Secret CSO: Matthew Ireland, NTT Research

What advice would you give to aspiring security leaders? “Success in security requires an organisational behaviour change, and that happens after identifying top priorities first…”


Name: Matthew Ireland

Organisation: NTT Research

Job title: Chief Information Security Officer

Date started current role: March 2021

Location: I work in Sunnyvale, CA, but live near Des Moines, IA

As Chief Information Security Officer for NTT Research, Inc., Matthew Ireland oversees information security, privacy, risk, compliance, physical security and more for the organisation’s three research labs and its collaborators. Ireland is a technology leader with management experience in security services, consulting, financial services, healthcare, manufacturing, law enforcement and emergency services and has three decades of technical experience in information security, IT systems, networks and enterprise operations.

What was your first job? After earning my associate degree, my first job was working as desktop support for Mercantile Trust & Savings Bank in Quincy, IL.

How did you get involved in cybersecurity? A wonderful woman named Stacey Eddy-McGrath was my first IT Manager at my first adult job with Mercantile Trust & Savings Bank. She took a risk by hiring me several months before I graduated with an associate degree. She saw my potential, encouraged me to become a Certified Novell Engineer (CNE) and a Microsoft Certified Solutions Expert (MCSE) within the first 12 to 18 months of having the job and formally set me on my current career path. Unfortunately, she passed before I was able to share these successes with her, but she taught me invaluable lessons about management and helping to foster the careers of junior staff members.

What was your education? Do you hold any certifications? What are they? I earned an Associate of Applied Science Degree in Computer Systems and Networking from Indian Hills Community College in Ottumwa, IA. After, I attended Capella University to earn a B.S. in Information Assurance and Security. Then, I continued with Capella University for an M.S. in IS/IT Management.

Among others, I hold Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC) and Certified in Homeland Security (CHS) certifications.

Explain your career path. Did you take any detours? If so, discuss. I’ve known since grade school that I wanted to pursue a career in technology. Starting on a TRS-80 (and, shortly after, a Tandy 1000) and with subscriptions to TRS-80 and BASIC magazines, I learned quickly how to push technology past its design limitations. In high school, while taking classes at a community college, I even managed to gain access into the high school’s Novell network (fortunately, the statute of limitations has since expired).

As a young professional with Mercantile Trust & Savings Bank, I expanded my knowledge of networking, training and gaining CNE and MCSE certifications. I used that knowledge to advance as a server administrator with Glenayre Electronics, continuing to expand my horizons to LAN and WAN, then Checkpoint firewall SME.

But in 2008, while working for a company called Harland Financial Solutions, I pondered my career path and faced a distinct obstacle: After several false starts, I had not yet earned a degree beyond my associate. Recognising a ceiling in my career advancements, I embarked on a journey to a bachelor’s degree. In just under five years of nights and weekends, I had earned a bachelor’s. With encouragement from others, I continued forward and earned a master’s degree in 2014.

With advanced degrees in hand, I joined NTT Security in 2016. After being fortunate enough to work with several different divisions of NTT, I finally worked my way up to CISO of NTT Research.

Was there anyone who has inspired or mentored you in your career? I’ve been blessed with several incredible mentors, including Stacey Eddy-McGrath, who I wrote about above.

In addition to Stacey, I greatly respect John Petrie, who asked me what I wanted to professionally be, while he was a vice president and CISO with Harland Clarke Holding Corp. in 2007. Being unsure at the time, I said, “I guess some day I want to take your job.” I was not at all qualified at the time, but John helped me to complete a gap assessment, plan my professional future and continued to check in on my future—even after I was no longer working with him.

Dave Beabout, a consulting services vice president, also took me under his wing and taught me to navigate that field. Even with no formal consulting experience, he entrusted me with the practice lead role!

What do you feel is the most important aspect of your job? Demonstrating SHARED value is vital. Security must be the department of KNOW—not the department of NO. Understanding your organisation’s business vision is also key to ensuring tight alignment between security strategy and business strategy.

Ultimately, it is important to teach non-security business leaders why they want to embrace security while also teaching security practitioners why they need to understand business goals.

What metrics or KPIs do you use to measure security effectiveness? I use several:

  • Executive leadership support: do non-IT and non-security executives have your back?
  • Employee Experience: does your general userbase understand that security is everyone’s responsibility? Do they feel restricted in doing their job?

Security should be as invisible as possible. Am I doing my part to ensure security controls are fit-for-purpose, appropriately managing the business risks, AND do the users feel like their productivity is NOT stifled?

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? For NTT Research, we collaborate with a wide range of academic institutions and organisations that assist us with filling niche specialties that are unique to our business. As an industry, however, we must ensure that diversity is embraced across the board to allow individuals of all backgrounds an opportunity to apply their knowledge and experiences to the next information security breakthrough.

Cybersecurity is constantly changing – how do you keep learning? Moore’s Law continues to apply, but what sometimes seems counter to Moore’s Law is age and brain development. As mature leaders, we need to uplift those younger and more agile than us. Don’t look to younger people as “not doing it your way” – look at them as you would have liked your older leadership to look at you 20 years ago.

The next thing I do is find trusted solutions partners. I find those partners who are staying ahead and embracing the things I have spoken about previously. I’ve spent years working with and leading my local volunteer fire department, and I urge everyone to avoid what I sometimes see in some areas of fire service: “100 years of tradition, unimpeded by progress.” Don’t be afraid to change with the times.

What conferences are on your must-attend list? I believe conferences that best promote networking have the most value, and RSA is a great example. It presents a great opportunity to connect with both professional and corporate peers. And while businesses like Amazon and Walmart or FedEx and UPS may be corporate competitors, security professionals should always be on the same side. We all slay the same dragons, we just sometimes do so a bit differently. Collaboration helps fast track the learning of what works and what works better. We are all on the same team.

Gartner is also a fantastic conference series, and several Gartner conferences serve not only as a great networking opportunity, but also as leading-edge solutions briefings.

What is the best current trend in cybersecurity? The worst? Best trend? Zero trust—and not just as a buzzword. Let’s jump on this trend and see it get moving in the right direction. In my opinion, it is a single source of truth for identity and a risk-based approach to identity (access, entitlements, reports, etc.) that is extremely transparent to end users.

Worst trend? The worst trend is the haste by some in bringing “AI solutions” to the market. Security is an art that requires us to balance the profound capabilities of advanced computing with the innate advantages of the human mind and experience. 

What's the best career advice you ever received? Always have a plan B and a plan C.

What advice would you give to aspiring security leaders? Keep your head on a swivel, and do not get too bogged down in one thing. Also, recognise that you cannot change the entire organisation in one day. Success in security requires an organisational behaviour change, and that happens after identifying top priorities first and then gaining support from the C-suite by connecting those priorities to shared business value.

What has been your greatest career achievement? Seeing team members who used to report to me and clients to whom I have provided strategic advisory consulting continue forward in multiple areas of success. I have realised that although I can impact the world with my own hands, I can multiply my impact on the world by helping others find success.

Looking back with 20:20 hindsight, what would you have done differently? Early in my career, I was frustrated that my IT peers were not embracing security. I was frustrated that various C-suites did not understand technology and security to the details that I did. Only later in my career did I recognise the need for shared value and the slow investment of educating others to collaborate and build that shared value over time.

If I could go back 30 years with that one piece of knowledge, it would be scary cool how much more of an impact I could have had along the way.

What is your favourite quote? “Everybody is a GENIUS. But if you judge a fish by its ability to climb a tree, it will live its whole LIFE believing that it is stupid.” - Albert Einstein

What are you reading now? Currently, I am reading The Hero Factor: How Great Leaders Transform Organizations and Create Winning Cultures by Jeffrey Hayzlett and Jim Eber.

In my spare time, I like to… VOLUNTEER. It is important to give back to the community where you live, work and play! Boy and Girl Scouts, church, civic groups, professional organisations, schools, etc. Anywhere that your gifts and the needs of your community meet should be assessed as opportunities to have an impact. Invest the gifts you have been given to impact and improve others.

Most people don't know that I… Hate to realise that I don’t know something. When I learn a little about a new topic, I have to be careful, or I will hyper-focus on it for days or weeks, digging in and researching every nuance. This habit can be especially difficult when shopping for an expensive item like a house or when a piece of technology is not working optimally.

Ask me to do anything but… Eat creamy or liquid melted cheese. I really prefer to not be in the same room as melted cheese, and my friends think I am crazy because I love pizza, mozzarella sticks, & cheeseburgers…