In this week’s episode of The Future of Security Operations podcast, I'm joined by Matt Johansen. Matt is a security veteran who has helped defend startups, the biggest financial companies in the world, and everything in between. Alongside his day job as Head of Software Security at Reddit, he teaches companies how to protect against cyber attacks, and coaches entrepreneurs and CISOs that need help with infrastructure, application, cloud, and security policies. He also writes Vulnerable U, a weekly newsletter that talks about embracing the power of vulnerability for growth.
Matt and I discuss:
Moving from a large security team at Bank of America to a small one at Reddit
Embracing scrappiness and doing more with less
Overcoming sunk-cost fallacy
Why the 2014 Sony hack was a pivotal time for AppSec
Running the threat research centre at White Hat
What he looks for when hiring in AppSec, the SOC and beyond
His decision to start creating content about mental health in security
Moving past imposter syndrome
Renouncing superhero culture
Paved paths and guardrails, and what comes next after "shift left"
Lessons learned from Reddit's 2023 security incident
The power of automating incident response
The Future of Security Operations is brought to you by Tines, the smart, secure workflow builder that powers some of the world’s most important workflows.
Where to find Matt Johansen:
Where to find Thomas Kinsella:
Resources mentioned:
The Tech Professional's Guide to Mindfulness by Matt Johansen
Matt's piece on developer experience in the Vulnerable U newsletter
Reddit's post on a February 2023 incident
Collaborative Incident Response Best Practices: Don't Rely on Superheroes by Matt Johansen
Threat modeling depression by Matt Johansen

In this episode:
[02:14] Going from long-time Reddit user to employee
[04:50] Running AppSec at Reddit
[07:30] Being the internet's punching bag and boxing gloves
[10:30] Building a team from scratch at White Hat and lessons learned from the 2014 Sony hack
[15:10] Matt's approach to hiring
[21:15] His decision to create content about mental health in security
[23:20] Turning his Twitter network into his IRL network
[27:55] Moving past imposter syndrome
[30:00] Tools for safeguarding your mental health in incident response
[36:20] Preserving work-life balance for his teams at Reddit
[39:15] Moving past "shift left", and paved path to production and guardrails
[47:40] Lessons learned from a February 2023 incident at Reddit
[51:20] Renouncing superhero culture
[52:20] Automating incident response
[54:12] Connect with