In this engaging conversation, Chris Glanden interviews Mariano Mattei, VP of Cybersecurity and AI at Azure Solutions. Mariano shares his extensive background in software engineering and cybersecurity, emphasizing the importance of metrics in communicating security risks to executive teams. He discusses the challenges organizations face in quantifying security effectiveness and adapting metrics to the rapidly evolving threat landscape, particularly with the rise of AI. The conversation also explores the intersection of creativity and cybersecurity, highlighting Mariano’s passion for filmmaking and innovation. As they wrap up, they touch on future projects and the importance of maintaining a balance between work and creative pursuits.
TIMESTAMPS:
00:00 – Introduction to Cybersecurity and AI
01:44 – Mariano’s Journey into Cybersecurity
04:34 – The Importance of Metrics in Cybersecurity
08:57 – Challenges in Quantifying Security Effectiveness
12:04 – Adapting Metrics to Evolving Threats
14:31 – Creativity in Cybersecurity and Filmmaking
18:51 – Finding Balance Between Work and Creativity
22:25 – Future Plans and Projects
24:40 – Closing Thoughts and Fun Ideas
SYMLINKS:
Mariano A. Mattei – LinkedIn – https://www.linkedin.com/in/mariano-a-mattei
The professional LinkedIn profile of Mariano A. Mattei, offering insights into his career, experiences, and professional connections.
Security Metrics – Mastering the Data Behind Cybersecurity – https://www.manning.com/books/security-metrics
A comprehensive guide authored by Mariano Mattei, focusing on data-driven approaches to cybersecurity. Available through Manning Publications.
Mattei InfoSec – https://matteiinfosec.com/
A consulting firm founded by Mariano Mattei, specializing in Chief Information Security Officer (CISO) services and data-driven information security solutions.
Security Metrics – Manning Publications – https://www.manning.com/books/security-metrics
A comprehensive guide on quantifying cybersecurity efforts, helping organizations measure, improve, and communicate the value of their security programs.
Sacrum Vindictae Official Website – https://sacrumvindictae.com/
The official site for the film “Sacrum Vindictae,” providing information on the storyline, cast, crew, and upcoming events related to the movie.
This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.
Mariano Mattei: Thanks Chris, I’m happy to be here. Thanks for having me. Sure. It’s an interesting career. I graduated way, way, way back from Temple University in software engineering. I got out of college and started working for Navy radar missile guidance system programming. Was really exciting. I did that for about five years and then went private and hooked up with a great company called Soft Switch. And they eventually got bought out by Lotus, which eventually got bought out by IBM. The majority of my career was with IBM. And then we segued from software to managing what we call the SWAT team, which was a global team of highly specialized problem solution people who could handle high stress situations. SWAT is exactly what it sounds like. No one else can find or fix the problem. IBM says get boots on the ground. I fly myself or one of my people out on site. You know, everybody’s mad, nothing is working, everything’s on fire, and you have to take control of the situation to find and fix the problem, whether it was IBM software or not. What was interesting was I got really good at reading sniffer traces using Wireshark. And that’s when the light bulb went off about 15, 20 years ago, and I said cybersecurity’s the next big thing. We found maybe 80% of our problems by doing that, and a lot of it ended up being something malicious. When that light bulb went off, I went straight forward into cybersecurity. I’ve been doing consulting for the last 15, 20 years as basically a virtual CISO for companies, sometimes as a data privacy officer as well. And it’s more than just strategic recommendations. I like to get my hands dirty. I still code. I still do a lot of AI innovation. It’s a great time to be in cyber and AI and have that coding experience as a background.
Chris Glanden: Definitely.
And I think that technical expertise and that technical passion never really leaves you. It’s hard to escape that. Being a consultant, being a VC. I’m sure that security teams struggle to communicate risk effectively to that C suite or to the executive level. And I believe that metrics can help bridge that gap. But those metrics are misused or misunderstood. From your perspective as someone who has written a book on this and has researched it, talk to me a little bit about how security leaders can ensure they’re using metrics to drive decisions rather than just generating that nice looking PDF.
Mariano Mattei: Thank I mean, I like the nice looking PDFs, but the whole reason why I decided to write this book was I work with a lot of companies and I was surprised to find that I think I ran across two that collect metrics and report on them. And the thought was you would never go to a board meeting and not have your CFO put up slides that show exactly financially how the company is doing. I mean, they would be fired. Why aren’t cybersecurity professionals doing something similar? You have, most of the data is already there. And I tell people this all the time, start with the metrics you already have. You already have numbers. Now you’re not going to use those numbers to tell a story. I mean, it just seemed insane to me. I started doing research. I said, there’s got to be a book, something on this out there. And there wasn’t. I mean, there’s a lot of really good books on how to measure cybersecurity, how to measure. A lot of technical mathematical books. You know, there’s evaluating risk using FAIR, for example. All of those were great, but there was nothing that just.
Chris Glanden: Yep.
Mariano Mattei: me, because we’ve been going to conferences together for some time now. I tend to just talk normal. I don’t want to talk too technical. I can. I could talk to the engineering team. I could talk to the development team.
I could talk to the network analyst. But to put it in plain language for the C level, for the board level, collect metrics that help tie back into the business to show or tell a story, and that’s the important thing. That’s the whole reason why I came up with the idea for the book originally.
Chris Glanden: And I definitely want to talk more about that. But I think, teams that there is metrics there. There is metrics. Sometimes it’s not. There’s no substance there. With those metrics that they do include, are you finding that rely on some metrics that just aren’t actually useful at the end of the day? How could security teams focus on metrics that truly matter and make a difference?
Mariano Mattei: That’s really the hard part. That’s the hard part. How do you know what you’re collecting is really tying back into the business? Which goes to the question, do you really know what business you’re in? I remember someone told me at a conference, they said, if you know what makes your company money, if you really understand what makes the profit in your company, you’re golden. You’ve got job security. And everything you do should be towards that goal. It’s very, very similar when you’re collecting metrics, not to collect metrics for the sake of collecting metrics. How does each one of those metrics tie back into a business function that makes money for the company? And that’s the hard part. Now, I’ve been on job interviews where I’ve had a CISO ask me, he found out I was writing a book. He interrupted me. He says, what’s your top 10 metrics? I said, I don’t have a top 10. He didn’t like the answer. I didn’t get the job offer. But I don’t have a top 10. You have a top 10. Your company has a top 10. Do you know what your top 10 is? Because you should. And it’s not just about collecting metrics and reporting on metrics, but it’s what are the ones that are really going to help the business.
Chris Glanden: And I love that because there’s no straightforward answer because those metrics could vary. They’re variable. Exactly. They hate to hear that. But I mean, it’s the truth. Unlike financial and operational metrics, security metrics are often difficult to quantify because often security is perceived as a preventative of business rather than producing tangible output. In your opinion, what are some of the biggest challenges organizations face when trying to quantify their security effectiveness and how can they overcome those challenges?
Mariano Mattei: I think one of the keys here is relationships and communication. For example, most often the CISO would report into the CIO. And regardless of if it’s the CIO, once in a while it’s the CFO. And quite frankly, I would prefer the CFO because now you can talk the language that the business understands. They have all the numbers. Your CIO may have the numbers for their specific department, which is usually IT, of which cybersecurity is usually a percentage budgeted of IT expenses. And there are gray lines. How do you really substantiate, if you want to talk in terms of numbers, which I think is where you should end up if you’re doing a report for the C level or the board level, is talk in financial terms. How do you translate that into financial terms? How much is, for example, the data that you’re protecting? How much is your code worth if it’s a code base? I mean, you should be able to talk to someone who knows these numbers and can get you these figures. Because then you could say, well, it makes sense that we’re spending $300,000 a year on cyber to protect what is worth $2 billion. That tells a story. Look how little we’re spending to protect something that’s worth a lot.
And, sooner or later, there’s a lot of stories you could tell to different people with cybersecurity metrics, but if you’re going for that C-level board level, you have to somehow end up translating that into dollars.
Chris Glanden: I agree. I think the way that security teams build metrics that resonate with C-level, whether it’s CEO, CFO, have to tell a narrative that resonates with them. We all know how fast the threat landscape is evolving now, especially with you being involved with AI and seeing how the AI fueled threats are becoming even more aggressive. Sometimes a metric that was relevant a year ago may no longer be meaningful. In this circumstance, how should organizations adapt their security metrics to keep up with those emerging threats and those constant changes in technology?
Mariano Mattei: That’s the difficult part in this in general, even prior to generative AI hitting the market. And this, having been in the field for quite some time, it is constantly changing. It’s always this cat and mouse game of, how can we better defend, what new technologies are out that can be used for both good and bad purposes. I think that gen AI and agentic AI is really going to create some new metrics, which is great for me because I’ll have a second book coming out in a year or two. But it’s changing fast now.
Chris Glanden: There you go.
Mariano Mattei: I do a lot in AI, do a lot of coding with AI. I’ve created a pen test assistance using AI. Phenomenal. Scary, scary good. How are we going to start being able to measure that? I mean, that’s the greenfield opportunity there, is trying to figure out how it’s changing and what should we be looking at? What should we be measuring?
Chris Glanden: And how those attacks are coming in too, because a lot of times you’re just going to get hit with an attack. But that’s what you see.
And that’s what you’re putting metrics against. I agree with you. I think you always have to evaluate those different attack vectors.
Mariano Mattei: The types of attacks are changing. You have your voice now, which is easily duplicated via AI. Video is getting there as well. There’s a lot of social engineering type of attacks that have increased over just the last few months. We’re seeing more and more of it. How do you measure that? That’s a great question. I always tell companies to track the incidents. You have to track what’s coming in, make a report on it, do your forensics, document everything. It’s kind of a pain, but at the end of the day, it’ll start telling you a story. It’ll start painting a picture for you. Where are these attacks coming in? And then now where can we focus our defenses?
Chris Glanden: And we talked about this storytelling, and security leaders applying storytelling techniques. And I think you do that very well. And part of that because you’re also a filmmaker as well. Did you get into security while you were filmmaking, or how did that happen?
Mariano Mattei: It took me a really long time to find out that I guess I’m a creative type. Programming was another form of creation. I was a musician for many many years before becoming a filmmaker. And all of it really ties back into this. I have a creative side to my personality, whether it’s a good problem to solve in coding or in a company or in cyber or in AI or music or film, that if I don’t do something creative, if my mind doesn’t work that way, you, if you’re a creative, you know this, can’t just give it up. You start getting depressed, you start feeling something’s missing in your life. I need to drive. I need to constantly create something. And it ties back into what I do for a living. Would I love to be able to be a musician or a filmmaker full time?
I would love it, but it doesn’t pay the bills. You make the money to feed your family and yourself, but also to fund your creative side too.
Chris Glanden: You and I are in the same situation. I think creativity in this industry is important from many different aspects. And I think, I don’t want to discourage people that don’t feel they’re creative, because I think everybody has some level of creativity in what they do.
Mariano Mattei: I hear that a lot and I see it as well, and I’m, well, you do this and that’s creative. There is usually something. Most people that don’t think that they’re creative because they don’t paint, they’re not doing the typical artistic endeavors. There are other forms of creativity.
Chris Glanden: Absolutely. Yes, I encourage everybody just to exercise that creativity. I think that’s how we evolve as an industry. That’s how you evolve as a person. Not everyone’s going to have that same level of maybe a musical ability or storytelling ability. The goal is to start thinking differently. That’s the end game for what I would like to see. Because again, that’s how we’re going to push limits of what we do.
Mariano Mattei: I think one of the great things that came about from everybody working from home is you get to see their surroundings. Whenever I’m on a meeting, I’ll see, hey, what kind of guitar is that in the background? It’s surprising to see how many people actually do have that musician or painting or some kind of creative, and they’re in the IT field. Because I think it goes hand in hand.
Chris Glanden: I do too. I do too. Since I got into this industry, I’ve run into many musicians, and you would never know. You said in COVID, you would find out then. But I mean, I think it’s important to talk about those things. A lot of people will sort of mentally isolate themselves and their creativity from work.
Mariano Mattei: In the office you don’t see it.
Chris Glanden: And I think there’s a fine line there where you can bring that in, and it will help your career.
Mariano Mattei: I could tell you I’ve run a lot of workshops for AI innovation or innovation in and of itself. And one of the methodologies I use is the Disney creative method. If you’re not familiar with it, look it up. But it’s phenomenal at really pulling out from teams: How can you innovate using AI? How can you make something you have better? How can you create something new? How can you differentiate yourself from your competitors? I love doing those workshops and using that creative method to do it because it really gets everybody’s mind thinking in a different way. And they start tapping into that creative side. It’s fascinating. But I think creativity and this line of work go hand in hand.
Chris Glanden: That’s interesting. I’ll have to look that up. Mariano, where can our audience members that are listening to this find you online? And then also, is there a website that you can point people to to watch your films or to order your book?
Mariano Mattei: I mean, I could provide you with links, but basically to connect with me, I would just go to LinkedIn. You just find me, Mariano-A-Mattei, on LinkedIn. I have got, let’s see, I do many things. Where is, let’s go to, for the book. Security Metrics. We are in the midst of a possible title change, which I am happy about. My original title for the book was see by the numbers, because I felt that that really told the story. But they didn’t like it. We went with Security Metrics, which quite frankly is very boring and sounds like, why would you want to read a book called Security Metrics? But, you know, some of the feedback from all of the rounds that we’ve done and releasing the book early, if you go to that link, it’ll take you to the early access program, was that the title really does not sell what’s in the book. And we’re going through a title change process now.
Hopefully we’ll come up with something a little bit better. Maybe not see by the numbers, but something that has a better, more intriguing title. And then lastly, I mean, For All Is Productions is the main website, but our latest, Sacrum Vindictae, is the latest release that’s out on Amazon Prime. The original one is on Tubi. We released one about a year ago. Two was just released around the holiday season on Amazon Prime. And then after a little while, it’ll be released on Tubi and all the other streaming platforms. And we’re starting to shoot in two weeks the third and final chapter of this action revenge thriller seeking type film.
Chris Glanden: Nice.
Mariano Mattei: To start shooting that in a couple weeks. Let me, Sacrum Vindictae.
Chris Glanden: If you need an extra, hit me up.
Mariano Mattei: Haha, we do. Here’s Sacrum. You can find links to Amazon for one and two on there, but you can watch it for free. All is Productions is the production company. That’s how you can find me. With just a little bit of what I do. There’s more. There’s more to it.
Chris Glanden: What’s next for you? I mean, you’re in the Philly area. I am. What do you have on tap?
Mariano Mattei: I mean, hopefully the book is finalized and out in print in about a know, if people purchase it early that really helps me out to get them to release it sooner rather than later. Continue doing film, continue working, making money for my family and trying to have a great time while I’m doing all of this. Trying to get the, I’ve gotten some, I’ll be speaking on a panel for Secure World coming up in April.
Chris Glanden: Love it.
Mariano Mattei: I love getting up on stage, getting me back to my band days. We’ll see what happens. But it’s a good time to be in this industry, as.
Chris Glanden: I’ll be at Secure World as well. And you mentioned before, we’ve run into each other at AI conferences, at security conferences, happy hours.
I’m curious, from being in Philly, what’s your favorite bar there?
Mariano Mattei: Great. Good question. I usually like the little neighborhood bars. When I lived in South Philly, I moved out to Swarthmore not too long ago. They have some good places here, some Tino’s and Stinger’s. But I like those little dive bars that have really good food because I’m a foodie. I’m a cook. I don’t know if I told you this, but I was on Cooks versus Cons season one, episode 11. I’m a big time cook as well. But there’s a little bar called Tap Room on 19th that I used to go to. I used to walk around the corner. But the chef there really, every time you go to the bar, every week, the menu changed. And that’s what I love because then you could really try different things and the food was phenomenal and the drinks were phenomenal. It’s still there. The owner left. I think he might’ve moved to Costa Rica.
Chris Glanden: Is that place still there?
Mariano Mattei: But he opened up a Mike’s barbecue shop near passion Avenue, phenomenal barbecue. And then I think he ended up moving.
Chris Glanden: Nice. Nice. I’ll have to go check that out. I’m a foodie too, I’ll drive to get some good food. Mariano, I just heard last call. You got time for one more? If you opened a cybersecurity theme bar, what would the name be and what would your signature drink be called?
Mariano Mattei: I would have a drink called zero day, and every time you order it, it’s a different drink, a theme that changes weekly, because that would coincide with what a zero day exploit is.
Chris Glanden: Well, thanks for stopping by. It was great seeing you. I’ll see you again soon and you take care.
Chris Glanden: Mariano Mattei is VP of Cybersecurity and AI at Azure Solutions with over 30 years of software engineering experience. As a certified Chief Information Security Officer, he specializes in AI integration for advanced threat detection and predictive security measures within biotechnology, pharmaceuticals, and medical device sectors. He’s the author of the forthcoming book, Security Metrics: A Measurement Driven Approach to Cyber Risk Reduction, as well as an established filmmaker. Mariano, thanks for stopping by Barcode. Definitely. We have a lot to catch up on. But for the listeners that don’t know you, if you don’t mind, talk me through your background and what ultimately led you into a cybersecurity career.