May 11, 2025

Episode 29 with Matej Zachar

In this episode, Den Jones talks with Matej Zachar about his journey through cybersecurity leadership in Europe, the role of AI in content management, and the power of mentorship.

About our guest

Matej Zachar

Matej Zachar is the CIO & CISO at Kontent.ai, where he leads the IT and Security Team. He holds multiple certifications, including CISSP, CISM, CISA, CRISC, CIPM, CIPP/US, OpenFAIR, CCSK, SSCP, and ISO/IEC 27001 Senior Lead Implementer. In his role, Matej is responsible for both IT and Security strategy and program, governance, risk, and compliance at Kontent.ai. Under his leadership, the team has achieved significant milestones such as ISO/IEC 27001 and 27017 certifications, SOC 2 Type 2 Report, and compliance with HIPAA and GLBA, demonstrating a commitment to securing client data. Additionally, Matej and his team are deeply involved in Responsible and Secure AI, contributing to AI working groups in the Cloud Security Alliance and NIST, and leveraging AI for increasing productivity of internal and external customers.


Transcript

Narrator:

Welcome to Cyber 909, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and cyber aficionado, Den Jones taps his vast network to bring you guests, stories, opinions, predictions and analysis you won't get anywhere else. Join us for Cyber 909, soon to become 909 exec. New name, same podcast.

Den:

Well everybody, welcome to another episode of Cyber 909, your podcast for all sorts of mad random stuff related to cyber, but mainly leadership, surviving and thriving, and making sure we don't try and shoot ourselves along the journey. So this episode we've got Matej Zachar, is that how I pronounce your last name? Just before? It's funny, I'm struggling on the first name and then I'm like, oh man. Now the interesting thing is you guys are going to detect a little bit of an accent here, not my accent, Matej's accent. So Matej, why don't you introduce yourself, where do you work, where do you live? And I want to get into this whole journey as you've been traveling around Europe.

Matej:

Sure, absolutely. And great to be here, Den. So yeah, so I'm originally from Slovakia, which used to be Czechoslovakia is how most people figure out where that is and which part of the world. I was born in Czechoslovakia, but they didn't last for very long. So I work as a CIO and a CISO for a company called Kontent.ai, which is a headless CMS provider, kind of a backbone for websites and things aimed at content management. And I'm based out of Ireland, so I'm currently living in Dublin. But yeah, I traveled a bit. So I lived in Slovakia, obviously, then Czech Republic, then Switzerland and now. So this is my fourth country.

Den:

Yeah, it is funny. I think I've done some traveling and it just reminds me that back in Europe you can bounce between country and country and country and stuff, but for me it seems like the CISO version of van life. So when you've been traveling, before we get to that, what got you into this IT security journey? So when you're leaving school or whatever you were doing, what was the trigger that pulled you into this career?

Matej:

So it was back in the time when I was actually picking my subjects in university and I was one of the first cohorts that went through formal cybersecurity education. So it has been a while, so probably like 12 years ago or something. But it was one of the first things, one of the first cohorts that went through that cybersecurity masters. And it was really out of curiosity. I mean, I saw cryptography there, it sounded cool. I mean who doesn't want to do cool stuff? And I found that it was mostly math. I got a little bit discouraged, but I found something in it. I found something that got me engaged for about those 15 years or I don't know how long I've been around.

Den:

And then when you've done your first country move, what was it that made you move,

Matej:

Suppose? So the first move was for the university and was the quality of education that really made the difference. And so you know that here, well you said it right? So here in Europe it's more condensed, but many different countries. And when I was picking my school, it was already European Union was around and it was expanding and so it really opened up opportunities for people to travel around to study around and also work wherever they want to be. So that's how I did it. And then I stayed in Czech Republic for a while. I studied there and I got my first job and I worked a little bit in Czech Republic. I was traveling a lot back then. I was working for a cybersecurity vendor. And then, yeah, I suppose it's also the love of love for travel and exploring new places, meeting new people. It's what eventually got me into multiple moves in my life. Yeah,

Den:

Yeah, no, I can tell that you can speak good Irish, but when you've went to the other countries, they don't all speak English as their primary language. So how did you handle the language barrier?

Matej:

So Czech is easy, right? Because the languages are very similar. And now I speak fluently. I mean it's not a huge achievement for somebody from my part of the world, but I can. And then in Switzerland it's a little bit different. They have four languages. None of them is English, but they do have a huge expat community. So when I was there, it was very easy to get by on a work setting I would say. And I was working for an international company back then, so English was also how they communicated internally. But I know, so I have some basics of German, I was communicating some German with them. But you need to be, I suppose, yeah, English will help you long way in any setting, let's say in Europe. But it's where if you want to engage with people more, you probably need to start getting bits and pieces of language here and there just so that you show that you are really interested in the culture and the country and the language as well. Yeah. And then obviously there are places where you can't speak English, so you need to manage those.

Den:

I was in the south of France once for the project back in 1996 I think it was. And I remembered the hotel I was at in South France, they didn't speak any English at all and I didn't speak any French. Now because of that lack of communication, I didn't have any lunch or dinner. I pretty much waited until my friend picked me up probably about eight o'clock at night to do dinner and drinks and stuff. But I went 12 hours without eating and I was asking them for food and I just didn't get any. And the thing about our role is communication's a huge thing. So when you're trying to sell a vision, when you're building teams, when you're trying to do what we do, then what was the biggest struggle from a communication perspective?

Matej:

Yeah, that's an interesting one. So I would say that it's more cultural than language related, even though you need to pick your words carefully in English as well, and you would have some nuances of English even from foreigners, obviously English is not my first language, so I would have my nuances and the way I talk about things. So for example, in German speaking worlds, people tend to be a little bit more negativistic. So you need to choose language that kind of reflects that. I mean, I just remember back then one of my colleagues were saying they had this saying, "es geht", which is like, ah, it's all right, it's okay. And that means the best, it is, the best it could be, it's excellent, it's brilliant, it cannot be any better and they can go to really deep connotation of how bad some things are. So that scale is I suppose, a little bit moved. You need to be aware of those things. And then obviously if you do chitchat, if you don't do chitchat, if you go straight to the point, if you don't speak out of your mind and tell people what you really think or whether you use some fancy language to describe your thoughts. So need to be aware of those. But they're more cultural, I would say, than language related.

Den:

Yeah, that's interesting. I thought for a minute there you were describing Scottish people, but then I realized you weren't pessimist, grumpy. And then one of the things that I was interested in when we were setting up the show was you're traveling around Europe, you've got a great connection in that whole European community. When we talk about things like AI, how are you seeing European governments, European businesses, or even just people in the teams, how are you seeing them approach AI and how do you think that's different from how people in the US are talking about it?

Matej:

Yeah, I suppose I can feel a little bit more cautiousness and a little bit more risk aversion or let's call it a risk management. I would say that people are generally open to try new things and to engage with ai, but they feel in general that there needs to be some governance over it so they don't just jump over the next fancy tool immediately without thinking. But I might be a little bit biased because I deal mostly with our enterprise customers, which are very risk averse or they like to think things through before they allow them in their environment. And also with the community here, which is also kind of very enterprise heavy, there's lots of US companies here and usually those that there are internationals and operate here in Ireland. So that's my experience so far. But I can see that there are many startups also being created in Europe. And one general feeling is that there is a little bit of the support for innovation and the overall how the innovation is treated is a little bit different in Europe. And we feel like the regulatory environment here puts a little bit more barriers towards that.

Den:

Yeah, I was just going to say because heavy into the privacy side of the world. So if I look at your career, you've featured a lot as you go through risk and governance and all that kind of stuff, and you're in an environment where data governance or PI and all this stuff, especially privacy laws around the world, they're pretty heavy. I'd say they're heavier in Europe than they are in the US and I'll keep talking while you're trying not to die over there. So yeah. So if you're back alive, so when you think of privacy and the difference between Europe markets and the US and with ai, what are you seeing from the biggest privacy concerns,

Matej:

Concern? Sorry about that. Geez, that was very unfortunate drink of what? Jesus, I don't know what's happening.

Den:

And everyone just realized Matej's really drinking, he's really drinking vodka and he's just saying it's water.

Matej:

Yeah, it looks like vodka, right? Sorry about that. So in terms of privacy, I would say that there is definitely the cautiousness about what kind of data do we feed our AI systems, what happens with personal information, how do we treat that? And I would say in the very initial scenarios, everybody was like, okay, we'll never ever feed our customer databases. We'll never ever let AI model work on our personal information. But it is slowly changing, I would say over time as some of the myths surrounding AI and the way it's laid out, how they disappear over time and how they are mitigated with the new kind of safeguards and controls that companies in general AI providers are able to demonstrate. So I would say that this perspective is changing, but obviously there is that ever present question of where the data is, what happens with it, is that a new data processing? And if it is, what kind of risk does it bring? So there's that risk-based kind of perception of personal data processing here in Europe and we like to use that terminology to also refer to data processing. So that's my perspective.

Den:

I mean I look at it, we're still dealing with a lot of the same security questions or privacy questions that we had before. And all we've maybe done is we've added a few more. So if you think of where we stored the data before, it was just how do we store the data and protect the data while it's being stored? And then you talk about encryption and all that stuff, but we're now also talking about data poisoning. We're looking at that extra element of maybe the data that we've been using is poisoned or something of that nature. Then when you run models against the data is how trusted are those models and then at the end of it, you've got the users that interact with it or other APIs and things of that nature and how do we protect those? So some of the things, I think some of the risks remain the same, and then in each of those areas we've maybe added incremental risk on top. Now you guys, so Kontent.ai, I think I was reading up that you guys are doing some AI within there, I mean your name suggested, right? So what would you say is the AI magic that you guys are doing that differentiates you from the competition?

Matej:

And by the way, I just wanted to comment that you're exactly right. I feel that many of the risks and safeguards that we've put in place in terms of AI are the same kind of risks that we've identified before and the safeguards that we identified before, whether it's risk management, risk analysis, whether it's just really having a security by default approach to software development, and that's what I would really vouch for. But yeah, anyway, so what our implementation is, so we use AI for various things. So as a content management system, we manage large quantities of content, whether that is articles, blog posts, pictures, videos, whatever our customers use to present on their websites and their applications, but also for their internal use as well. And so we deal with a large scale content data sets, and so we use AI in order to manage that the best you can on scale.

So to give you an example, search translation, categorization, flagging, tagging, all sorts of things that it would be terrible to do that manually because you would spend a really lot of time categorizing or classifying your content. So we can just basically flag similar pieces of content, we can give you suggestions based on the content that you've already created. We can generate content that will follow the tone of voice that you used before. So things like that or reviews. But translations is a big thing. So you would have nowadays, and that comes back to the cultural perspective, you would have companies communicating to their audience in various languages and you really need to be mindful about how that happens and you need to have the same kind of structure and the tone in all those languages while you need to also be able to do quick translations to target different audiences. So that's where we are at and that's where I see also where we can help our customers the most.

Den:

Yeah, no, that's excellent. And you guys said the backend of people's environments, so they're using APIs to get to your platform.

Matej:

Yeah, yeah. So that's the headless definition that we are API based really cloud-based and we operate on the backend. We just manage all your content and doesn't really matter where you display it, whether it's an app or website or whatever that is. Yeah,

Den:

That's excellent. So one of the things, so you get involved in a lot of mentoring, a lot of, I do know one thing is you guys have got awards, you've been winning over the years, you've got another award I think just now about the security team. So it seems to me from a community perspective and to give back to the industry, you're fairly active. What do you think from a responsibility of the next generation of leaders, how do you think we can do better to bring in new talent, bring in diversity? I mean from any of that perspective, what do you want to share with everybody there?

Matej:

Yeah, and it's hard. I mean these are difficult things, especially considering we are all busy professionals. We have a lot on our plates and I would say just making this part of your priorities is something that is great place to start, but also appreciating that there's a lot of value to be taken. For example, from the mentor mentee relationship. Also on the side of mentor, I learned great things from my mentees. So I do mentoring, just a full disclosure, I do mentoring for a nonprofit called Women for Cyber. So I have one permanent mentee and then I'll be onboarding another one this year. And I was involved in those activities in the past. So I would say that I often learn a great deal of things from my mentees just because they work in some particular niche that I haven't touched before. So for example, I had one mentee that was very deep into privacy and she was expanding her career in privacy management, but in public services. And so it was really interesting for me to kind of explore that area, which I was untouched with before.

Then of course you meet all sorts of different personalities and people. So I would definitely encourage everyone that has that opportunity, those, I don't know, that one hour per week or month or whatever you can dedicate to really explore those mentor-mentee relationships. It's great also to bring in diversity and the talent to the industry because there is lots of, I learned through the process that there is lots of, especially females through this nonprofit that want to get into cybersecurity and don't know how or they want to advance their career. And again, they're struggling to understand how or where they should go. So I think giving that helping hand would be great. Dedicating, just making it a priority, dedicating some time.

Den:

And when you're thinking of onboarding a mentor, when you're onboarding a new mentee, what do you look for in them that makes you believe that that's a valuable spend of your time?

Matej:

Right. Well, definitely willingness to learn and willingness to make some change happen in their lives. So that's the basis because if you don't have that established, then there is probably not much you can do because that mentoring, it brings change to your life. You will be thinking about things that you haven't before. So I'll be looking at that and then really, I'm not really particular about these things. The more effort both parties put into it, the more I can come out of it. So I ask for that willingness to put effort in it and for that time. And if that is established, I'm pretty open about everything, everything else.

Den:

And do you have a set agreed time limit, like you're going to work together for a year or do you not care about that?

Matej:

I would say it depends on the mentee. So through this program, so it would be six months engagements, which I find quite okay, it's enough time to make something happen. And then if it doesn't really work out or if it doesn't have a strong future, you can just cut after those six months or if you feel that there has not been a great fit, but you can obviously identify at the beginning and just cut it off. But I find a six months time as a reasonable timeframe to get to know someone. And as I said, I have another mentee that I am working with on more permanent basis for a longer time now.

Den:

And at any one point, is it one or two I guess? I mean I guess that's all time-based, right? If you can take on more, you'll take on more, but ultimately you've got a day job as well and a life and the family and all the shit outside of work.

Matej:

Yeah, I think it's also, so what I've been describing is mostly this formal mentor relationship, but I think one of the great things that I've heard, and I'm trying to use it and apply it in my life as well, is that anybody can be your mentor, really, your mentor is your wife, your mentor is your family, your mentor is your friends. So whatever you need an advice and you're not sure what to do, just ask people around you. And it doesn't have to be somebody with, I dunno, long years of experience in cybersecurity to give you a reasonable advice. I have a friend that is a doctor and he has the best, we find the best analogies between our jobs and trades because it's both meeting and working with people essentially. So if you have a people issue, you can definitely talk with whoever that is to try to get

Den:

Well, I think that's it, right? When you get to leadership, then probably 80% of the issues we deal with, they're not about the technologies, it's about people. It's all about relationships, it's about selling a vision, it's about rallying a team, coming up with a strategy. I mean there's all these other things and I don't care. Like you say, it could be a doctor, it could be anybody. I mean, you could have anybody that's done some form of leadership role still provide you some gems and wisdom and guidance. Absolutely. And so you're, when you think of a mentor for you, do you actively work with people in your circle to get mentorship?

Matej:

I would say that I'm trying to really work in my circle actively. So when I'm struggling with something, I ask for advice, I ask for an opinion, and that can be on the workplace, it can be at home, it can be wherever I am. So I'm trying to really activate those relationships that I already have. But it happened in the past also that I did those random reaching out to some people that I found their profiles interesting. And I'm like, also I do that for my mentee. So I'm like, okay, you are whatever chief privacy officer of A, B, C. Can you let me know and help me understand how your team is structured so I can give better advice to my mentee about the company like yours and the structure of a previous team in an industry like yours. So I raised those questions and I find we are all busy professionals, but there's always that willingness to help in security. What I found is it's really nice about more security people. We are as busy as we are, we are usually open to help unless it's some sort of unsolicited messaging or somebody trying to sell you something.

Den:

Oh yeah. And it is funny, I've done a sales kickoff with a company called Omnia, and they're one of the spinouts of VMware, and one of the questions was along the lines of what turns you off when you get an unsolicited communication? And because we're both in our CSO society group, I threw that out to the group and I got a whole bunch of replies and one of them was a reply that I actually hadn't prepared, but we ended up talking about the fact that I shared this within the community. So there was what does Den think about this question and answers, and then what did the community say? And I had the usual, if it looks like a mass mailing, not personal, you've not done your homework, but one of the ones that people said was not respecting your boundaries. So pushy salespeople that don't respect your boundaries. I got a text message on a weekend from somebody I didn't even know, but they got my number somehow and they just thought they would text me on a Saturday and try and sell 'em with their shit. Obviously that meant that I blocked the number and deleted the text without even replying. So when you're getting, what's your definition of a shitty salesperson just annoying you, what do you think the difference between a good salesperson is and a shitty one?

Matej:

Yeah. So look, yeah, I mean everything you said is completely valid and also not respecting boundaries on that side. If we never have ever had any contact before, if you call me first, I'm reluctant to be open to talk. It's kind of pushy, definitely somebody that is pushy in general, they would try to oversell you from the moment one. What I appreciate on the other hand is someone that takes time to understand the challenges but also has enough, how to call it, tact maybe, to realize that where there is no opportunity for them, so to understand, okay, this is not the place, I'll just cut it off, save everybody's time and not just follow up after follow up and trying to make up different crazy scenarios of things we could do together where actually none of them resonates.

Den:

I just said to this audience, we sniff out disingenuous people pretty quickly. I read people pretty quickly. I think any executive, there's ideally a good level of EQ and being able to have street smarts and read people. So I don't have a lot of salespeople who are friends and I'm pretty open about that. I've been doing this shit for 30 years and in 30 years I've probably got like 12 phone numbers in my contact list of salespeople. And that means they can contact me anytime they want and I'll contact them and you're not pissing me off if you text me on a Saturday. But in order to get there, you've got to have built trust, you've got to have really got to really have impressed and stuff to be the point where I'm like, okay, I can hang out with you, you're decent and you don't piss me off. Just pretty.

Matej:

Yeah, I'll say one thing is that also what I'm a little bit allergic to is when it's an obvious, obvious sales tactic that are applied. So what I dislike definitely is being asked questions for half an hour or 45 minutes straight before I know anything about your company. And some of the sales calls really start like that. What's your challenges? How do you, okay, okay, and they're trying to sell you. It's fine that you want to know about me, that's great. That's actually a positive thing, but don't overdo it, especially without NDA on the first meeting. I need to learn something about you as much as you need to learn something about me. And sometimes I feel that it's really forced.

Den:

Yeah, it is funny because one thing I said to this audience was, if you've only got 30 minutes that very first meeting, then you got to be curious to understand the problems. But you're right, there's a balance. And I think the balance is you got to understand the audience. If you know that the CISO you're talking to doesn't, they don't want to share all the challenges and struggles they got. Maybe they've already researched your product, maybe they're calling you in because they know your product does X, Y, and Z, and that's the problem they want solved. And I think it's just, again, it's communication. It's really, this all goes down to that as we get close on time, mate. So when you're not working, what do you do for fun? And is there anything in the non-work stuff that translates to helping you improve your professional life?

Matej:

Yeah, I think I'll mention one thing. So I do run on a regular basis and if I'm proud on one thing is that I'm able to keep that cadence even when I'm really, really, really busy with everything else. So it's really something that I'm trying to do regularly and then how it applies and helps me. It's the moment that you clean your head, are able to reflect on some of the things that you wouldn't normally reflect on and the ideas come to your mind. And very often it happens to me that I come home and then I write down a couple of those things or I go action some of those things. So I think really having that time to reflect and being on my own in the nature around just running and focusing on that, but also thinking is what helps me bring advance, I suppose to,

Den:

I'm guessing, so I don't run, but I do walk, so I walk trails and stuff. And I guess the clarity that you get while you're on your own isolated, even if you listen to music or not, you're still in your own head, you're still thinking through problems and stuff. And I say to people, if you can get out 10, 15 minutes, just walk around the block if you want to just go. And I'm not a gym rat, so for me it's like if you go to the gym, there's a lot of distractions at the gym.

You're not necessarily thinking you're clearing your head space. So for me, yeah, I love nature just getting out and I think we spend too much time cooped up inside our offices, our work, our computers, and our devices. So getting out I think is wonderful. So what's next? What's next for you? Do you do any of the conference circuit stuff? Do you come out to the US for any of the events or what kind of travel plans do you get to do?

Matej:

Yeah, I do try to go at least once per year to the US. So I was studying on Carnegie Mellon in this great certificate CSO certificate program that they have there, and they do yearly meetings in Pittsburgh. So I normally travel, I dunno this year because, so I'm also, sorry, I'm also studying executive MBA here in Trinity College. So it's really, really busy these days and weeks for me. So I'm not sure if this year I'll be able to travel, but anytime I can, I'm happy to do that. It's necessary to, again, open up your mind to new ideas, see what other peers in the industry do. And we have a fair bit of conferences here in Europe as well. London is just a stone's throw away and there's a lot going on there, but there's also things here in Dublin, so try to be engaged. Yeah, I know that you have for sure. Your conference calendar must be completely full if you want, you can have a conference probably every day, right?

Den:

Well, yeah, I mean it's interesting. You obviously have the big ones between RSA, Black Hat, DEF CON, and then there's all the BSides, and then there's all the ISACA and the ISSA stuff. And then there's Cybersecurity Summit, FutureCon, and yeah, there's a million of them. It just doesn't, it's funny because I've lived in the US now 24, 25 years or something. It just doesn't feel as glamorous as going to Barcelona for a two day event and then doing some sightseeing and stuff because you going to Pittsburgh, right? When I was at Banyan Security, I'd done 20 conferences a year from an evangelism perspective and that shit, man, that gets dry after a while. And I just went to LA for FutureCon and my daughter got to hang out with us. She goes to college in LA so she's hanging out with the team. And I was like, what's funny?

I said, every time I was traveling for work, you thought I'm doing something glamorous, I'm going to LA. I went, now you know how glamorous this shit is. We're sitting there in a hotel at LAX Airport inside conference space. We're not seeing LA, but people think of it like, oh God, you got to go to whatever, right? Chicago, it's like you'll get in the evening, you'll go out for dinner somewhere. So we went to Marina and yeah, that's cool. But again, you're in an Uber going to the place, you have dinner and then you pretty much back. Sometimes you can spend a little bit of time out there, but some of these events, they're not glamorous, but they are useful. If you can network, you can meet with peers. Usually for me, reconnect with some friends and stuff as well. So I love it. I mean, I love it for that purpose. Sometimes at these events, I always tell my team, try and learn at least one thing. You can come back learning one thing that you can implement. The minute you get back, then maybe we'll feel like it was this good spend of your time. But some of these things, it's more about the relationships that you meet with people outside of the sessions and stuff. So yeah,

Matej:

I would say that. Yeah.

Den:

Well mate, hey, look, thank you very much. I really appreciate you taking the time. I know our time zones are funky, so for you right now, it's way past your finishing work business, so I appreciate you, you working late for us. Thank you very much and I'd love to see you at some point. Yeah, if I'm in Europe, I'll maybe try and swing by Dublin, not far from Scotland and otherwise I'd love to catch you in the US. We'll grab some drinks or something.

Matej:

Yeah, sounds great. Great to be here, Den. Thank you very much.

Den:

Thanks, man. Cheers. Thanks. Thank you. Bye-bye.

Narrator:

Cyber 909 will soon become 909 exec. New name, same podcast, and love. Look for the new name soon, wherever you get your podcasts.
