CyberWire Daily - Karl Mattson: Defer gratification. (CISO) [Career Notes]
Episode Date: September 17, 2023
Karl Mattson, CISO at Noname Security, joins us to share his story. Having started out as a "military brat," traveling the world as the child of a Marine, Karl later joined the Army not long after high school. In the Army, Karl was assigned the career field of intelligence analyst and started working with the NSA. He says that was a real career break. Following the Army, Karl worked in the financial services world as a CISO. At Noname, Karl began by building out internal risk and IT functions into a strong, what he calls spectacular team. Karl recommends "deferring gratification as long as possible" when building your career. He says, "People early in their career, looking at government service, those positions don't, you know, make anybody rich overnight, but they are amazing career cornerstones to build on." He closes sharing the importance of relationships. We thank Karl for sharing his story with us.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
My name is Karl Mattson. I'm the Chief Information Security Officer for Noname Security. I grew up as a military brat.
My dad was in the Marine Corps, and we moved around quite a number of times and traveled a lot.
And so even as a young child getting to travel in China and Asia and through Europe.
So for me, it was a relatively obvious path for me to join the military and kind of do the same thing,
which is exactly what I did
about a year after high school. I think the real presenting question for me was how to do
a college education and military service at the same time. And that's really why I
chose the Army because they had the best packages ultimately for not just GI Bill, but other
programs to get a college education while in the service. And so that was the branch that I chose.
And I really lucked out also because I received the assignment of a career field as an intelligence analyst,
which in the military is kind of like winning the lottery for a job. So I got the chance,
you know, I think I was 19 or maybe 20 years old when I received my first security clearance in my
first role working with NSA. And that's a real, that was a real career break for me.
I think that my career at NSA works a lot like it does in the commercial world for somebody
who works in a SOC.
So I worked as part of NSOC as my first assignment.
So the first couple of years were, I'll call it shift work incident response.
And that's developing reporting products and escalation paths, handling incidents in a way that 25 years ago at NSA was standard practice, but only really became the kind of the normal
pattern in the corporate world in maybe the last decade. But I think that for an average SOC
analyst working in a SOC today, that's pretty much exactly what my job at NSA was like. And then after a few years of that,
then kind of graduated to more like a long-term analysis role. You'd call it day shop and being
a little bit, you know, working your way up the management chain a little bit, but it very much
felt like a security operations role with today in security. I had a number of roles where I got deployed overseas, spent a
couple of years in Korea, a year in Morocco, traveled around a bit. And then when I got to
be about 30 years old, I decided that it was time to grow up and get a normal job and perhaps start
a family. So I moved home to Minnesota and worked for Target Corporation in IT and corporate security for a few years. And then the calling kind of came back to
cybersecurity. So first at Target, later at PNC Bank in Pittsburgh. And then I got my first break
as a CISO working with City National Bank in Los Angeles. So City National Bank then followed by PennyMac
Mortgage Company. So about 10 years in financial services as a CISO and security executive.
That really kind of brought me to Noname today.
The majority of the first probably 9 to 12 months really was building out the internal security risk and IT functions, including the stack of technologies, bringing aboard the talent and sort of establishing the program fundamentals. amazing luck bringing in extraordinarily talented people who now have been in place for over a year
and need very little of my expertise or guidance on a daily basis. And so my focus sort of
increasingly is towards industry events and customer success, certainly, but customer-facing
or outward-facing because, you know, by and large, the team internally at Noname is spectacular
and needs little more from me than the occasional chipping in of an opinion.
I think my leadership style is largely to look at each individual and sort of take them as they are and where they want to go and wrap their job responsibilities and expectations around them. see the role they're in as, number one, it's a well-compensated and rewarded position,
but it's also an opportunity for them to build their career into what it is they aspire to do.
So we want to center our security program around those skills, and then we fill the
gaps with new people or new talent or services when that doesn't match with the team you have.
I have for probably 25 years now been in sort of an operational mode of incident response or late night phone calls because something happened.
And that was in 1998 and 1999. And it was the truth all through my career in the corporate
world as a CISO as well. And so to some degree, I think I've developed, I think of this probably
as a good thing, but like emotionally calloused in the terms of measured. So if there's a fire drill occurring, I don't think that I'm
fazed at this point. And that just is my normal mode of operation that I've adjusted to over time.
So I don't think a CISO who gets too high or too low is durable in the role. That also requires
a little bit of attention to your own health and your own self-care really does make a person more resilient on a personal level.
My recommendation would be to consider deferring gratification as long as possible.
So, for example, people early in their career looking at government service.
Those positions don't, you know, make anybody rich overnight, but they are amazing career cornerstones to build on.
The longer you go through a journey as a professional, like opportunities, like advising companies, a lot of CISOs want to get into advisory work.
And that's and that's wonderful and it's rewarding.
But defer that. Use those
opportunities to build relationships rather than make money right away. I have had the privilege
of building a couple of security teams in my career. And also, I've been an adjunct university
professor for about a decade. And when I get a phone call or text message from a former student or a former employee on the team,
that is overwhelmingly the most rewarding part for me, is that those relationships have a feedback loop to me on a personal level.
I think that's my sign of success is when those relationships persist over years.
People come and go from different jobs and companies and career fields and those relationships that stay the same.
That's what I lean into and say that's my sign of success.