As the co-founder of HashiCorp, Mitchell Hashimoto is credited with being the creator of Vagrant, Packer, Terraform, Consul, Vault and other DevOps tools. In addition, he's an O'Reilly author and a top GitHub user, whether gauged by followers, activity or contributions. That's quite a set of accomplishments for a young man who's still on the younger side of 30.
On Thursday, Hashimoto will be a keynote speaker at this year's All Things Open conference in Raleigh, North Carolina, where he'll also be giving a presentation, "Secrets, Certificates, and Identity With Vault," that afternoon.
Last week, while preparing for IT Pro's coverage of ATO, I had the opportunity to ask him some questions in an email exchange:
IT Pro: In June you stepped down as CEO at HashiCorp, a position you'd held since co-founding the company with Armon Dadgar in 2012, while remaining the company's CTO, a position I believe you share with Dadgar. What prompted you to give up the CEO position?
Hashimoto: I believe everyone has a "superpower," a skill you're exceptional at relative to other people -- a skill that you look at anyone else in the world and say "I can take them, bring it on" or that you have some hubris about. For me, that skill is building product. I don't mean just slinging code, but actually designing a solution to a problem and going through with it. I believe this about myself, but I've also been told this by others, including our own board. They've always been supportive of me as CEO, but also always encouraged me to "grow into my superpower." That means: hire an exceptional VP marketing, because my superpower isn't marketing. Hire an exceptional VP sales, because my superpower isn't sales, etc.
As this continued and as we built the executive team at HashiCorp, we found someone whom Armon and I immediately knew would be an exceptional CEO. In the journey to grow into my superpower, it felt right to bring in an exceptional CEO. What followed was many months of "dating" -- as I like to call it -- with this new potential CEO. Both sides have to understand each other, believe in each other, and agree with each other. Ultimately, this became the case and David McJannet joined as our CEO and my title changed to CTO.
I'm still growing into my superpower, but I'm closer to the product now than I have been in years and it all feels very right.
IT Pro: The dual role of CEO/CTO would seem to have been a natural fit for you. As a tween, unbeknownst to your parents, you launched Cheat Neopets, selling cheats you developed or found for the virtual pet game site Neopets. Then, as a student at the University of Washington, you raked in something like $500,000 from a service you offered students using a program you developed for registering students for classes. How did those early successes affect you as you moved out into the "real" world of serious career choices?
Hashimoto: My history starting businesses, projects, and more all played a critical role as I graduated and moved into real industry. I think the most important skill I gained was being versatile. I like to believe that I'm able to play many roles and think more holistically around the problems we're trying to solve and the solutions we're making to solve them. As a concrete example, our community often praises us on building software that is fun to use with good documentation while being extremely scalable. This is a small example, but it shows that we're not only focusing on strong internal technology, but on the design around the tool, the help process, etc. That is all still a smart part of the bigger whole, but I see a lot of projects on GitHub come and go (and fail) because they focus so heavily on only one aspect.
IT Pro: You've been an open source proponent for a long time, perhaps since you were a boy living at home with your parents. What first sparked your interest in open source?
Hashimoto: As any young child, I didn't have access to much money, or any money, most of the time. My parents provided for me comfortably, but I wasn't given any spending money above what I could earn on my own. I started programming before I could legally find a job, so I had no income. The only way I was able to learn to program was via open source software, since I couldn't afford to buy any software or even buy books. I had to find blog posts, example source code, etc.
This really started my love of open source as a valuable learning tool. It grew quickly from that to appreciating the value of community and open growth versus only paid engineers improving a project. I'm happy we're at a point now where even large enterprises are valuing open source very highly.
IT Pro: It wasn't that long ago that convincing the enterprise to adopt open source solutions was a pretty difficult sell. Although that situation has changed, with even Microsoft jumping on the open source bandwagon, I wonder if there are still companies that resist the suggestion to try open source solutions?
Hashimoto: Of course. Change takes a long time to propagate fully and I also will be honest and say that I do think there are still unanswered questions about open source in enterprise.
However, everyone is headed in the right direction and I'm confident we'll get there. As you said, really big important legacy companies like Microsoft are quickly becoming leaders in the open source world. This is important messaging to the resistant organizations, to show them "see, this is okay."
IT Pro: What are the unanswered questions about open source in the enterprise, in your opinion?
Hashimoto: I think the unanswered questions mostly revolve around inexperience. We haven't seen enough large-scale successful open source companies to know what happens to commercially supported open source over a long period of time. We have a handful of poster child examples, such as Red Hat, but in the grand scheme of things very few are comparable. I think there are still legal questions and lack of precedent around various licensing and copyright of open source. And I think some still question whether open source is really technically better than pure commercial software.
While I raise these issues or questions, I want to make it clear that I'm obviously on the optimistic side of things and believe that open source is here to stay. It can ship faster than pure commercial software, and it's more stable and secure.
IT Pro: How about the IT workforce? Are there still people, say working in DevOps, who're comfortable working within the Windows ecosphere but who're lost when it comes to Linux and open source?
Hashimoto: Definitely. I think the early DevOps movement had a bias towards Linux and Mac, but it is far past that point now. I've met some incredible engineers and contributors to our projects that only work on Windows issues or Windows improvements and are really just wizards when it comes to Windows, but know almost nothing about the other operating systems. I actually wish there were more of these folks earlier, since I think DevOps software generally was always "Linux first" and had issues running on Windows until later versions. We're guilty of that too sometimes.
I think Vagrant is a good example of software that helped bring a lot more Windows users into the DevOps fold. Vagrant didn't fully support Windows well until near 1.0, but once it did we saw a huge growth in download numbers and it gave Windows users an easy way to experiment with Linux from the safety of their machines. In addition to that, Vagrant can run Windows, too, so Linux users can learn about that ecosystem, though I've found they're a little more hesitant.
IT Pro: You're involved in cloud security through your Vault project, which you'll be talking about at All Things Open. What changes do companies need to anticipate in how they handle security when they move to the cloud, whether that be public, private or some sort of hybrid setup?
Hashimoto: The biggest change is the move from perimeter security to application security.
Historically, security was able to be done at the perimeter with a combination of various firewalls and intrusion detection systems. In many cases, you could quite literally point at a hole in the wall with network cabling coming in and say "this is where we can be hacked. This is where external traffic comes in." Driven primarily by the rise of cloud, this is no longer adequate nor best practice. There is no longer a single entry point to networks.
In addition to that, companies are now more interested in protecting against internal threats. The best solution to this is application-level security, where every connection between any two applications is secured. Firewalls, auditing, etc. are done on that level versus only on external-to-internal connections. This, of course, increases the complexity of security exponentially; you go from having to have a single strong set of firewall rules on the perimeter to, worst-case, having N-squared rules (for each two applications) to define security. This isn't realistic and therefore there is a need for better security tools.
This is the core of what Vault is trying to solve; we're trying to enable application-level security. Vault can store everything from secrets for a single application to being a CA to enable mutual TLS between applications in your data center, all while auditing all usage and API calls.
IT Pro: HashiCorp will turn 4 years old in November. Happy birthday, by the way. Any advice for any coders out there who are thinking of quitting their day jobs to follow in your footsteps with their own startup?
Hashimoto: I think the hardest lesson I've learned is that it is much more work than I ever imagined. For anyone thinking about quitting their day jobs, I would encourage them to follow their dreams, but I would also warn them that it will be many more times as much work as you may be used to in a standard day job. Given that, I could only imagine doing a startup for a problem you're truly passionate about. It's easy, when the excitement is on and things are new, to work on just about anything, but when you're years into long hours, long weeks, and various ups and downs, you need that passion to hold on to to continue.
Again, everyone has a superpower, a skill they're exceptionally good at relative to the rest. As a founder, your goal will be to find a way to leverage that superpower, but at the same time, you'll have to exercise other skills -- some you may not even have yet. I consider my superpower to be in engineering, but at various times during the four years of HashiCorp, I've had to wear a marketer hat, a sales hat, an evangelist hat, a support hat, an HR hat, a secretary hat, etc. And the people involved in the company expect you to be able to do those jobs. There are times I've found myself doing something where I've thought, "I have no idea what I'm doing, but I'm expected to do this well" and just started laughing. In those times, you lean on advisers and other experienced people around you. You won't like it, but you have to do it.
The good news is that as the company grows, you get to get closer to your superpower and closer to your true passion. It all takes time -- a really long time. HashiCorp in year one was so different than year two than year three and so on -- not only as a company but just for me personally. Throughout it, you'll learn a lot and you'll have a lot of fun, but it'll be a lot of hard work.
That's my advice. I see and talk to too many people who start a company through the lens of "fast paced success." Startups are super fast paced, but there is a lot of slogging in there you have to be prepared for.