Secret CSO: Matthew Sharp, Logicworks

What is the worst current trend in cybersecurity? “Heavy requirements for entry-level jobs.”

Name: Matthew K Sharp

Organisation: Logicworks

Job title: CISO

Date started current role: April 2017

Location: New York

Matthew Sharp is the Chief Information Security Officer at Logicworks, responsible for information security governance, risk management, strategy, architecture and compliance. Sharp is a business-savvy cloud executive bringing stakeholders together in a commitment to cybersecurity best practices that balance mission, risk, and regulation. He combines his business acumen and robust background in cybersecurity operations, sales, consulting, and management to harvest tangible business outcomes and promote enterprise cyber resilience. Sharp currently advises several security organisations including Coalfire, CyberGRX, NopSec, and YL Ventures, and is an Official Member of the Forbes Technology Council and former Advisory Board Member of the Ithaca College Cybersecurity Program and Cavirin Systems. Sharp is also a best-selling author featured in the Forbes Executive Library.

What was your first job? I was a golf caddie at Green Gables Country Club when I was 12.  I carried a golf bag for 4 ½ hours to earn 14 dollars. It certainly taught me the value of money.    

How did you get involved in cybersecurity? I stumbled into cybersecurity by accident.  After I graduated from college, I worked for a 3D animation company building websites.  I didn’t love writing code, so I decided to make a change. At the time I was interviewing at Chili’s for a server position, and with Coalfire as a helpdesk manager. I got the role with Coalfire.  

What was your education? Do you hold any certifications? What are they? I obtained a BS in computer electrical engineering with a certificate in embedded systems from the University of Colorado, Boulder. Years later I got an MBA from Colorado State University.  Along the way, I was certified many times over, including: CISSP, CCSP, AWS SA – Associate, Microsoft Certified Azure Admin Associate, C|CISO, PCI QSA, PCI PA-QSA, CISA, PMP, CIPP, EnCE, DDN QTE.  I’m currently pursuing NACD Directorship Certification. 

I’m also certified as a bartender, spin instructor, yoga teacher, and as a PADI Master Scuba Diver™. For a time, I trained for a private pilot certificate. I decided after a solo flight and a cross-country flight that it was too expensive and risky for my taste. I never completed the course work.

Explain your career path. Did you take any detours? If so, discuss. I was hired at Coalfire and eventually transitioned into a pen test role. That later led to roles in GLBA assessment and PCI audit. Eventually, I transitioned into a sales role with Optiv (formerly FishNet Security). From there, I moved into an operator role to run the global security program for Crocs, and most recently I moved to NYC to build a robust cyber program at Logicworks, a leading software-driven public-cloud operations company. 

I had several detours–namely a 15-month round-the-world trip in the middle of my tenure with FishNet.  Five years later, I indulged in a multi-month trip to South America after completing my MBA coursework. That led to a brief consulting engagement in the Bahamas. Then, in 2016, I attempted to co-found an MDR company. Unfortunately, with term sheets fully negotiated, we received a call the night before we were supposed to sign.  Our fund manager informed us that their portfolio took a hit, and they couldn’t afford to take the risk on our venture. So, I joined Logicworks just over five years ago now.

Was there anyone who has inspired or mentored you in your career? Mentor: Tony Truschel, who hired me into the helpdesk at Coalfire, has been a consistent mentor over many years.

Inspiration: I’ve been inspired by many: Malcolm Harkins, Mark Weatherford, Jeff Weeks, Rich Seiersen, Jay Leek–not to mention Gary Fish, and the late Rick Dakin.

What do you feel is the most important aspect of your job? Matching the control environment to our stated risk appetite by influencing others and aligning with key value drivers.

What metrics or KPIs do you use to measure security effectiveness? Most recently, a loss exceedance curve that features Exposure to Loss by Yearly Probability.  Before our efforts in Cyber Risk Quantification, I would have said simple efficacy measures like % of agent coverage for services designated as Crown Jewels, or adherence to internal SLOs for vulnerability mitigation. The Metrics Manifesto is changing my opinion on those measures.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? At Logicworks, we have been fortunate to have success in such a tight talent market, in part because of the innovative technology-forward nature of my current employer, independent recognition of a thriving corporate culture, strong diversity, and perhaps also because of the thought leadership our team demonstrates in the market.  That said, DevSecOps and IAM roles have proven most difficult for our Talent Acquisition team to source.

Cybersecurity is constantly changing – how do you keep learning? I learn from my colleagues in the business, the teams I manage, the boards I serve on, podcasts, certification bodies (DDN / NACD), industry conferences, and other literature such as the books featured in Cybersecurity Canon.

Certainly the research we did for The CISO Evolution was educational as well. 

What conferences are on your must-attend list? I think it depends on what you want.  It could be networking, efficient access to key vendors, strong content, access to talent for specific roles, etc.  I find that Gartner Security & Risk Management Summit and the RSA Conference offer me the most value, personally.

What is the best current trend in cybersecurity? The worst? Best Trend: SEC requirement for proxy disclosure about the board of directors' cybersecurity expertise, if any.

Worst Trend: Heavy requirements for entry-level jobs.

What's the best career advice you ever received? Develop project management and public speaking skills.

What advice would you give to aspiring security leaders? I wrote a whole book on the topic! Develop foundational business knowledge, communication, and leadership skills.  For more specific guidance, The CISO Evolution is available in digital, audio, and hard copy.

What has been your greatest career achievement? The CISO Evolution is my greatest career achievement to date. For me, what started as a desire to make a statement has gradually revealed itself as an opportunity to refine how an industry identifies itself. Given the early indications and humbling community feedback, it has become clear that in a few short months we’ve been granted a privileged position to influence many thousands of security leaders globally. With the support of the cybersecurity community, I have only begun to recognise that this book is quite possibly a defining cornerstone of my personal legacy–that was never the intent.

Looking back with 20:20 hindsight, what would you have done differently? I love the feeling of accomplishment and learning, but I hate the struggle along the way.  If I could do one thing differently it would be to slow down and appreciate the accomplishments while savouring the process required for personal growth. If I had . . . I’d be in the same place, with much less wear for the miles. More importantly, I would have shared more tenderness and joy with the people that supported me most.   

What is your favourite quote? “Between stimulus and response there is a space. In that space is our power to choose our response. In our response lies our growth and our freedom.”— Viktor E. Frankl, a neurologist, psychologist, and Holocaust survivor.

What are you reading now? The Metrics Manifesto and The Cyber Defense Matrix

In my spare time, I like to… Spend time with my son. Currently that means playing cars or taking him to places like Dave & Buster’s, Chuck E. Cheese, Coney Island, the swimming pool, or the river.

Most people don't know that I… worked at Victoria’s Secret for a summer during high school.

Ask me to do anything but… a repetitive task.