Secret CSO: Karl Mattson, Noname Security

What is the best current trend in cybersecurity? “The best trend is the move to ephemeral microservices workloads.”

Name: Karl Mattson

Organisation: Noname Security

Job title: Chief Information Security Officer

Date started current role: July 2021

Location: Minneapolis

Karl Mattson has over 10 years of experience in cybersecurity and joined Noname Security in 2021. He has established rigorous standards for operational and security excellence and helps support Noname Security’s ongoing platform progress based on its customers’ needs. Mattson’s key strength is described as coaching and educating cybersecurity companies on listening to and interpreting the pain points and priorities of enterprise customers. These insights then help drive effective product strategies, go-to-market strategies, and ongoing customer success.

What was your first job? I enlisted in the US Army back in 1998 and was assigned the occupation of Signals Intelligence (SIGINT) analyst.

How did you get involved in cybersecurity? In the late 1990s, traditional intelligence analysis of radio and satellite communications evolved slowly to include elements of computer and network communications. My involvement happened very slowly over the years.

The first role I landed as a CISO was at City National Bank.

What was your education? Do you hold any certifications? What are they? I have a BA in Business Administration as well as an MBA, plus an MS in Computer Information Systems from Boston University. I hold several professional certifications including CISSP, CRISC, CGEIT and CISM.

Explain your career path. Did you take any detours? If so, discuss. I enlisted in the Army at a young age and fortunately received intelligence analysis as my occupational field and served for eight years on active duty. I then transitioned into the corporate world, spending 10 years in the financial services industry, including five years as a CISO. My biggest career detour has been departing large organisations and corporate life for Noname Security, my first startup and first security vendor position.

Was there anyone who has inspired or mentored you in your career? The person most impactful on my career has been Jacquie Rivera, my very first squad leader in the Army, who later became a Command Sergeant Major in the Army’s Cyber Command. Jacquie has been a constant voice of encouragement and sets an incredible example that she lives up to, which I aspire to even 25 years later.

What do you feel is the most important aspect of your job? Providing members of my team with the resources, training, and coaching for them to be effective in achieving both their operational goals and long-term career progression.

What metrics or KPIs do you use to measure security effectiveness? We heavily utilise the NIST CSF framework as our guidepost for developing a mature and robust security program. The NIST CSF framework is also mapped to other standards and program metrics to reflect our program to external stakeholders.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Fortunately, Noname is a net beneficiary of the “great resignation” due to our welcoming of talent from all over the world to contribute to our mission. Our flexibility gives us a great advantage in recruiting talented cyber professionals no matter where they’re based.

Cybersecurity is constantly changing – how do you keep learning? I actively participate in several CISO community forums to collaborate and learn from the best of my peers. My everyday role keeps me reasonably sharp, at least with regard to the technical skills required of a CISO.

What conferences are on your must-attend list? I’ll be signing up to attend Cybertech Tel Aviv 2023; it’s a world-renowned exhibition for cyber professionals.

What is the best current trend in cybersecurity? The worst? The best trend is the move to ephemeral microservices workloads. Security teams struggle with legacy technologies which do not age well over time. Serverless functions, APIs and containers are workload types which have far shorter life cycles and risks can be addressed far more quickly…when done right, of course.

The worst trend is the deployment of automation without the prerequisite process designs and internal capacity to realise the remarkable value of automation. As a result, technology goes unutilised or even becomes detrimental to the security team as complexity and costs increase without gaining value from automation.

What's the best career advice you ever received? The best advice was to dive headfirst into a Scrum methodology for delivering security projects. Since implementing this project management framework, it has dramatically increased our team’s productivity and also helps drive each team member’s sense of ownership and participation in priorities and objectives. Team morale and retention are far better with this underlying work operating system. I credit our underlying methodology for day-to-day execution as the primary ingredient in this success. (All credit here goes to Cyrus Tibbs, Brent Kennedy, and Julio Juarez.)

What advice would you give to aspiring security leaders? Moving towards career objectives long-term can be severely limited if the person is not willing to relocate or is not willing to work on projects without compensation. Not every city has a wealth of great positions open - and it may be necessary to move. Second, groups like InfraGard, OWASP, etc. have tremendous potential to accelerate one’s career through special projects and personal network development. Dive into these kinds of programs, whether or not there is compensation involved. Build the relationships and build a CV of meaningful experiences, and the job offers will come.

What has been your greatest career achievement? In 2003, I was the platoon sergeant in my intelligence unit. After several months of preparing a group of six soldiers for promotion, I had the privilege of pinning all six soldiers with their promotion stripes at one ceremony. I took great personal pride in seeing this group of soldiers through their development, and it will remain a personal milestone.

Looking back with 20:20 hindsight, what would you have done differently? I would have taken more time early in my career to develop a more thoughtful approach to managing a team. For example, topics such as handling conflict, career development planning and diversity in hiring. I arrived at several insights and techniques as a leader that I wish I had learned many years earlier.

What is your favourite quote? The old military saying, “Great organizations are those which do routine things, routinely well”.

What are you reading now? What the Dog Saw: And Other Adventures by Malcolm Gladwell.

In my spare time, I like to… Play piano, guitar and sing with my young children.

Most people don't know that I… am much shorter in real life than I appear on Zoom. It’s been noted several times to me in the COVID era when I meet someone in person for the first time.

Ask me to do anything but… I have never and will never drink coffee, wine, or beer.