Career Notes 9.17.23
Ep 167 | 9.17.23

Karl Mattson: Remaining operationally focused. (CISO)


Karl Mattson: My name is Karl Mattson. I am the Chief Information Security Officer for Noname Security. 

Karl Mattson: I grew up as a military brat. My dad was in the Marine Corps and we moved around quite a number of times, and traveled a lot and so even as a young child getting to travel in China and Asia and through Europe, um, so for me it was a relatively obvious path for me to join the military and kind of do the same thing, which is exactly what I did about a year after high school. 

Karl Mattson: I think the real presenting question for me was, um, was how to do a college education and military service at the same time and that's really why I chose the Army because they had the best packages ultimately for, um, for not just GI Bill, but other programs to get a college education while in the service and so that was the branch that I chose. And I really lucked out also because I received the, um, the assignment of a career field as an intelligence analyst, um, which in the military is kind of like winning the lottery for a job. So I got the chance, you know, I think I was 19 or maybe 20 years old when I received my first security clearance and my first role working with NSA, and that was a real career break for me. 

Karl Mattson: I think that my career at NSA works a lot like it does in the commercial world for, for somebody who works in a SOC. So I, I worked as, as part of NSOC as my first assignment. So the first couple of years, um, were, we'll call it, shift work incident response. Um, and that's, that's developing reporting products and escalation paths, handling incidents in a way that at 25 years ago at NSA was standard practice, but only really became the kind of the normal pattern in the corporate world and then maybe the last decade. But I think that for an average SOC analyst working in a SOC today, um, that's pretty much exactly what my job at NSA was like. And then after a few years of that, then kind of graduated to more like a long term analysis role um, you call it day shop, and being a little bit, you know, working a way up the management chain a little bit, but it very much felt like a security operations role would today in security. 

Karl Mattson: I had a number of roles where I got deployed overseas, spent a couple of years in Korea, a year in Morocco, um, traveled around a bit. And then when I got to be about 30 years old, I decided that perhaps that it was time to grow up and get a normal job and perhaps start a family. So I moved home to Minnesota and worked for Target Corporation in IT and corporate security for a few years. The calling kind of came back to cybersecurity. So, first at Target, later at PNC Bank in Pittsburgh, and then I got my first, my first break as a CISO, working with City National Bank in Los Angeles. City National Bank then followed by PennyMac Mortgage Company. About 10 years in financial services as a CISO and security executive that really kind of brought me to Noname today. 

Karl Mattson: The majority of the first probably nine to 12 months, um, really was building out the internal security risk and IT functions, including the stack of technologies, um, bringing aboard the, the talent, um, and sort of establishing the program fundamentals and we did have amazing luck bringing in, um, extraordinarily talented people who now have been in place for over a year and need very little of my expertise or guidance on a daily basis and so my focus sort of increasingly is towards industry events and kind of customer success, certainly, um, but customer facing or outward facing because, um, you know, by and large, the team internally at Noname is spectacular and needs little more from me than the occasional chipping in of an opinion. 

Karl Mattson: I think my leadership style is largely to look at each individual and sort of take them as they are and where they want to go and wrap their job responsibilities and, and expectations around them. My experience has been that when the members of a team see the role they're in as number one it's a well compensated and rewarded position, but it's also an opportunity for them to build their career into what it is they aspire to do. So we want to center our security program around those skills, and then we fill the gaps with, with new people or new talent or services when that doesn't match with the team you have. 

Karl Mattson: I have for probably 25 years now been in sort of an operational mode of, of incident response or, or, you know, late night phone calls because something happened and that's, that was in 1998 and 1999 and it was true all through my career in the corporate world as a CISO as well and so to some degree, I think I've developed, I think of this probably as a good thing, but like emotionally calloused, in the terms of measured. So if there's a, um, a fire drill occurring, and I don't think that I'm fazed at this point and that just is my normal mode of operation that I've adjusted to over time. So I don't think a CISO who gets too high or too low is durable in the role. That also requires a little bit of attention to your own health and in your own self care really does make a person more, more resilient on a personal level. 

Karl Mattson: My recommendation would be to, um, to consider deferring gratification as long as possible. So, for example, um, people early in their career, um, looking at government service, those positions don't, you know, make anybody rich overnight. Um, but they are amazing career cornerstones to build on. The longer you go through a journey as a professional, like opportunities, advising companies and a lot of CISOs want to get into advisory work and that's, and that's wonderful and it's rewarding, but, defer that, um, use, use those opportunities to build relationships rather than, you know, make money right away.  

Karl Mattson: I have had the privilege of building a couple of security teams in my career, and also I've been a sort of adjunct university professor for about a decade. And, um, when I get a phone call or text message from a former student or a former employee on the team, that is overwhelmingly the most rewarding part for me is that those relationships have a, have a feedback loop to me on a personal level. I think of that's my sign of success is when those relationships persist over years, people come and go from different jobs and companies and career fields and those relationships that stay the same, that's what, that's what I lean into and say, that's my sign of success.