Self-Remediation via Okta
Engage end-users during auth to self-remediate issues
Security & Compliance Checks
Monitor your entire Linux, Mac, and Windows fleet
Device Inventory
Your fleet represented in thousands of data points
Implement Zero Trust Access
Prevent unsecure devices from accessing your apps
Achieve 100% Device Compliance
Measure, achieve, and maintain your compliance goals
Gain Fleet Visibility
Become "all knowing" across Linux, Mac, and Windows
Help / Docs Product Changelog App Security Company: We're Hiring!
From the blog

Blog

Contents

Customers

Watershed Thinks Big to Keep a Small Team Secure

At the October 2023 Oktane conference, Kolide’s CEO, Jason Meller, sat down for a conversation with Jesse Kriss, Head of Security at Watershed. In this conversation, Jason and Jesse discuss topics like human-computer interaction, client questionnaires, and how to think differently about security.

Watershed
www.watershed.com/
Industry
Analytics, data, environment
Founded
2019
Location
San Francisco, CA
Size
101-250 Employees

Why would a security pro leave Netflix for a small startup? When the startup is Watershed, there are a few reasons.

Watershed’s mission is to help enterprises find business-friendly approaches to fighting climate change. They do this by providing in-depth emissions data to customers like Everlane and Walmart so they can set and meet goals for reducing their carbon footprint. Their goal is to remove 1% of global emissions from the atmosphere each year by 2030. That’s a huge impact for a young startup with around 200 employees.

For Jesse, Watershed’s small size meant that he could make a big impact as the first security hire. “There’s such an opportunity to move to some of those better practices, to configure those in more modern ways, when you’re at 100 or 200 people,” he says.

Jesse’s background is in human-computer interaction, and in this conversation, he explains how it informs his approach to security and balancing user experience in a Zero Trust environment.

“I’ve always thought about, okay, what does this look like end to end for everybody involved? The end user, the people who have to maintain the system, the IT team that’s getting those help desk tickets when people get confused or they get locked out. All that stuff matters, you really need to think about the big picture.”

Please enjoy the video, or read the transcript below.

We’ve divided the following transcript into timestamped sections for easier navigation, but we left the conversation unedited, so please excuse any errors!

Introductions and How Jesse Inspired Honest Security (0:07-0:48)

Jason Meller:

Jesse, thank you so much for joining us at Oktane 2023. Really appreciate you coming out, and finally, glad to see you in person for the first time. Been chatting for years.

Jesse Kriss:

Yep. Yeah, it’s been a while. Thanks for inviting me.

Jason Meller:

So to the uninitiated folks who may not know Jesse, he’s actually the person who inspired me to really go all in on user-focused security. The thing that I wrote, Honest Security, was directly inspired by the things that you did while you were at Netflix.

And as you guys built out, not just the vision, but actually, your whole team put together an app called Stethoscope to really bring that to bear and get users to actually solve problems. So this feels like I’m interviewing a celebrity, from my perspective.

Jesse Kriss:

Amazing.

Where Watershed Started in Thinking About Their Security (0:49-3:03)

Jason Meller:

But of course, you’re not at Netflix anymore, you’re at a great mission-focused company called Watershed. Why don’t you tell all the folks what that is, what your role is, and a little bit more about it.

Jesse Kriss:

Yeah, sounds great. Watershed is the climate platform for enterprises, so a lot of companies across all different sectors use Watershed in order to measure their carbon footprint, to report on their carbon footprint, and most importantly, to drive action.

Jason Meller:

Nice. And what is your role there?

Jesse Kriss:

I’m the head of security.

Jason Meller:

And you were their first security hire, right?

Jesse Kriss:

Yeah, that’s right. Yeah.

Jason Meller:

So that’s got to be a little bit anxiety inducing, right? You’re coming into a fast-growing startup, you’re now the first boots on the ground who has actual security experience, all the advanced things that you saw probably at Netflix, and now you’re thinking about carrying that over to a startup. How do you even approach that first month there? What was your strategy coming in?

Jesse Kriss:

Yeah, at the beginning, it was definitely, okay, what do we have, what’s going on? I felt really fortunate to join a company that had a really strong security culture through their engineering team already. That made a huge difference.

People were making good decisions about the product, and thinking carefully about data storage, and things like that. And so, that was a relief, that was a good place to start. And then, it was really, okay, what’s the broader landscape?

How are we doing on the enterprise security things? What do our customers need? It was really interesting working on a security team at a B2B company, where, unlike in Netflix, the customers are coming and saying, “hey, we want you to have these controls,” or “what’s your story around data protection?” And so, really getting the lay of the land of, what are the practices, what are people asking for, and where do we start? Based on risk and everything, what’s most important?

Jason Meller:

And I imagine one of the places you started was SSO. Was that already there when you had gotten there, or were you the person who sort of brought to bear, no, we’re going to bring in Okta, and we’re going to do SSO at our size?

Jesse Kriss:

Yeah, we were using Google Workspace for SSO when I started, and I knew that Okta or something like it was sort of on the horizon, but I wasn’t sure exactly where that would be. I was actually focused on endpoint security first. We had some MDM tools, but they were not ideal, they weren’t matching exactly the experience we wanted. So that’s really where I started, and the move to Okta came later.

Human-Computer Interaction and How Kolide Fits In (3:03-5:31)

Jason Meller:

And I imagine that’s not just a technology decision, all the things that you’re doing are being heavily scrutinized by, “all right, is Jesse here to make our life miserable? Is he an enabler?” So how did you even approach the rollout of something as obviously rolled out as Okta? They’re going to be experiencing that every day, how do you even think through that?

Jesse Kriss:

Well, my background is actually in human computer interaction and user experience. So even before I got into security, that’s what I went to grad school for, and that’s what I did in a lot of my early professional work. So I’ve really always had that mentality of, what does this mean for people in practice?

And one of the reasons that I really enjoyed working in security is that good security folks have the same mentality. It doesn’t matter how it looks on paper, it’s all about what’s actually happening in the real world. What are the real exploits that are going to happen? What are the real mistakes that might get made?

And so, I’ve always thought about, okay, what does this look like end to end for everybody involved? The end user, the people who have to maintain the system, the IT team that’s getting those help desk tickets when people get confused or they get locked out. All that stuff matters, you really need to think about the big picture.

Jason Meller:

Nice. And you mentioned earlier that you really wanted to get visibility around endpoints at the same time. Did you see the transition to Okta, and additionally, for visibility, are those related projects in your mind, or were those sort of separate things that you wanted to tackle?

Jesse Kriss:

Yeah. Well, they started separate. They started as separate questions. I mean, really, the reason I was so excited to see the Okta integration that you all launched is, honestly, it was like the realization of the dream I had at Netflix back in 2018.

Was, okay, we want these low friction checks, we want end user remediation, but it really has to be a login time enforcement for it to make any sense and for it to really work. Otherwise, you’re just watching that graph and hoping you get from 87% to 89%.

Jason Meller:

And it only takes 1% for that risk to actually be realized.

Jesse Kriss:

Exactly. Exactly. So in my mind, I always wanted them to be connected, and it simply wasn’t possible in any reasonable, easy way. We were working on that at Netflix for a long time. And so, they started as separate projects, and then came together. And in fact, we ended up moving to Okta after we started using Kolide. It was kind of on the roadmap, it was like, “oh, this piece has finally been unlocked. We can do this. We can implement the way want it now.”

Jason Meller:

Right, so that actually hastened your Okta rollout.

Jesse Kriss:

It did, yeah.

How Watershed Uses Kolide’s Custom Checks (5:32-7:47)

Jason Meller:

That’s great. And I’d love to hear a little bit more about, all right, you have this superpower of, we’re going to get the users to do things at the point of login. What were the things that came to your mind immediately that we want to do at that … What are the initial checks that you would want to run, and then actually enforce blocking on?

Jesse Kriss:

Yeah. Yeah, so there are a few different levels here. I mean, the obvious thing for us was, is this machine managed? Is this an actual corporate device? That’s kind of a baseline. And if you’re using MDM, of course, you can use that to say, oh, yeah, it’s encrypted and everything. And so, those are good as a double check.

But really, for me, the big payoff, aside from corporate device, is the stuff that’s just really annoying to do with MDM. It’s changing all the time, like what OS version should you be on? And that’s sort of the canonical one.

But I think the other real power with Kolide is the custom checks. We can decide that there are other things we care about. We can write our own rules and say, oh, this is important for login.

Jason Meller:

As the person who cared so much about that feature being built, it’s so exciting to see you just dive into it like a fish in water, and really thinking about, all right, I have this ability to get in front of the end user.

And you mentioned this earlier, I need the ability to… Everybody says they’re doing the right thing, and I believe that they want to, but I really want to just double check that that’s happening.

It doesn’t need to be as simple as, you’re running an old version macOS, it could be deeper than that. Were there things that you tried out tentatively that you ended up keeping, or was there anything in that area that kind of goes a little bit beyond the basic posture checks that everybody talks about?

Jesse Kriss:

I did have one turned on that didn’t last very long, I was like, okay, that was maybe a little much, where I had a check that said, you should really be emptying your trash every 30 days. And there’s even a setting for it where you can turn it on on the OS.

But a few people got blocked by that, and were like, “Really? There’s nothing actually in the trash that’s important.” Like, “Okay, okay, we’ll measure the things that actually matter.” That was a little bit of a proxy, and felt like one of those small nitpicky things.

Jason Meller:

Right, you don’t want sensitive files hanging around too long.

Jesse Kriss:

We have other checks for that, which is nice. But that was one where I was like, all right, all right, we’re going to pull that one back, that’s not meaningful.

How Jesse Establishes Security Policies (7:48-10:26)

Jason Meller:

So when your position is to … Your executive leadership, obviously, everybody’s … You shouldn’t roll out something like this without concern, because this is going to be in front of everybody, it’s going to be a point of friction when it’s working correctly, you want it to be, at times, when there is a problem.

So how do you paint that vision for the executive leadership? Why roll this out? Is this part of zero trust? Do you even use that terminology? How did you sell this internally to make it actually happen?

Jesse Kriss:

Yeah. Yeah, it’s an interesting question, I didn’t use Zero Trust really as a term. To me, it was really about being able to assert a policy and say, this is what we do. And we can tell our customers that, yes, in fact, this is happening, not because we wrote up a document and we told people to read it on their first day, but because it’s actually enforced.

And bringing all of those experiences together, yes, we’re adding some friction at login time, but that’s really the one thing, everything comes together at login time. You’re not doing that, and then getting emails saying, oh, please turn on your firewall, or you’re not having your MDM say, but we’re going to auto restart. This is the one thing.

And so, I think people understand that. And the SSO part helps, too, when I first put GitHub behind Okta and Kolide, people were like, oh, I’ve got to do all these steps to log in, we’re going to do this for all the apps?

Jason Meller:

So I’ll say, as a developer, I really like how GitHub did their SSO integration, because a lot of us started out on GitHub with personal accounts, and I was very worried, like, oh, I don’t want to have a separate corporate Kolide account. I have my activity mosaic, I want it to be green.

And I was just psyched to learn, like, oh, no, when I go into my organization, that’s when I’m going to be SSO prompted. So I was always kind of psyched, as someone who’s used a personal and corporate account at the same time, to see how that worked.

The thing that I have a question to you about it, though, is, did it actually help ensure that you had good coverage on SSO because you had device trust in there? Because I can imagine you could say, “Hey, this person hasn’t authenticated in at least 15 days, and they actually have problems wrong on their device. Why isn’t that happening? What apps are we missing?” Did that ever kind of come up with you?

Jesse Kriss:

Yeah, I don’t know if this is exactly the question you’re asking, but there’s an interesting thing of, when do people actually go through this flow, and when does the enforcement happen in practice? And it turns out there are a lot of subtle variables around that, right?

Things like, oh, this application actually just has a longer session cooking, and they don’t re-authenticate every day or every week, or whatever it might be. So there are things like that. I think that’s one of the things that’s helpful about GitHub just doing, here’s your morning authentication, and you’re all set.

How Kolide Helps With Security Questionnaires (10:27-12:36)

Jason Meller:

You mentioned customers caring a lot about how this is set up. In terms of how you interact with the rest of the business, and in terms of talking about this externally, what are some of the things that you’re doing, and how do you talk about this program in a way that makes sense?

Because we all get these million-page security questionnaires, and these asinine things that are in Excel, I have a million tabs. How do you incorporate Kolide and Okta working together into some of the things there? Is that even something that you guys have to do?

Jesse Kriss:

Oh, it’s definitely something we have to do. It comes up a lot. It’s actually been really fun. I mean, not the questionnaires as a whole, those are kind of a drag.

Jason Meller:

Of course.

Jesse Kriss:

But it’s nice when people… Companies will come with their questionnaire, and they’ll say, do you X, Y and Z? And a lot of times now, we get the chance to say, oh, we don’t do that, but we do this thing, which we think is better. And they go, oh, that’s really cool, you’re doing it that way.

And so, it might be a conversation of, do you have separate admin accounts for this, or do you have a partition network for this, and do you allow BYOD? And we can say, well, we look at it a little bit differently, and we have this tool that gives us these guarantees at these points.

And then, you throw in that we’re doing passwordless with Okta, and they’re like, oh, I wish we could do that here. So that’s been fun.

Jason Meller:

And what are you guys using for passwordless today? What are the specific factors that you use? Are you using YubiKeys, or are you using FIDO2?

Jesse Kriss:

We’ve been using Okta FastPass. Yeah.

Jason Meller:

Okay, great.

Jesse Kriss:

And it’s been working really well. It’s nice, you get the multiple factors kind of in one factor, so you have the experience of getting one push notification and one biometric, and that counts as the possession and the biometric together.

Jason Meller:

Which is great, because you got to roll that out at the same time, roughly, around SSO, so it wasn’t like users felt like, oh, we’re getting sort of a downgrade, things are becoming corporate. You actually had something for them, like, you’re not going to have to touch the keys on your keyboard to log in anymore, or use a password manager, or something like that.

Jesse Kriss:

Yeah, that’s exactly right. And the way we’ve got it set up, people can use their phones as well as their computers, so they also have a backup, and they can bootstrap new devices. We didn’t have to ship YubiKeys to everybody, it was just so much simpler to roll out for that reason.

Multi-tiered vs Universal Security (12:36-15:47)

Jason Meller:

Nice. Well, you guys are, in my mind, fast-growing, you’re small and nimble, and I imagine a lot of the things that you care about are going to be things that a lot of other folks are going to care about in a year or two from now.

So in terms of, it doesn’t even have to be about device trust or SSO, what are sort of the top priorities that you want to start digging into as you look forward to a moment where Watershed is probably going to be growing exponentially in terms of revenue, but also employees? What are the top things in mind, you’re like, I need to get my arms around them, within your remit?

Jesse Kriss:

Yeah, that’s a broad question, there’s so much there.

Jason Meller:

I know that’s a big question, but I know people care about that.

Jesse Kriss:

Yeah, let’s see. On the enterprise security side, I think we’re actually in a really good place now. I think we’ve got the right foundations. For me, the next kind of realm of this is around access and automation, and really having…

I feel like right now, we’re at the point where we have the tools to do the right enforcements, but it would be really great to have sort of a cleaner conceptual model of, this is who should be allowed to get access to things, and then, this is how we implement that through various systems, whether that’s Okta or Kolide, or things like Opal.

There are a lot of tools that can allow for the implementation of pieces of it, but I really want to step back and say, what is the overall policy and governance? Which sound like scary big company words, but if you draw the picture and say, no, we have reasons for when people get access to things or when they need device trust.

And to be able to have a unified vision around that, that then carries through to implementation, I think will be really valuable.

Jason Meller:

Now, are you worried about a multi-tier security layer story? So you have like, level one, level two, level three. That’s what I hear from customers all the time, say, we want to do that. But then I hear about their implementations, and I think the number one thing I hear is confusion around, all right, am I going to be able to anticipate in advance, am I going to be able to authenticate into this app or not?

Do you think that there’s a balance between having just a universal signal to the user, you can logging into everything, but everything’s sort of on even playing field, versus a tiered system where they may not have intuition around if it’s going to work, and they kind of have to knock on the walls, but you can make their experience a little bit better?

Has your opinion changed now that you’re at a much smaller company, that there isn’t maybe that many tiers that you have to think about?

Jesse Kriss:

I’m a big believer in the tiered system, so yeah, I don’t think you need that many of them, but it’s really critical for us, because it’s things like, enforced OS upgrades are great when you need them, and it is annoying to have that for everything.

And we have different people who are working with us who have different relationships. We’ve got contractors, some people don’t have managed devices, and we need to align that to our policies, even for a small company.

So we have one policy that says, okay, if this authentication policy in Okta, you are absolutely using a Watershed managed machine, no question. Then we’ve got one that’s similar, that’s that, or, okay, you’re meeting some health checks, and you don’t have Kolide, and you’re not on MDM, but we know your disc is encrypted, right? That’s still very practical for us. And I think there are relatively few companies that can really reasonably get by with a single tier.

Future of Device Trust for Vendors, Contractors, and Startups (15:48-19:59)

Jason Meller:

I think that makes sense, and that’s something that I’ve heard a lot, as well, is folks really, after they’ve solved their internal concerns around, okay, are my users using the right devices, and do they have the right posture.

They immediately start thinking about contractors and suppliers that are often allowed on the same exact apps or on the same private networks, and they’re just sort of taking their word for it that they’re doing the right thing.

And the challenge with the MDM model is, you can only be on one MDM, so they want to be on their own, they don’t want to be on yours. And then, you’re kind of stuck in this place where, do we want to provision all of our suppliers bespoke laptops just to solve that problem? Do you see Kolide and other device trust solutions maybe help filling that gap and setting the standard?

Jesse Kriss:

I would love for that to be true. I think in practice, it’s not as plausible as it once was. I think back in the early Stethoscope days, that was very much the thought of, this is lightweight, it’s not MDM, anyone who needs to authenticate into our systems can install it. It won’t be a problem, there’s no conflict. But one of the side effects of macOS becoming more secure is that you need more permissions in order to run these checks.

Jason Meller:

Right, you definitely need at least ROOT, you need all the entitlements.

Jesse Kriss:

So the mechanics of it, and then, there are all these notifications and warnings, and some things are made intentionally hard to do so people aren’t tricked into doing them. So I think we’re in a little bit of a tricky spot now, where it’s so much easier to roll out these tools with MDM, and to do it in a smooth way.

And I’m not really sure what the path forward is. I would love for there to be a better answer of, yeah, here’s this kind of middle ground tool that you can run without ROOT, that you can run without needing all these extra permissions.

Jason Meller:

100%, 100%, yeah, no, I agree, it’s clear that Apple is going to protect their privacy and consumer side story first, and they’re going to always emphasize that over, I think the needs of the corporate world, and us as IT and security practitioners have to be very creative in terms of how we approach that.

And I think more and more, I think we’ll see a shift, but it’s going to take a long time. One more question for you, now that you have this done, I imagine the other thing that you have to really wrestle with is just the explosion of SaaS and the amount of vendors that people want to buy. Now that you have this, has that changed your perspective on what you expect from the vendors that you’re working with in terms of their security posture?

If you were to create a questionnaire, would you put on that questionnaire, what is your BYOD story? How are you limiting which devices can even access these tools? And going beyond just the simple question of, do you even have two-factor off? Which is kind of the standard thing to ask, but people don’t really delve beyond that.

Jesse Kriss:

Yeah, I think it’ll change over time. I think right now, it’s great if people have those things, and I would hope for that in the future. I don’t feel like it’s a super realistic expectation yet, I feel like Watershed happily is on the front edge of a lot of this stuff.

Jason Meller:

Why do you think that is, though? It feels so obvious to me that shouldn’t be the case, but you’re exactly right, when we survey customers, about half the people that come to us, they have no story here at all, and they’re not even really thinking about it yet. Why did you arrive at it so early, and why is everybody sort of a year or two behind?

Jesse Kriss:

Yeah. I think it’s a combination of things. Certainly, my work at Netflix set me up to think about this a little bit differently and to have a different angle on it. And then, one of the many reasons I was excited to join Watershed is that it was a small company, and it’s easier to get things done in a small company. You can roll in and say, oh, 200 users? Yeah, we’ll switch MDMs, yeah, we’ll install new tools, yeah, we’ll switch to Okta.

And it’s a little bit ironic, because people think of some of those tools as bigger company enterprise tools, but there’s such an opportunity to move to some of those better practices, to configure those in more modern ways, when you’re at 100 or 200 people, and get that in place.

And so, I think for the larger companies, it’s both the challenge of implementation. And there aren’t necessarily people in those companies that are thinking about changing the model of how that works, right? It’s more about like, okay, can these existing tools or patterns be implemented in a good way?

How Our Mental Models for Security Have Changed (19:59-23:22)

Jason Meller:

Got it. And I lied, I have a couple more questions.

Jesse Kriss:

Yeah, sure.

Jason Meller:

That spurred a few more. I’m curious, even a company as young as Watershed, were there any workflows that actually broke as a result of moving to SSO, and then you kind of found out, oh, maybe it’s a good thing that those broke, or this is now an opportunity to kind of change the culture around something? Was there any of those types of moments that …

Jesse Kriss:

That’s a good question. I don’t think there was anything that straight up broke that way, where we had to really scramble and say, “oh, this isn’t going to work at all,” which was a pleasant surprise. I think the closest thing that it makes me think of is that there’s…

We use Google Endpoint protection, as well, specifically for securing the Google Cloud console and API use. And that’s great, and it’s very similar, and it’s confusing that we have both, and we kind of need to maintain both.

So that’s an area where I just wish there were a little more, I don’t know if consolidation is the right word, but to be able to solve across the board with one solution, rather than say, oh, well, here, you need to use this, and here, you need to use that, right?

Jason Meller:

… Right, and I would say that I think a lot of people are feeling that fatigue, even as a partner. There’s always this draw of like, we love how everything works together, but it would be great if it was just a little bit more…less vendor-y.

And I totally get that, and I think that ultimately, people have this noble goal of wanting to accomplish this, and right now, they’re willing to do it with whatever tools that they can find. The amount of people that we talk to every day, they’re just like, we didn’t even know you existed, we were just trying to build our own thing.

They did exactly what you did at Netflix, they’re just trying to cobble something together, and they’re making a lot of unnecessary user experience trade-offs, like, oh, we can’t really change it just for … We can’t block just one device, we’re just going to block the whole user even if one device is bad, and things like that.

And I think what I’m hoping to see is the vendor community is catching up a little bit, and they can be a little less bespoke, ball and wire type solutions, and people can actually get the support. Because it’s critical, it’s auth, and probably shouldn’t be something that’s running in a server underneath a cabinet somewhere, right?

Jesse Kriss:

Yeah, definitely. And I think there’s a piece here, too, about people’s mental models for these types of systems. A lot of these changes are, I think ultimately, pretty confusing for end users of all kinds. You’ve got passkeys, you’ve got device trust.

For such a long time, we had this mental model of, you have a username and you have a password, and that’s it. And then two-factor was like, okay, I have this other weird thing and sometimes I get text messages, and people got their heads around that.

But all of these changes now, the mental model for it and the expectations around that, are really shifting, and I also don’t think we’ve really landed on consistent UI patterns for it.

Jason Meller:

Yes, it’s all very new.

Jesse Kriss:

And so, I think that’ll just settle down over time, and it’ll be easier to streamline some of this experience.

Jason Meller:

It can’t be understated how long we’ve been dealing with username and password. And MFA, you’re right, it was a huge shift, but it was additive. Now we’re taking away… the core thing like our security blanket. We understood it, we kind of knew the risks associated with it, and now it’s gone, we don’t have passwords at all.

And now we’re dealing with all this tech, and we’re really trusting a lot of external parties that they have the crypto right, or if it’s a hardware token, that it’s made well and there isn’t something weird inside of it that’s going to mitigate all of its security.

The Costs and Benefits of Blending IT and Security (23:24-End)

So I totally get that, and I think that that’s why it’s so important to really invest heavily in the user experience side of this. As you know, it’s your entire background, these solutions will not work unless users feel like they don’t actually even have to activate their conscious thought, they just sort of float through the process, and then, the only time in which they’re disrupted is when it really should happen.

As soon as they’re not out of that mindset, then it’s kind of game over from there, and then it becomes an IT ticket. One more, how is the relationship between you and the existing IT support stuff? I imagine, it’s a small company, you guys are pretty close. Do you see that diverging, or your interests starting to wander in different directions? What do you think that looks like in a year from now?

Jesse Kriss:

Well, the year from now part is a good twist. I was laughing a little bit, because one of the side effects of starting in endpoint security and doing all this at that level is, very quickly, leadership at Watershed was like, hey, Jesse, could you also do IT? Could you take over that function?

And so, we are very tightly integrated, currently. In fact, there’s a combined security IT and infrastructure function now, so it’s kind of the polar opposite of larger companies, where the infrastructure security team might be miles away from the infrastructure team.

And I think it’s really one of the advantages that we have is, we can plan these things together, we can make these changes together. We can make sure that the pieces really fit together and that the goals align.

Jason Meller:

Oh, yeah, vertical integration that way is, I think, one of the best ways to achieve that. I mean, as a startup CEO, I have to wear three hats, and there’s often times where I’m like, this wouldn’t have happened unless there’s really like, only one or two people thinking about it.

But then there are other times where I’m like, the two hats that I’m wearing, there should be natural conflict there that isn’t happening, and perhaps there’s something being lost in that process.

And I imagine you might feel that way when you have to really balance the user experience side of it versus the visibility needs of the security apparatus that you’re building.

Jesse Kriss:

Yeah, they’re tradeoffs for sure. Sometimes it’s really nice to have someone who can solely advocate for one side of the problem and really push it.

Jason Meller:

Nice. Jesse, thank you so much for coming out here. Huge inspiration to me. Kolide wouldn’t be where we’re at today without the work that you did at Netflix.

Jesse Kriss:

Thank you so much.

Jason Meller:

I just remember reading it and being like, this is exactly it. I wasn’t able to fully articulate the right vocabulary to get there, but you had it exactly right, and I think you were five or six years ahead of your time even then, when it came out.

And it’s still ahead of its time, we’re still a very early stage company, but folks are finally understanding, in a world where we’re moving away from VPN, SaaS is sprawling everywhere, really need to get the user experience out of this right, otherwise, you can’t really do device trust, you’ll have to roll it back. I mean, it just generates all this misery for everybody.

Jesse Kriss:

Yeah, absolutely.

Jason Meller:

But thank you for the inspiration, and thank you for talking with me today.

Jesse Kriss:

Yeah, thanks, Jason. Thanks for having me.

Jason Meller:

Thanks, appreciate it.

Jesse Kriss:

Yeah, absolutely.

Want more perspectives from Kolide customers? You can watch more of our Oktane fireside chats here on the blog or on our YouTube Channel!

Share this story:

More articles you
might enjoy:

Customers
How Commonlit Balances Student Security and Employee Privacy
Kolide
Customers
For Databricks, Zero Trust Means Putting End Users First
Kolide
Deep Dives
The Twitter Whistleblower Story Is Worse Than You Think
Elaine Atwell
Watch a Demo
Zero Trust Access
Designed for Okta
Watch a Demo