In this week’s episode of The Future of Security Operations podcast, I'm joined by Matt Muller, Field CISO here at Tines. With over a decade of experience at companies like Material Security, Coinbase, and Inflection, Matt’s got a strong track record of scaling SecOps teams, building threat detection and mitigation programs, and driving trust and safety initiatives. His knowledge impressed the Tines team so much that we invited him to join the team as our first Field CISO.
Matt and I discuss:
Scaling Coinbase’s security team from 3 to 50 - and what it taught him about leading under pressure
Why security still struggles to communicate its value, and how to fix it
Matt's evolution from security leader to Field CISO, and how he keeps himself accountable
How CISOs are becoming the business’s chief risk advisors, and what that shift means for the future of security

In this episode:
[02:41] The origins of Matt’s insatiable appetite for all things security
[04:05] Matt's path from business degree to Director of Trust at Inflection
[07:07] Scaling Coinbase’s security team from 3 to 50
[08:41] Addressing security’s long-standing communication problem
[10:55] Why “failure wasn’t an option” when managing risk at Coinbase
[14:14] What led Matt to a product role on Material Security’s phishing protection team
[17:31] Building what customers ask for vs. actually solving their problems
[21:14] How Matt stays up to date with industry developments
[22:35] Matt’s favorite use cases for security automation
[25:25] Matt’s go-to automation best practices
[27:33] Cutting through AI hype to drive meaningful adoption
[30:32] How Matt keeps himself honest as a Field CISO
[32:21] Why the traditional SOC is broken - and what needs to change
[35:30] The role of diverse hiring in building a resilient security strategy
[39:00] What security teams will look like in 2030
[41:35] How CISOs are evolving to become chief risk advisors to the business
[43:30] Connect with Matt
TL;DL? Read Matt’s take on:
How his college consulting career led him to cybersecurity
“I did an undergraduate degree in business. Like any good, enterprising student, I wanted to make a little beer money on the side. I started a web design consultancy helping local businesses set up a web presence. One day, I realized one of these beautiful PHP websites I'd built was being used to send out spam. That was pretty outrageous. I wanted to figure out, ‘How did this happen, and how do I stop it from happening again?’ That’s the core of why I’ve done a bunch of blue team stuff over the course of my career - because it happened to me. My website was responsible for someone else having a bad day.”
After graduation, I ended up at a small background screening company called Inflection (acquired by Checkr). Because it was a startup, there was a bunch of work that, if nobody picked it up, it just wasn’t getting done. So I started gravitating towards the privacy, security, trust, and safety aspects of the business. I spent about 5 years there, and by the end, I’d built out their whole security program with an eye towards customer trust.
Setting risk management strategy at Coinbase
“We weren’t just protecting cryptocurrency or cold storage - there's so many other systems and endpoints. Once you start distributing an app, suddenly, every customer has some kind of access, through APIs, into your systems. We shifted the conversation towards risk very early on as the business was starting to go from startup into mature public company, and it really paid off. Since I've left Coinbase, there’s been no company-ending security catastrophe, which feels good. But there's so many tiny decisions and events that go into that outcome.”
Having zero incidents is never the goal. You want to have whatever the ‘correct’ number of incidents is - and I say correct number because incidents are a feedback loop into the business's risk appetite. They'll tell you if you're making the right risk bets, essentially.
Scaling Coinbase’s security team from 3 to 50
“I originally started more with a focus on customer security, trust, and safety. But it was an insanely fast-growing startup, so new responsibilities came along. My role evolved over time, adding detection response function, a threat intelligence function, and an insider threat SecOps platform.”
Those functions started to scale out, but it started with me and two other people. A lot of PagerDuty was where we began. This was where I got introduced to Tines - because three people trying to protect a company growing that fast just does not scale.
Best practices for automating security workflows
“Starting small and iterating is one of the [tips] I tend to come back to. It's almost like going to the gym - if you start trying to lift 400 kilos right off the bat, you're gonna have a pretty bad day. I think automation is a lot like that. You have to start with the small reps, and you have to make sure that whatever you're automating isn't just blindly translating whatever process you had before.”
Automation doesn't fix bad process - it just means the bad process will have more outcomes, faster. It's important to take a step back and say, ‘Is this actually a good process for us to automate exactly the way we have it today? Or do we need to reframe how this works? Do we need to do this at all?’
All things AI, from hype to use cases to security risks
“AI is a tool, one of many in your toolbox, and knowing when and where to use it is super important. The hallucinations, by the way, can be bad once you get off the happy path of your demo. I do think there's absolutely a time and a place that AI is incredibly helpful - but it's certainly not every scenario. I think the companies pushing to integrate AI into everything need to be asking, ‘Where is it useful? How often is it going to be useful here? And what's the worst-case scenario if it doesn’t work here?’”
I think it's important to push your vendors on their AI philosophy, especially AI for security operations. Ask, ‘What is the story around falling back to a human and sanity-checking the output of an AI?’ If they don’t have a good answer to that, it’s a bit of a red flag.
Why the SOC must collapse to evolve
“In SecOps, we all bemoan the lack of senior cybersecurity talent. But how are we bringing up people in a SOC? You start in a tier one job, you get a runbook that says, ‘Here's what to do on this ticket. Once you're done, throw it to tier two.’ You'll get no feedback as to what actually happened after that, right? So you don't actually get better at cybersecurity. You just keep doing the same thing over and over again.”
I think we need to enable our junior folks to work more things end to end, or as far as they can. Building better feedback loops is going to have to be the future of the SOC. Otherwise, we'll just continue seeing these talent gaps.
Listen to more episodes of the Future of Security Operations podcast.