of projects that ultimately ended up in the CNCF. And I think if you look at open source in the enterprise, and having a neutral third-party organization such as the CNCF, that can just help with things like governance, and infrastructure, and supporting the projects. And doing it in such a way that it’s neutral and unbiased for the project itself, ultimately just makes for a healthier project in a more wholesome experience for the maintainers and the end-users.

I think the CNCF does a really great job at embracing this idea that ultimately in open source the end-user is the new customer. They’re the new consumers of the open-source project, and giving them that customer-like experience is something that you really see with the CNCF, and I think really drives healthy communities.

Introducing Governance For Falco

Mike: So, one of your goals I guess, when you joined Sysdig, was to help build the governance infrastructure for the Falco project. Have there been any challenges along the way for making that happen?

Nova: I feel like when I joined, Falco was already on a trajectory to being a first-class security solution in Cloud Native that is open source. And I think I was able to come in with, you know, like I said, I’ve done this a few times, I’ve been involved with the CNCF for years, I’ve been working on other more household projects such as Kubernetes, or Helm, or Envoy. And I think I was able to come in and bring everybody together and kind of double down on our approach to open source.

I think there’s a lot of work that we had to do, that we have yet to do, but ultimately, it all comes down to this idea that, at the end of the day, Falco belongs to everyone. It’s not Sysdig’s tool, it’s a tool that was originally started by Sysdig and has already started to grow and be used in new and exciting ways.

We have end-users who are using Falco for things that we never even dreamed of originally. I think having that open-source governance, that open-source model of “We’re going to make our decisions in the public, and we’re going to give the broader community an opportunity to get involved with these decisions as we’re making them.”, has been a really big part of the direction that we needed to take the project over the past maybe six months or so.

Falco Ecosystem

Mike: In addition to end-users, have there been any other vendors who joined the Falco ecosystem? Maybe who are looking to commercialize Falco as part of their product or make an offering?

Nova: I mean, that’s something that we’ve tossed around with at Sysdig. And I think any time you have successful open source, somebody’s going to automatically go to, “Okay, how do we wrap this up and stick an SLA on it, and then start offering some sort of first-class support for a project?”

And in my mind, once an open-source project reaches that stage, like that’s a sign of success. That’s ultimately where you want to end up. I think Falco is right on the cusp of us getting to more of an enterprise open-source solution.

I’m excited to see both, how my company Sysdig is able to take these new ideas and run with them, and potentially see other organizations and other companies in the industry do the same thing as well. So, I feel like we’re on that horizon of this finally happening for the project, which is pretty rad.

Trade-off Of Moving To A Foundation

Mike: I guess moving your project to a foundation, it’s a laudable thing to do for the governance of the project, but not all open-source companies do that. What are some of the trade-offs that you have to make when you decide to move your project to a foundation, and to move the governance to sort of a more open process?

Nova: In Falco, we always talk about exchanging of velocity for altitude. And I feel like in open source, we have that same paradigm of, as you go either more on the foundation side of things or more on the agile side of things, you’re going to be exchanging enterprise opportunity with the ability to be agile.

In other words, if we, as a company, had an open-source project, and we didn’t have open-source governance and open community around it, we would ultimately be able to iterate much quicker, and it would be a much simpler and less complicated process for us to drive features, and to deal with debt, and to build new functionality. But we would be sacrificing this ability to build with other folks in the ecosystem.

If you look at Kubernetes, if you look at a lot of the sub-projects of Kubernetes, they do operate at a less agile speed or less agile velocity, but ultimately, that has empowered many different companies in the enterprise to come together and start working on building holistic solutions for everyone.

I think a great example here is, there’s an infrastructure project called Cluster API, I had helped start this project, I think two years ago now, when I was at Microsoft, and the whole point of the project was, for us to come together and start to standardize how folks install and manage Kubernetes. And it’s taken two years for us to get where we are today, so it’s happened a little bit slower than most people might be used to.

But, we now have a standardized holistic API that anyone in the ecosystem can use. And we’ve actually seen large Cloud providers, VMware, Microsoft, Google, they’ve all come together, and they’ve actually started building to this new interface. So, again we’re exchanging that velocity for that ability to be collaborative.

Coalescing Ecosystem

Mike: Remember, when I interviewed Matt Mullenweg from WordPress, he mentioned something very similar how we could build it faster if we just build it ourselves, but the community slowed us down, but we ended up with better software.
And one of the other things I remember from that podcast was, well, just thinking about it, WordPress is really such a central part of so many ecosystems. They’re not monetizing Automattic, the company behind WordPress isn’t monetizing every user of WordPress. There’s companies that do WordPress hosting and WordPress development, so there’s this big ecosystem around WordPress, which is really impressive.

And I’m wondering, do you see the Falco project as coalescing that kind of ecosystem? And how do you get there? Or, is that even desirable?

Nova: I think the CNCF enables this type of collaboration. If you look at the projects, this is something that is baked into the governance model. When we were proposing Falco to move from the Sandbox, which is the most introductory level a project can be at, to incubation, which is where we are now, there is an entire section and an entire conversation around this concept of vendor independence, which is effectively this idea that if one vendor, who is working on a project, decided to take a step back, or take a break, or pull resources back, would the project still be able to grow, and prosper, and be healthy in the same way it is now?
And that’s a fundamental philosophy in the CNCF. So, I think you’re going to see that with every project. I think us doubling down this for Falco was really critical to us getting where we are with Falco.

Surprising Falco Use Cases?

Mike: So, you alluded to some of the interesting business use cases that maybe you didn’t anticipate when you designed the product. I’m wondering if you could share with us what some of those are? Because I was also wondering, it seems super interesting, but how do people actually use it?

Nova: I did a presentation at KubeCon in San Diego, with a gentleman named Abhinav from a company called Frame.io, and he went into a lot of detail about how they’re using Falco in a very limited way, which is funny, because I spend the first half of the presentation talking about how Falco can audit the entire kernel, and how we can start to process and assert various signals in the kernel that go for every system call that would potentially be running in Linux. And then Abhinav walks on the stage and says, “Oh, we only use it for three.”

And it was just kind of this funny moment, where it’s like, if that’s what they needed in their pipeline, which if you go, and you watch the video, you can see the use case, and why they were only interested in a subset of these metrics here.

You can actually see that Falco is dynamic and configurable enough for them to use it very concretely in a very small, but very precise way for exactly what they needed. So, I think you see that in a lot of different open source, but especially in Falco.

Can Falco Consume Non-Kernel Data?

Mike: Can Falco consume information from other sources, other than the kernel, and make sense of it in sort of the same way?

Nova: Yeah, absolutely. One of the things that we’ve been circulating in the Falco community, and I think this is a great example of us not being able to move as quickly as we wanted, but in exchange, we’re getting feedback and insight from the community is, we’re working on a long-term supported release called Falco 1.0.

And one of the things that we learned pre 1.0 was that there was actually a lot of value in taking other input sources other than just the kernel and enriching the kernel information with these other input streams.

So, a big feature of 1.0 is going to be making secondary input streams much more dynamic and much more configurable, so that folks can start to plug other information into Falco when it comes time to building that story or that alerting system that they’re looking for, when it comes to detection, and anomaly detection in security.

Is There A Marketing Strategy At Sysdig For Falco?

Mike: Is there a marketing strategy at Sysdig for Falco?

Nova: Yes and no. So, we obviously have our corporate marketing strategy, we have an entire department here. And we have a lot of similar goals, but I feel like they’re implemented in different ways. I think the easiest example here is Sysdig targets customers and users of our platform, whereas Falco targets end-users, which effectively are customers, but the relationship is a little more like, “We’ll give you a foundation in the scaffolding to come and build with us.” And you’ll be able to do that effectively for free, but you’re not going to be getting a lot of the first-class features that you would be as like a commercial partner, or a commercial consumer of what Sysdig has to offer.

So, again, depending on your use case and what you’re looking for, it kind of gives us an opportunity for folks to get involved with — it’s going to cost more, but it’s going to be easier and more resilient, more reliable and more powerful. Or you can take the free open-source approach, which is going to require rolling up your sleeves and getting involved in the community.

And I think what’s really interesting from a business perspective is watching as different implementations change from one side to the other over time. And seeing how 2019, it was a commercial user, and then moving forward, they moved over to open source. Or flipping that around and going from open source to commercial.

So, it’s exciting to have that flexibility, as departments grow, or their organizations, as their needs change, as their systems change, what they might be looking for from us – it could potentially change. And having sort of an array of opportunity and avenues for them to get involved has been really powerful for us.

Difference Between End-User / Customer

Mike: What is the difference between an end-user and a customer?

Nova: I think the easiest way to say “This is an end-user.” is someone who takes advantage of open-source software in its most raw form, whereas a customer is an exchange for goods and services, where we’re willing to provide some sort of monetary compensation.

So, again, we’ll use Kubernetes here. Kubernetes is open source. If you or me wanted to go and go to github.com/kubernetes, we could potentially download Kubernetes and install it on some servers, and then try to go sell those servers that have a working version of Kubernetes running on it, with some sort of service agreement. But there’s nothing that’s really preventing us from doing this.

And in the same way, other folks who have been contributing to Kubernetes for years and maybe even were, like Google, the original creators of Kubernetes, they have both the open-source avenue as well as the more commercial avenue. And I think you see that with tools like how GKE is Google’s Enterprise version of the open-source software that you could go download for free.

Who Ideally Would Join the Falco Community?

Mike: So, if you could see more partners join the ecosystem, what kind of partners would you like to see join the Falco community?

Nova: Honestly, I would like to see the security industry come together and start working together as a community more and more. Like I mentioned earlier in the interview, moving to security, I had to relearn a lot of things. One of the things that hadn’t really been in my career up until recently, after joining a security company, was this concept of very strict competition, and this concept of, if I have some piece of intellectual information, I’m going to kind of withhold that. And that becomes part of our IP and what we have to offer. And I think we saw the same paradigm infrastructure in Cloud

And, ultimately, if you look at the security industry, following applications, following infrastructure, following DevOps, it’s ultimately in my mind going to end up in the same way, which is the industry coming together and realizing that it actually makes more sense for us to work together on something than it is for us to fight each other.

I would love for more folks, whether they’re security vendors, or security consumers, or even just users of security tooling, at the end of the day, to come together and start exploring different ways of securing systems, and open-sourcing, and collaborate on that.

Is Open Source Security a Trend?

Mike: I think that’s actually true. I remember speaking with Michael Howard from MariaDB, and he mentioned to me that – I don’t know if it was on the interview or after – security software is not inherently open source that normally it would be commercial, proprietary, licensed, all the above, to keep it closed. And so, I do think it’s the idea of, there aren’t tons of open-source security tools, so, are there other open-source security tools that maybe you can identify that you can think of this as a trend, or is Falco really at the forefront of this?

Nova: I think – and if I get too often with ranting about security, please, please feel free to stop me – but I think if you look at security, having a holistic approach to two main categories is really what you want to see, when it comes time to taking security seriously and fully locking down a system.

So, I think to give a really simple example of this. If we look at solutions like Kubernetes RBAC, which is role-based access control, just describing who can do what, and when, and how they can do whatever it is they’re trying to do. And potentially rejecting requests if they do not meet whatever criteria you set forth.

But we also see this in Linux with things like Seccomp and SELinux. And it’s this idea of, we’re going to try to prevent somebody from doing something if they’re violating some sort of policy we have in place. So, there’s other CNCF tools like Open Policy Agent as a great example here. There’s an open-source tool from Microsoft called Gatekeeper. That is an implementation, a concrete implementation of Open Policy Agent. That attempts to effectively do the same thing pod security policies do in Kubernetes, but from concrete implementation of OPA or Open Policy Agent.

But, again, we’re in the situation where these solutions, everything I just mentioned, all attempt to prevent somebody from doing something that they shouldn’t be able to do. Or to prevent some application from doing something that it shouldn’t be able to do. But if you look at the history of security, that’s only part of the story. One of the things I’ve been saying that I really feel like it’s a powerful statement is, at the end of the day, there’s no such thing as perfect software.

Even Linux, the most well-known open-source operating system in the world, the largest open source project in the world, we still get CVEs, there’s still exploits. There was Heartbleed, there was a handful of critical CVEs that have happened in my lifetime. And those are fundamentally never going to stop. And anomalies and things that you aren’t expecting are fundamentally never going to stop.

So, I think having this preventative side of things that you see with tools like access control and policy enforcement, running those in concert with tools like Falco that are more of a detective side of things really gives you like you’re kind of coming at the problem from two different fundamental perspectives, which kind of I wish you to double down on your security approach.

So, short answer, yes, we see a lot of other tools, but we don’t really see anything that’s as focused on runtime detection, has to do with something say like Falco, or maybe even Wireshark, which was Loris’s original project.

How Can Companies Adopt Cloud Native?

Mike: So, you’re the author of an O’Reilly book on Cloud Native infrastructure, which I just ordered?

Nova: Thank you. You should buy several copies of it, for all of your friends and all of your family.

Mike: Makes a good Christmas present. But this is a very new knowledge domain for enterprise IT staff, and reading your book is a good place to start. But I’m wondering if you have any more thoughts on how companies can get up to speed on Cloud Native infrastructure?

Nova: I think the book is a good starting point, but more importantly one of the things that I really want to stress with folks, to really have an understanding of what this phrase “Cloud Native” even means. And you can go to cncf.io, and they actually have like an entire essay that was put together that attempts to define what Cloud Native means to them.

But I feel like it’s kind of like a personal choice or a personal journey you have to go on. It’s like buying a car. Ultimately, at the end of the day, you’re going to buy the car with the features that you need, that you like, but that whole process starts with, doing test driving things, and doing research, talking to people, and going to look at cars, and spending time understanding why this car may be better in this situation or might be better in this situation.

And I think Cloud Native infrastructure follows the same paradigm of, you have to look at the ecosystem as a group of resources. And you can take these raw resources that are available in the ecosystem, my book included, and those raw resources become part of what you would use to potentially build out your finalized system.

What To Look For If You Want To Join an Open Source Project?

Mike: A couple last questions about your experiences as a veteran of being a part of open-source startups. If you’re looking to join an open-source startup, what would be some of the things you would look for that would be good signs that this company knows how to use open-source as part of their business model?

Nova: I guess there’s two answers here, coming at this from somebody who’s — I’m in a very senior, very high visibility role, here at Sysdig, so I almost wanted to join a company that needed some guidance and needed some help. If I was to join a company that was perfect and open-source was already solved. You know, they were already doing everything “by the book”, it wouldn’t be very interesting or exciting for me, and I would hope that they would not be as interested in having somebody like me come in. And for lack of a better term, do what I do best, which is helping to drive open-source adoption and collaboration.

For me, I wanted to find something that had opportunity to grow, and had opportunity and potential for us to move into really, really great things. And I felt like Sysdig was that perfect intersection of high potential with the right place at the right time with security.

Now, if somebody isn’t as insane as I am, looking to get involved with something that’s going to be a lot of work and a lot of effort, I would say the first thing I always look for is, how are decisions made, both at the company, both on your team and both with open-source projects. And another thing that I always kind of view as a red flag is this concept of open-source announcements.

If you think about it, an open-source project by design should be open to the community, you should be able to go, and read, or watch, or listen to the decisions that are made, the features that are driven, the choices that the community is deciding on. And you should be able to at the very least observe these, and if not, potentially shape and govern these things.

So, anytime I see somebody doing some sort of open-source announcement, to me, that’s just evidence that it wasn’t an open-source project to begin with. That it was built behind closed doors, and then ultimately, handed over for the sake of publicity, and not originally built in open source, as you would see with a lot of the other CNCF projects, like Kubernetes, like Helm, like OPA, like Falco.

Advice For Open Source Entrepreneurs?

Mike: Last question about open-source entrepreneurship. So, if you were in the shoes of an entrepreneur who wanted to use open source as part of their business model, do you have any advice for that entrepreneur?

Nova: Get in there and roll your sleeves up. At the end of the day, open source is, you’re not going to have that first-class experience of, “Click here, put in your credit card number, and then poof, everything works.” Like, it’s going to take understanding what’s going on, it’s going to take contributing to the code, contributing to the project. And you’re really going to have to accept the fact that you are just as responsible as the open-source project as everyone else working on it.

Mike: Nova, thank you so much for joining us today – first guest of 2020, yay! Thank you so much.

Nova: Thank you. It’s been really nice talking with you.

Closing

Mike: Special thanks to the Sysdig team and Amanda McKinney, 280blue, for helping to coordinate the episode.

The link to the presentation that Nova mentioned can be found on the episode webpage on opensourceunderdogs.com. Transcription by Marina Andjelkovic.

Music from Broke For Free, Chris Zabriskie and Lee Rosevere. The podcast Twitter handle is #fosspodcast.

I have a big announcement: I just found out that my talk about the podcast was accepted to OSCON in July. If that happens, I’m really looking forward to sharing some of my thoughts on what all these episodes mean.

The next episode features the current CEO of Puppet, Yvonne Wassenaar, who brings us up-to-date on Puppet success in business models. Don’t miss it.

Until next time, thanks for listening.