Karl Mattson was at his third financial services firm when he realized it was time for something new.
“I found the pattern was familiar, and wasn’t bringing the best version of myself to work every day. I needed a new kind of challenge,” said Mattson, who for the past two years has been CISO at Noname Security, a developer of technology that detects and blocks API attacks.
“CISO roles in financial services are extremely difficult. I would never suggest that I had mastered it by any stretch. But there was a little bit of a burnout factor, and I needed a change of scenery, so to speak, to a new kind of challenge.”
Mattson had known Noname’s founders as a very early customer, so that eased the transition.
“In those early days, Noname was a very small company, so I knew everybody there,” he said. “So for me to join Noname didn’t feel like a risk or unknown because I knew the team, and I knew the platform very well. So it was a very natural fit for me to take the role.”
He landed the job while trying to find others to fill it.
“Originally the CEO asked me for advice on hiring a CISO. I introduced him to a couple of people he interviewed. But in the end, there were various factors that all supported me being a great fit for the company, and the company being a great fit for me.”
Mattson got involved in cybersecurity straight out of high school, when he joined the Army and was assigned to be an intelligence analyst at the National Security Agency. After about a decade there, he transitioned to the corporate sector, ultimately winning CISO roles in the financial sector. At Noname, he has dual internal CISO and public-facing CISO responsibilities.
In the latter role, his primary brief is to educate the general security community about APIs and associated risks. He does conferences and keynotes, and networks with CISO peers to build and maintain a customer base. He also runs a 20-member CISOs advisory board for Noname.
“The opportunity of joining a startup early in its lifecycle is an all-hands-on-deck experience every day,” Mattson said. “By helping to build essentially from a blank whiteboard, that really taps into everything that I have as a professional to offer.
“Everybody has to wear every hat all the time while you’re in a growth phase, whether it’s doing financial budgeting or helping recruit new engineers, or trying to pick out an office space,” he added. “The great thing about working for a startup is that you get to touch and feel everything. You participate in all facets of the business. In a startup, if it’s not there and you need it, you have to build it yourself.”
Mattson’s experience in large enterprises trained him to understand what Noname’s customers expect from a security vendor “because I was that customer for a decade,” he said.
“I can tailor my focus to making sure that we’re doing things at Noname that are in line with exactly what our customers expect. I can put myself in the customer’s shoes very quickly and help us calibrate to make sure that we’re hitting the mark for the customer.”
Not all prospective customers have enough staff or skilled enough staff to adopt Noname’s software, so the biggest challenge is to make it as easy as possible to use, and to equip teams to be successful by enabling them to use the technology, he said.
“The missing ingredient for success is not commonly a technical issue,” he said. “It’s more commonly a discussion about how we can make this simple for the customer so we’re not adding more work, that we’re actually making life easier and better.”
Mattson expects to see more CISOs shift into related roles in the security ecosystem.
“There are a significant number of CISOs who are at points of their career where they’re experiencing burnout or their resources are limited, and they have a mission that almost feels impossible,” he said. “More and more CISOs are looking at adjacent career moves, whether to a vendor or a VC firm, or an advisory role.
“We need to embrace being a farm system of talent, and to promote the healthy circulation of talent.”
The ability to manage talent is the No. 1 skill a CISO needs, Mattson said.
“Attracting and equipping and retaining key talent in an organization will be overwhelmingly the most important thing a CISO can do for the organization’s health and security,” he said.
“Then we start on prioritizing risk, prioritizing budget, and managing the department’s resources to maximize the risk reduction. The other part is business enablement: How do we position the security organization as an asset to an organization rather than a cost center? That’s an important facet.”
Corll is also looking for opportunities to train the next generation, and “give back to a community that has given so much to me.”
“I needed that mentor years ago, and I like training others and helping others. It makes me feel good when I can help somebody else,” he said.
Right now he’s directly mentoring several people.
“That first role is extremely difficult. So I like to sit down with people, virtually and physically, and walk them through how they need to present themselves, and the training they should have,” he said.
“After they get a little bit of polish, I start using the professional network to make some introductions, after understanding what area of cyber they’re interested in.”
In another expression of his desire to give back, Corll is a board member of Join the Journey, an organization that gives microloans to businesses that would not be able to find other sources of funding.
“They give microloans to women in Zambia, and it allows them to start a business,” he said. “So it changes their lives. It betters the lives of their families and their communities.
“When I learned about the organization, I knew I had to go help there. I wanted to be more actively engaged than just throwing money at it. I wanted to employ skills I have learned in life to help this organization have a greater impact.
“I’ve only been with them 18 months, but it’s been long enough to truly believe in the vision.”