CSO Conversations: Matthew Hansen, Regional CSO of Americas West
CSO Conversations is a blog series interviewing Okta’s Regional CSOs, who support David Bradbury, Okta’s Chief Security Officer, in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership.
What motivated you to pursue a career in cybersecurity?
I started my career working in the risk consulting practice for a Big 4 firm and learned that cybersecurity was a critical component for customers in highly regulated industries. A significant influence in shaping my career in risk management was my primary focus on the financial services, pharmaceuticals, aviation, and oil and gas industries, each of which has unique regulatory and security requirements.
How has your past audit and regulatory compliance experience shaped your approach to cybersecurity today?
My journey of risk management consulting and internal audit has given me broad exposure to a number of industries, frameworks, and regulations. But I believe it presents a common theme: companies have implemented the Three Lines of Defense framework. Often, operationally speaking, employees still overlook risk management as “not their problem.” I’m motivated to be an agent of change and help companies address their risk through an Identity risk-based lens.
What are your thoughts on the importance of vulnerability management in cybersecurity?
Like everything in the tech world, the vulnerability management landscape is constantly evolving. Organizations need to prioritize not only how they protect their businesses and stakeholders but also how they tactically respond to weaknesses before attackers can exploit them. With budget and resource constraints putting more emphasis on automation efficiency and AI, we see organizations scaling at incredible speeds in reducing their risk of exposure or attack.
If you could provide a few short cybersecurity words of wisdom to Okta customers, what would they be?
When looking at your organization's identity evolution, don't just “throw the kitchen sink” as the only solution. Instead, try to create specific, measurable, achievable, relevant, and time-bound goals to methodically tackle cybersecurity problems.
In your opinion, what is the impact of cybersecurity awareness in today’s organizations?
The first line of defense in any organization is its people. Throughout my career, I’ve found that cybersecurity maturity and security awareness among your employees must be in unison for a strong fabric of cybersecurity DNA. You cannot have one without the other. The level of maturity and strength of your security culture can have a double-down effect on increasing accountability, promoting ownership, and strengthening how your organization manages risks.
In what ways do you demonstrate Okta’s corporate values in your day to day?
Okta’s core values are deeply rooted principles that guide our day-to-day decisions and actions. This translates to a unique set of tenets that drive our interactions with customers to help build trustworthy relationships, uplift their identity posture, reduce security friction, and produce positive security outcomes. To make Okta and our customers the most secure companies in the world, we’re placing big bets to deliver on our OSIC initiatives and elevate Okta as the industry leader in Identity and cybersecurity.
In your opinion, does achieving compliance equate to a strong security posture?
Yes, and no! Let me explain… For SaaS companies like Okta, our maturity measurement is gauged both internally through various compliance frameworks like SOC 2, ISO 27001, NIST CSF, etc. and also by our customers.
But what you read and what you see can have disparities. For example, suppose your company completes a SOC 2 attestation with a clean opinion and no control exceptions. In that case, it's a sign of success based on those controls your organization has defined and implemented. Or is it just a piece of paper that shows an independent audit firm assessed your controls based on prescriptive guidance but with no substantive value to the organizations receiving the report? Therein lies a core problem: your controls were assessed by a subjective assessor.
Regulators are starting to pick up on the quality of attestations and are putting more emphasis on third-party risk functions to objectively observe control execution with their own eyes. Attestations are still needed and are a great tool to measure your internal control effectiveness. But perception is a two-way street and if we want to elevate the measurement of success in the cybersecurity industry, we need to cast a broader net to our audiences to truly understand what a strong security posture should look like.
From your perspective, what is the most fulfilling part of your role as Regional CSO?
As a self-proclaimed ‘Agent of Change,’ the most fulfilling part of my role is participating in security and compliance discussions and helping our customers tackle the challenges head-on. While every customer engagement has a different look and feel, at Okta, we’re all working towards a common goal to elevate the Identity industry and make Okta and our customers the world’s most secure companies.
How do you describe your Regional CSO role to non-technical friends and family?
In the words of my amazing wife, “Matthew helps protect our daughters' data and privacy.”
What key challenges do you predict the cybersecurity industry will face this coming year?
While Artificial Intelligence is buzzing in everyone's mind and will become a game changer for organizations, I believe the risk concentration in the cybersecurity supply chain will be the next layer of scrutiny organizations accelerate with. As large enterprises have invested more in cloud-based solutions over the last 5-10 years, we’ve seen the evolution of attacks become more persistent and successful. While this reliance on cloud-based tools can enhance operations, many of those tools depend on open-source components, opening the door to compromise thousands of users at once.
Concentrate that risk with large vendors, handling thousands of customers, and the attack vector can disrupt entire industries. For example, you buy a smartphone, and the supplier that manufactures the processor has identified a security flaw. The phone manufacturer can check its Software Bill of Materials (SBOM) to see which models use that processor and issue a fix or recall the device.
Organizations need to work with their critical vendors and assess the supply chain. SBOMs are important tools in your risk management program that help improve transparency, so organizations know exactly what they’re using and can address security issues before they become problems.
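The SBOM lookup described in the smartphone example above, as an added illustration that is not part of the interview and not Okta's tooling: given one CycloneDX-style SBOM per product, find which products ship a flawed component and which other components in each product are built on top of it. The two SBOM documents, the product names ("model-a", "model-b"), the package URLs and the "flawed" firmware version are all constructed sample data.

```python
"""Query CycloneDX-style SBOMs to answer "which products are affected?"

Added example for the supply-chain discussion; the documents below are
constructed sample data in the shape of CycloneDX JSON (components plus a
dependency graph), with hypothetical product names and package URLs.
"""
import json

# Constructed sample: one SBOM per phone model. Components are identified by
# package URL (purl); "dependencies" records which component pulls in which.
SBOMS = {
    "model-a": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "device", "name": "soc-x1", "version": "1.0",
             "purl": "pkg:generic/soc-x1@1.0"},
            {"type": "firmware", "name": "soc-x1-fw", "version": "2.3.1",
             "purl": "pkg:generic/soc-x1-fw@2.3.1"},
            {"type": "library", "name": "libcrypto", "version": "3.0.9",
             "purl": "pkg:generic/libcrypto@3.0.9"},
        ],
        "dependencies": [
            {"ref": "pkg:generic/soc-x1@1.0",
             "dependsOn": ["pkg:generic/soc-x1-fw@2.3.1"]},
            {"ref": "pkg:generic/soc-x1-fw@2.3.1",
             "dependsOn": ["pkg:generic/libcrypto@3.0.9"]},
        ],
    }),
    "model-b": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "device", "name": "soc-y2", "version": "2.0",
             "purl": "pkg:generic/soc-y2@2.0"},
            {"type": "firmware", "name": "soc-y2-fw", "version": "1.8.0",
             "purl": "pkg:generic/soc-y2-fw@1.8.0"},
            {"type": "library", "name": "libcrypto", "version": "3.0.9",
             "purl": "pkg:generic/libcrypto@3.0.9"},
        ],
        "dependencies": [
            {"ref": "pkg:generic/soc-y2@2.0",
             "dependsOn": ["pkg:generic/soc-y2-fw@1.8.0"]},
            {"ref": "pkg:generic/soc-y2-fw@1.8.0",
             "dependsOn": ["pkg:generic/libcrypto@3.0.9"]},
        ],
    }),
}


def components_by_purl(sbom_json: str) -> dict:
    """Index a CycloneDX JSON document's components by package URL."""
    bom = json.loads(sbom_json)
    return {c["purl"]: c for c in bom.get("components", []) if "purl" in c}


def products_shipping(sboms: dict, name: str, affected_versions: set) -> list:
    """Return the (sorted) product IDs whose SBOM lists `name` at a version
    in `affected_versions`. Exact-version matching keeps the example small;
    real advisories usually give ranges, which need a proper version parser."""
    hits = []
    for product, doc in sboms.items():
        for comp in components_by_purl(doc).values():
            if comp["name"] == name and comp["version"] in affected_versions:
                hits.append(product)
                break
    return sorted(hits)


def dependents_of(sbom_json: str, purl: str) -> set:
    """Walk the dependency graph backwards and return every component that
    directly or transitively depends on `purl` (i.e. what else is affected
    inside one product when that component is flawed)."""
    bom = json.loads(sbom_json)
    reverse = {}
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            reverse.setdefault(child, set()).add(dep["ref"])
    seen, stack = set(), [purl]
    while stack:
        node = stack.pop()
        for parent in reverse.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


if __name__ == "__main__":
    # Hypothetical advisory: soc-x1 firmware 2.3.1 has a flaw.
    print("products with flawed firmware:",
          products_shipping(SBOMS, "soc-x1-fw", {"2.3.1"}))
    # A flaw in a shared library shows up across several product lines.
    print("products with libcrypto 3.0.9:",
          products_shipping(SBOMS, "libcrypto", {"3.0.9"}))
    print("model-a components built on libcrypto:",
          sorted(dependents_of(SBOMS["model-a"], "pkg:generic/libcrypto@3.0.9")))
```

The second query is the point of the exercise: the same open-source library appears in both product lines, so one advisory maps to several products at once, which is exactly the concentration of risk the answer above describes. In practice the SBOM would come from the vendor and the affected-version list from a vulnerability feed or a VEX statement, and version matching would use range comparison rather than an exact set.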