Secret CSO: Graeme Cantu-Park, Matillion

What metrics or KPIs do you use to measure security effectiveness? “We all measure security in different ways, but at the top level for our security team we measure maturity against the NIST Cybersecurity Framework.”


Name: Graeme Cantu-Park

Organisation: Matillion

Job title: Chief Information Security Officer

Date started current role: January 2020

Location: Manchester, UK

Graeme Cantu-Park is an Information Security expert with experience in multiple sectors, including e-commerce, fintech, and software. As a former UK Special Forces Officer, he is well-versed in team leadership as well as delivering upon technical engagements and managing large, diverse and complex teams. He serves as the CISO at Matillion, the data productivity cloud. He lives in Northwest England with his wife and children and enjoys skiing, do-it-yourself hobbies, and gym training in his spare time.

What was your first job? My first real job was answering phones for the QVC shopping channel while I was at school! In hindsight, I think it was a great grounding because it gave me a lot of client-facing experience early on. Learning how to deal with different types of people – both customers and colleagues – is a solid foundation for any career, and I was lucky to get that experience at the very beginning of mine.

How did you get involved in cybersecurity? I got into cybersecurity in the same way many people in my generation did. When I was ten or eleven, I started playing with computers - mostly building them. Later, I would play around with security-related tools, trying to break things and then rebuild them.

But it wasn’t obvious to me then that I would end up in cybersecurity. From there, it took me over a decade to go from cracking security tools to entering the professional cyber world.

What was your education? Do you hold any certifications? What are they? I grew up in the pre-YouTube and Reddit era, so I learned a lot about cybersecurity and computers from message boards and other resources. I wanted to join the army straight after my A-levels, but was advised to get a degree first, so I opted to study E-Business at the University of Liverpool.

Later in my career, I also studied for Master’s degrees in both International Security and Cyber Defence and Information Assurance at the Defence Academy. I also obtained a few cybersecurity certifications later in my career, namely OSCP and CISSP.

Explain your career path. Did you take any detours? If so, discuss. I knew I wasn’t made for a desk job or what you might deem a ‘typical’ career, and after a work experience day in a British Army barracks, I decided that would be my next step. So when I graduated from university, I went to Sandhurst to become a military officer and subsequently spent over a decade doing all sorts of things, including tours to Afghanistan, and honing my tech skills. Initially I joined the Royal Signals as an Officer, later climbing the ranks to Major, and at one point was stationed in an Electronic Warfare unit in South Wales, where we were responsible for intercepting and protecting signals transmissions.

I then joined the Special Forces (UKSF), where I spent a lot of time working on computer network defences. From there, I then ventured into the private sector, firstly at Banco Santander where I helped build security for a startup fintech organisation, and then as the Head of Global Security Operations for The Hut Group, a high-growth organisation where I built out their operational security from scratch.

From there I joined Matillion. We had 150 employees when I joined, and I was the company’s first security hire. But the company has grown massively since then; we’re now over 650 people and have a dedicated IT and security team.

Was there anyone who has inspired or mentored you in your career? I’ve worked with a fair few inspirational people throughout my career, people who have ‘dug in’ to complete challenges in the most austere conditions imaginable. I take a lot of inspiration and mentorship from my fellow CISO community; peer groups where lifelong bonds have been formed by people who are facing the same challenges in different organisations.

What do you feel is the most important aspect of your job? Ultimately the job of a CISO is to protect the business from security-related risks, but arguably the most important aspect of my role as Matillion’s CISO is the ability to create and sell high quality products. Good security ensures there is no friction for our customers in terms of compatibility and ease of use, which is a strong benefit for the company.

What metrics or KPIs do you use to measure security effectiveness? We all measure security in different ways, but at the top level for our security team we measure maturity against the NIST Cybersecurity Framework. This serves as a progressive baseline of industry best practices to allow us to score our security effectiveness. Beyond that, at a more tactical level we look at misconfigurations and product-related vulnerabilities, along with the time to patch or remediate the vulnerabilities. We also track most-used reports, security issues in sales and other customer-focused metrics.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? It remains difficult to recruit for security roles at a senior level. But I’m reluctant to attribute that fully to the skills gap; to my mind, there are definitely issues with hiring processes as well as a lack of talent supply.

In certain cases, expectations can be too high and many firms demand an unrealistic amount of experience, which immediately precludes an array of top talent. In reality, we should be giving more opportunities to younger candidates, or even placement students, who have all the energy and passion for security despite having little to no experience. I’ve seen in my time at Matillion that it usually only takes a few weeks for them to start delivering valuable results, so I’m a firm believer that investing in a candidate’s potential as well as their experience is extremely important.

Cybersecurity is constantly changing – how do you keep learning? I try to take a growth-led mentality: no product, person or process is ever complete. This is part of the Matillion values.

In practice, that means I’m always trying to understand what problems clients are facing and how we can solve them. So I keep a close eye on developments and trends within the cyber world, but also outside of it, too. My network of CISOs is usually a great source of practical knowledge, but I often also tap into our network of venture capital investors to stay on top of wider trends.

What conferences are on your must-attend list? My two top conferences are DefCon and InfoSec, which are both research-led conferences and fascinating to attend from a learning standpoint. But if I’m honest, I don’t attend many conferences. I tend to get more value from community-led events and chatting to CISO peers.

What is the best current trend in cybersecurity? The worst? We are seeing a greater focus on effective cybersecurity spend, which I think is the right way to go for companies inside and outside the industry, especially in the current economic climate. There is a lot of focus by big players on offering full stack security solutions. Office 365 E5 offers a plethora of security solutions all baked into the core platform, from EDR to CASB and SIEM.

The worst trend for me has to be aggressive marketing off the back of a breach; “did you know our solution could have prevented this?” It is rare that a single solution would be the answer to a multi-staged attack and I find it particularly poor form.

What's the best career advice you ever received? Whenever I’ve been confronted with an important career decision I’ve asked myself, “when you’re older, whisky in hand in front of a fireplace, will you be happy with your decisions and proud of what you’ve achieved?” I try to live up to that ambition with everything I do!

What advice would you give to aspiring security leaders? Never stop learning! We operate in such an ever-changing environment that it can be difficult to keep up with the latest threats and technologies, so it’s crucial to maintain that mindset of self-improvement, as well as the humility to admit that your knowledge is never complete.

What has been your greatest career achievement? I’ve had a lot of proud moments in my career, but passing my UK Special Forces selection has to be right up there. Getting into the UKSF is an immense challenge both physically and mentally, and I’m fortunate to have been successful on my first attempt. The testing here focuses on mental determination and resilience, and knowing that I have been able to come through that means that I will not shy away from future challenges.

Looking back with 20:20 hindsight, what would you have done differently? Not much; I have regrets, don't we all? But I have enjoyed my path to date. I had a great time in the Military, made friends for life and had unrivalled experiences and opportunities. There may have been more glamorous options and tactical decisions that I wish I had done differently, but I have ended up exactly where I want to be in a high-growth, high-culture tech company.

What is your favourite quote? My favourite quote is from Littlefinger in Game of Thrones: “Chaos isn’t a pit. Chaos is a ladder. Many who try to climb it fail and never get to try again. The fall breaks them. And some, are given a chance to climb. They refuse, they cling to the realm or the gods or love. Illusions. Only the ladder is real. The climb is all there is.” It’s particularly apt for early-stage start-up organisations where there is a huge opportunity available for those who are able to identify it and pick themselves up when things do not go to plan.

What are you reading now? I'm reading JK Rowling’s The Ickabog to my children if that counts! I’m not always the biggest reader, but of course I love to consume new content and Blinkist is excellent for that. It's an app that allows me to cram the key themes of a book into five minutes, and I can refresh on great books like Patrick Lencioni’s 5 Dysfunctions of a Team or try new titles. I have just finished Lead with a Story by Paul Smith.

In my spare time, I like to… Switch off! This sounds simple, but is difficult with a job like a CISO’s where there is the constant fear of the phone ringing in the evening with bad news. Switching off from work is important for mental health and resilience, so ensuring you have well-thought-through callout plans is important to allow you to switch off. I enjoy practicing mindfulness to try to focus on the present and decompress.

Most people don't know that I… Used to work at Disney World in Florida! I was not a costume or face character (the ones in fancy dress), but served as a lifeguard in the resorts. It was a great experience and again a humbling look at how customer service done right can have a lasting (and magical) impact on all guests.

Ask me to do anything but… Stand on the edge of a tall building. Despite being a parachutist, I have a huge fear of heights. I recently took my family up to the KingPower tower in Bangkok and pretty much crawled out to the ‘glass tray’ on the edge of the building. I hate heights, but I hate sitting within my comfort zone more. I try to find things that regularly push me far outside my comfort zone and look for an adrenaline kick.