Join us today with another interview in our blog series: Authenticated Answers! We sat down with Karl Mattson, CISO at Endor Labs.
At Valimail, we take our work seriously but try not to take ourselves too seriously. This value inspires us to get to the heart of what makes people unique and how it affects their careers to provide valuable advice, inspiration, and insights to people working with email daily.
In this lighthearted interview series, we connect with experts from the email, IT, security, ISP, and authentication spaces to learn more about them and their experiences.
Listen to the full interview here or keep scrolling for the highlights:
About Karl Mattson
Karl Mattson is the CISO of Endor Labs, marking his fourth time in a CISO role. He began his journey in the financial services industry, serving at City National Bank and PennyMac Mortgage before moving on to Noname Security.
His connection with Valimail dates back a decade to the early days of his first CISO role at City National Bank. It was then that he met Alexander García-Tobar and the Valimail team, forging a relationship that has spanned years.
Beyond his professional life, Karl is a dedicated father to three young children. During the COVID lockdown, he crunched the numbers and realized he had changed about 10,000 diapers while working from home—a testament to his ability to juggle security leadership and parenthood.
What’s an email security myth you wish more people would stop believing?
The myth is that there is a high rate of success in managing DMARC on your own. The do-it-yourself mentality is honorable.
But in this particular area of security, managing SPF and DKIM records, companies very rarely achieve a high degree of success. So, I think the myth is that this is a do-it-yourself problem.

Managing this on your own may be doable in the startup time frame when you’re a small company with only twenty employees. But it gets complicated quickly when you start adding different technology stacks and a larger employee base. It’s just one of those things that, as a security team, you probably need to outsource to a company like Valimail, which can handle it white-glove and error-free.
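The answer above argues that hand-managing SPF and DMARC records stops scaling once many sending services are involved. The script below, an added example that is not part of the interview or Valimail’s tooling, audits a constructed SPF record and DMARC record offline for two of the mistakes that creep in as vendors are added: exceeding the ten DNS-lookup limit that SPF evaluators enforce (RFC 7208), and a DMARC policy left at `p=none`. All domain names and record values are constructed placeholders.

```python
"""Offline sanity check for SPF and DMARC TXT records (added example, not
Valimail's or Endor Labs' code). Records are passed in as strings so it runs
without DNS access; in practice you would fetch them from the domain's TXT RRs."""
import re

# SPF terms that each consume one of the 10 permitted DNS lookups (RFC 7208 s4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10

# Constructed sample: nine third-party senders plus "a" and "mx" = 11 lookups.
SAMPLE_SPF = (
    "v=spf1 include:spf.crm.example include:spf.helpdesk.example "
    "include:spf.marketing.example include:spf.billing.example "
    "include:spf.hr.example include:spf.newsletter.example "
    "include:spf.survey.example include:spf.ticketing.example "
    "include:spf.cloudmail.example a mx ~all"
)
# Constructed sample: monitoring-only policy, reporting address present.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"


def parse_spf(record: str) -> dict:
    """Return the lookup count and the qualifier on the 'all' mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # implicit qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism or modifier name precedes ':', '=' or '/'
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    return {"lookups": lookups, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit(spf_records: list, dmarc_records: list) -> list:
    """Return human-readable findings for the common DIY misconfigurations."""
    findings = []
    # Multiple SPF records for one domain is a permerror for receivers.
    if len(spf_records) != 1:
        findings.append(f"SPF: expected exactly one record, found {len(spf_records)}")
    for rec in spf_records:
        spf = parse_spf(rec)
        if spf["lookups"] > SPF_LOOKUP_LIMIT:
            findings.append(
                f"SPF: {spf['lookups']} DNS lookups exceeds the limit of "
                f"{SPF_LOOKUP_LIMIT} (evaluates to permerror)"
            )
        if spf["all"] in (None, "+"):
            findings.append("SPF: missing or '+all' terminal mechanism allows any sender")
    if len(dmarc_records) != 1:
        findings.append(f"DMARC: expected exactly one record, found {len(dmarc_records)}")
    for rec in dmarc_records:
        dmarc = parse_dmarc(rec)
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


if __name__ == "__main__":
    for line in audit([SAMPLE_SPF], [SAMPLE_DMARC]):
        print(line)
```

Run against the constructed samples, the audit reports the eleven-lookup SPF record and the monitoring-only DMARC policy; every additional SaaS sender that is appended as another `include:` is what pushes a record over the limit, which is the scaling problem the answer describes.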
What’s the smallest hill you are willing to die on?
So, I have a very small hill that I am very committed to, and that is on LinkedIn, when I see one vendor talking trash about another. I will never, ever do business with that company ever again.
I won’t even talk to them. That’s a death sentence.
I work for a security vendor, and I’m very conscious of how companies talk about their competition. I go out of my way to be a gentleman to my competitors; I think that’s the right thing to do.
How did you get started in IT/Security? What do you love about it?
My entry to IT/security was entirely accidental. I was an analyst in the military with a non-technical role and received my assignment to South Korea. When I got there, it turned out that the NCO in charge of a data center was leaving the country at the same time.
So, I was assigned a data center to manage. They gave me the keys, and overnight, I was assigned the role of managing this IT organization. I spent the next two years learning the basics of server and network technologies, and leading an IT team—all the things that I needed to do to be a useful leader.
Being thrown into a leadership role forced me to learn things very quickly. For example, if it was something related to encryption in a network, I had to find somebody to teach me on the spot, go to the library, get a book, or Google something. I had to self-teach in the moment very quickly. It forced me to be resourceful and a self-learner, and these habits have served me well.
If you could instantly fix one major security flaw in the email ecosystem, what would it be?

I think the original sin of email is that some email service providers do not make multi-factor authentication (MFA) mandatory. Still today, that just seems outlandish and irresponsible.
For many years the largest providers resisted it. Gmail is a remarkably secure platform, and it has really set the standard for the best in email security on the user side. I just can’t believe it’s still not a requirement universally.
What’s the funniest or most bizarre phishing email you’ve ever received?
I received a series of emails from someone with a creative way of incentivizing me to look at the emails. The email subject line was: “I can lick my own elbow.”
Okay, that’s the strangest thing I’ve ever seen. So I opened the email.
This person proceeded to sell software services for some company, but they also described how only one in a hundred people in the world can lick their own elbow. They offered to show me if I clicked the link or had a meeting with them.
That’s the strangest way to get me to click a link. I went to LinkedIn to find out if this person was real. I was just fascinated by the oddity of this. Even though I knew it was a bot, darn it, I wanted to click it.
What’s a non-technical skill that has made you a better security leader?
I think the non-technical skill that is the most important of all skills as a security leader is the ability to identify and retain talent. Talent management is a part of my career that has been a strength. A CISO’s survival skill is to surround oneself with a diverse set of skills and people who have abilities I don’t.
Identifying talent requires enlisting the current team to help identify a person of a certain caliber. If we bring this person into the team, do they bring skills that we don’t have? Are they of a talented level that is going to raise everyone else’s skill level? It takes the other members of the team to identify that.
To keep them there, I think the key is to not let the organization be defined by the organizational chart. I think it is important to give talented people a little bit of autonomy to design the boundaries of their role, giving them some latitude to build a role with new boundaries.
How would you explain DMARC to your grandparents, friends, or relatives?
I would compare DMARC to the username and password that they use on a website.
Even my grandparents know that there’s a username and a password. But when emails are sent around the world, DMARC is the way that we use usernames and passwords to authenticate emails behind the scenes.

So I’d say that it’s comparable to that authentication process that you use online. But it’s the emails. And it’s how they talk to each other behind the scenes.
Liked this interview? We have a whole collection of Authenticated Answers guests to read.