Secret CSO: Mathew Newfield, Unisys

What do you feel is the most important aspect of your job? "... I believe the most important aspect of my job is to educate others on how to be good stewards of safe cybersecurity practices."


Name: Mathew Newfield

Organisation: Unisys

Job title: Chief Information Security Officer (CISO)

Date started current role: March 2018

Location: Reston, VA

Mathew Newfield joined the Unisys leadership team as the Corporate Chief Information Security Officer in March 2018. He leads the Unisys Corporate Information Security team with responsibility for design, development, and implementation of the company's corporate information security and risk programs across all regions and functions. Mathew has over 19 years of experience in Information Technology with a focus on Security, Software as a Service Operations, Risk Auditing and Management, and international Mergers and Acquisitions. Prior to joining Unisys, he was the Director of Global Managed Security Services for IBM where he had responsibility for delivery services in 133 countries and managed a staff of 1,500 security professionals.

What was your first job? My first real paying job was in the restaurant business at a McDonald’s in Northern Virginia as a line cook working the 4 a.m. shift making $4 an hour.

How did you get involved in cybersecurity? I took some basic programming courses, such as Fortran, while in college and had an interest in technology as it emerged. I was curious and full of questions. Luckily, I had a mentor who gave me opportunities to learn about technology and security, which tapped into my passion for solving complex problems.

What was your education? Do you hold any certifications? What are they? I graduated from George Mason University with a degree in Industrial and Organizational Psychology. There was no such thing as cybersecurity in the early 1990s, and I believe studying psychology was a decision that has served me well in my career. It gives me a different lens through which to see the human element of cybersecurity risk and resolution.

I have received many certifications, including MCSE and CCNA, over the years. The most recognised and enjoyable certification I have obtained is CISSP, which I have had for more than a decade.

Explain your career path. Did you take any detours? If so, discuss. My career path has not been linear by design. After my pivot from the restaurant business, I held roles as a systems engineer, a network engineer, a security consultant, and in information security and corporate security. 

I made a point to pursue cross-functional experience in all areas of security in an effort to gain a diverse perspective. The ultimate goal was to gain a good understanding of all the functional roles that reported into a CISO so that I could effectively build and lead a security team.  

Was there anyone who has inspired or mentored you in your career? Yes, I have been fortunate to have worked with some great leaders over the course of my career. One leader who stands out the most I crossed paths with early in my career: Jim Murphy, the former CFO for Cybertrust. He gave me opportunities to learn and was willing to take the time to answer my many questions. 

Most importantly, he helped me bridge between technology and the business. I believe this to be instrumental in how I align cybersecurity priorities to deliver desired business outcomes.

What do you feel is the most important aspect of your job? As a CISO, my responsibility to the corporation and Unisys clients is to identify risk, assess risk, and recommend actions to mitigate that risk.

However, I believe the most important aspect of my job is to educate others on how to be good stewards of safe cybersecurity practices.

What metrics or KPIs do you use to measure security effectiveness? Measuring security effectiveness can be a subjective exercise. I believe it most beneficial to design the security scorecard around the key goals of the business. The focus should be on putting mechanisms in place to allow the security function to showcase performance that is directly connected achieving business goals.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? It is no surprise that the labor market is quite competitive. The cybersecurity unemployment rate is 0% and has been for the last several years.

Our talent management strategy at Unisys has allowed us to attract and retain diverse security talent. In the cybersecurity field, I find that some skills can be taught, and some can’t.  

Clearly, security skills are important. However, I also look for candidates who are knowledgeable, well rounded, curious, can solve complex problems, think outside of the box, and are trustworthy and loyal.

All roles are hard to fill - partly because there is a misperception of the skills needed to be in the cybersecurity field. I believe it is about finding people with passion and capability.

Cybersecurity is constantly changing – how do you keep learning? I read a lot! However, I find the most valuable learnings come from talking to my peers and experts in the cybersecurity field. In fact, I recently partnered with Alan Shimel on a video interview series called CISO Talks that is hosted on TechStrong TV in an effort to bring those people together to explore emerging security topics.

What conferences are on your must-attend list? There is definitely implied value in attending conferences; however, I don’t have a must-attend list. I find myself at conferences where I was asked to participate either as a presenter or a supporter of a person, organisation, or affiliation that will enhance and/or compliment my responsibilities to the cybersecurity field or Unisys.

What is the best current trend in cybersecurity? The worst? The best is the shift from cybersecurity prevention to response. My philosophy is protectionism is dead, long live response because it’s not a matter of if you are breached, it’s a matter of when and most importantly how you respond. You don’t have enough budget to prevent an attack by investing in a myriad of protective technology. I am motivated to see organisations focus more on their approach to respond to a breach, even periodically simulating an attack to help bring a level of clarity to exposure, allowing the team to address the gaps that may exist.

Worst trend…let’s call this the Bothersome Trend. The attack surface for organisations has increased with a large number of people engaging virtually, whether they are working from home or learning from home. Bad actors are launching targeted attacks to exploit vulnerabilities of people who are relying on their home networks now more than ever.

What's the best career advice you ever received? Build a personal brand story based on your accomplishments in every job you have and make sure people know you for the right reasons.

What advice would you give to aspiring security leaders? Relationships are the most important thing for you to build and cultivate. It’s not always what you know, it is who you know – and, more importantly, who knows you. Build relationships with people you can learn from and lean on in your adult life and in your career.

What has been your greatest career achievement? Surrounding myself with strong team members who demonstrate a strong sense of curiosity, accountability, and loyalty.

Looking back with 20:20 hindsight, what would you have done differently? I would have gotten into the cybersecurity field sooner.

What is your favourite quote? A quote that I reference often is from the movie “The Day the Earth Stood Still” featuring Keanu Reeves. It’s about how people will change only when they’re on the precipice of destruction. Some may take this as a negative, but I think it’s a realistic perspective on what really drives a change in behaviour.

What are you reading now? Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, written by Andy Greenberg.

In my spare time, I like to… I like to build things, build lots of different things. One of my favorites is a 512 LED cube that I built with my oldest son.

Most people don't know that I… I grew up sailing on the Chesapeake Bay with my dad and brother.

Ask me to do anything but… give a presentation while eating brussels sprouts.