Interview with Matt Heff - CISO at SecurityMetrics, Inc

Shauli Zacks

SafetyDetectives spoke with Matt Heff – who is not only the CISO at SecurityMetrics, Inc. but also a paleontologist. During the interview, they discussed topics such as AI, cybersecurity, compliance, stopping threats against small businesses, and the similarities between hunting hackers vs. hunting dinosaurs.

Can you give me a brief background about yourself and your role as the deputy CISO at SecurityMetrics, Inc.?

Who doesn’t love a good origin story, right? For many of us cybersecurity folks, we always have good origin stories. Currently, I am the CISO here for SecurityMetrics, Inc., based in the Silicon Slopes of Utah. My main role is leading a team of threat hunters, chasing bad guys on behalf of many small and medium sized businesses, including a couple of larger enterprises in there too. But the coolest part of my origin story is that I do a lot of paleontology work to AVOID industry burnout. So, I’m both a CISO and a paleontologist! I am lucky to have two (2) dual careers: hunting dinosaurs and hunting hackers. And I’ll tell you, it makes for a really cool, interesting conversation. When I come home from work, my kids are like, “Daddy, did you hunt hackers today or dinosaurs?”

Long story short, to give you a quick background, I started my career a very long time ago before the internet ever really took off. I think a lot of us fall backward into cybersecurity, and it’s always because of some story like, “I need a vulnerability scan guy,” or “I need you to patch something.”

Sometimes it’s that we’ve been breached, can you respond? This actually happened to me. It was 2007, and I was working at TJ Maxx, Marshalls, and Home Goods. They had a huge breach, around 45.6 million credit cards were leaked at the time. This was (at the time) one of the largest credit card breaches. So, that’s where I got my start! Between then and now, I’ve had career stops at NBC Television, General Electric, and most recently, I worked for a very large international casino firm helping to secure their casinos in far-off places like China and Singapore. Now, I’m the CISO at SecurityMetrics, Inc. My education and certs are pretty deep, including Cornell, Pepperdine, Villanova, and Devry.

What is SecurityMetrics, Inc., How do they help businesses identify, assess, and mitigate their cybersecurity risks?

I would NOT have come to SecurityMetrics, Inc. if it was NOT an amazing place. We have this full catalog of cybersecurity services for SMBs (small to medium-sized businesses) and enterprises. So while we are well known for the compliance and risk stuff, we have this stunning catalog of cyber tools for SMBs.

Stunningly, we just celebrated 23 years in the cyber business with the SAME CEO since our founding.

We were recently at RSAC Cybersecurity conference (May 2023), and received an award for the “Most Comprehensive Cyber Team.” SecurityMetrics, Inc covers nearly EVERY flavor of compliance from PCI, HIPAA, GDPR, HITRUST, NIST and others. Then we stack in the cybersecurity services and programs such as all the flavors of penetration testing, SOC as a Service designed for SMBs, eCommerce tools to protect online shopping carts, security awareness training – plus so much more.

We try to provide a really unique, customized, white glove boutique experience without the boutique prices of the larger competitors. We focus on providing a very high level of customer service. Examples include drilling down the scope for your engagement, customized quotes based on the size of your business, and picking up the phone in 30 seconds without a very long phone tree. We proudly have a low turnover, with over 72+ employees who have been with us for 10+ years, which is unbelievable when you consider the high turnover world of cybersecurity. So, SecurityMetrics, Inc. is a VERY special place.

What are the most significant cybersecurity challenges and trends that organizations are facing today?

Everybody’s talking about AI. So many cybersecurity firms are putting AI into their products and services. Beyond the ethical considerations with AI, there are so many different flavors of AI which adds to the confusion. It is important to remember that we’re at a major inflection point in time, and our industry has these threat actors that are collaborating faster than ever on the dark web, and now they even have a corporate structure to their operations. These dark web businesses are giving salaries and benefits! We have all these businesses trying to minimize and downplay their breach notification announcements. These breach notifications tell you the bare minimum and are not very helpful.

There’s a huge gap between the security “haves versus the have-nots.” We are seeing a huge trend where many small to medium sized businesses (SMBs) think they can’t afford cybersecurity, but the reality is they can, thanks to companies like SecurityMetrics, Inc. Beyond all that, the speed and advancements of phishing are incredible, and these tactics are evolving so fast that your cybersecurity awareness training really should be ongoing, monthly or even weekly with these fast-evolving phishing campaigns.

The first thing that I see is all these cyber firms that are layering in AI. The challenge with that is it’s the wild west with AI right now, and there are different flavors of AI – generative AI, responsible AI, human-centered AI – you name it, there are all these flavors, and as industry practitioners, we are overwhelmed. Complicating matters, any business with any sort of threat hunting or SOC is overwhelmed with alerts, warnings, and false positives. So, hyper-automation can help with the constant onslaught of alerts and cyber incidents, which can be difficult to manage.

I’m really excited about decentralized identity. I’m tired of passwords, which I am sure many others are too. This also includes helping businesses evolve beyond zero trust and role-based access.

How does a company ensure that the payment processing environment is secure and up-to-date with the latest trends since it’s constantly evolving?

This is a very tough space to be in. It is also evolving at a fast pace with the introduction of the new PCI 4.0 standards. SecurityMetrics, Inc is really fortunate since we are helping to lead the PCI 4.0 changes industry wide. We actually serve on the PCI Council and help provide guidance and recommendations based on what our PCI clients experience day to day. I think one of the things you have to look for is choosing the right partner when you do anything in the PCI compliance space.

This means narrowing down the scope to focus on what you really need to become PCI compliant. Many competitors try to oversell compliance going way outside of the PCI scope. If it were me, I would engage a PCI partner who will be assigned the same QSA person throughout the entire process. In other words, the same person to help with:

  • Ideally, you want a 2-step validation process – collecting the correct PCI evidence within scope.
  • You want a prep work partner to ultimately ensure the process goes as smoothly as possible.
  • You want the same person to perform the assessment, staying within scope, BUT offering helpful recommendations to the business to lower their risk posture.
  • You want the formal assessment presented by the same person BUT include actionable steps.
  • You want a partner who will NOT stop working with you after the engagement ends.

It’s really a magical process when you get that person who really understands your business and has helped you tighten the scope. You want the best quality, thorough audit without cutting corners, all wrapped into a smooth process that you feel good about.

If I had a FINAL recommendation for your audience when it comes to securing their payment environments, that two-step validation process is critical. You want a partner who has touched the evidence, seen the evidence, read the evidence, experienced the evidence, and with absolute certainty, can say you can meet the Simultaneously, there has to be a balance – knowing that no one is cutting corners or wishing away requirements just because you don’t pass a certain requirement.

I know we touched on AI already, but can you talk about how companies can adapt to the technology while still protecting their user data?

It’s such a Wild West world right now. And because it’s a Wild West environment, we don’t know what is considered good quality AI versus junk and garbage. No one in the industry seems to have figured out what variety or flavor of AI is best for their products or services. Now imagine that at some point, AI matures enough that our industry can layer in all these different flavors and types of AI. We are also working to define the ethical, governance, risk, and compliance concerns with no frameworks, best practices, or industry standards.

My challenge to anyone considering adding AI into their business is always to do what’s best for the business – with one caveat. Remember, this is fringe technology that is not matured yet. Any time you bring anything new into your environment, if it goes wrong, you and the company can be held liable.

Please share some of the most common mistakes that businesses make when it comes to cybersecurity and how they can be avoided?

The #1 thing that I see time and time again (especially for small to medium-sized businesses, SMBs) is they do NOT know what’s in their environment. Many businesses struggle to know what assets are in their environment. And you can’t protect what you don’t know.

Once you have an idea of what assets are in your environment, then you can develop a plan to protect the assets, lower your risk posture, and prioritize what crown jewels are important enough to keep the lights on and cash registers running.

Tell me about the dinosaurs. How did you get involved in that? What’s the coolest thing that you’ve found?

This is the interpretive dance part of the interview (laughing).

I think part of the problem with the cybersecurity industry is that we have many peers and colleagues facing a stop at “Burnout Central” at some point in their careers. What I found was really important to my mental well-being, was finding a passion that helps me take a break from technology.

What’s cool about cybersecurity is we are always exploring new things – that process of discovery is very similar to dinosaurs and fossils. Whether it is dinosaurs or hackers, we are trying to figure out new things, discover something exciting, develop a hypothesis, and provide context for what exactly happened. I am so lucky that I get two dual careers – CISO and Paleontology. Very soon, I will be out at Staircase National Monument working with the University of Utah and the Natural History Museum of Utah, airlifting Tyrannosaurus fossils out of the ground using gigantic helicopters!

Most recently, I was assigned a baby Gryposaurus! This is a duck-billed dinosaur. It’s really an interesting dinosaur. It’s a little baby. What I am trying to do is get all the fossils out of the rock and figure out how the pieces of the baby gryp go together.

If anyone wants to follow the cybersecurity adventures, check out the weekly cybersecurity awareness short videos on Youtube – SecurityMetrics, Inc channel. If you want to follow Heff’s global dinosaur adventures, check out his Instagram Channel @heff.heff.cyber.

About the Author

Shauli Zacks is a tech enthusiast who has reviewed and compared hundreds of programs in multiple niches, including cybersecurity, office and productivity tools, and parental control apps. He enjoys researching and understanding what features are important to the people using these tools.