Greg Schaffer:
Hi, I’m Greg Schaffer, and welcome to the Virtual CISO Moment. Brad Mathis joins us today. He is Senior Information Security Consultant. Brad, thank you so much for joining us today.
Brad Mathis:
Of course. Thanks for having me.
Greg Schaffer:
So I’d like to start. I already know some of your history. We’ve been acquainted for several years. We’ve worked on a few things together, but we’d like to hear, though, about your beginning—how and why you got started in information security and technology and cybersecurity—and then take us all the way up to where you are.
Brad Mathis:
That works. Well, I hope we have a few hours because as you can tell by the gray hair, I’ve been at it for a while. So this is an interesting year for me because it’s forty years in the industry, forty years being married, and I’m still alive.
So taking me back, let’s see—I was seventeen years old living in a small town in southern Illinois and graduated high school. I was a young graduate. Two weeks later, I had no idea what I wanted to do, so I ended up in Evansville, Indiana, at a tech school—a two-year tech school—to study electronics engineering technology.
Have I used that in my career? Barely. But I, like I say, didn’t really know what to do. My plan was to come to Indiana, live here for a couple of years, and then go back, you know, and find my life. And then of course, I found my wife up here in Indiana, and I’ve been here ever since.
So I started like a lot of people got to start way back then—because there was no such thing back then as a cybersecurity degree or even an IT degree really. It was all in programming and things like that. So I got involved in basically computer repair, networking—eventually, once networking became a thing (I am that old)—and then I really enjoyed it.
I remember my second job, seeing my first virus, and that was exciting. There was an older guy I worked with—he was pretty much full time out at an aluminum factory on like a staff-type situation—and he had this computer that kept doing weird things. And of course I had read things. I was young. I was cocky. And I said, “Oh, I bet it’s got one of those viruses I keep hearing about.”
And he’s like, “Oh, that’s just hokum. That’s hokum. That’s not real.”
And so anyway, he had replaced everything. So I said, “Well, bring it into me.” And it was one of those where I found out he had replaced the power supply, the motherboard—everything—the hard drive. I said, “Well, when you replaced the hard drive, did you just wipe it out fresh?”
He goes, “No, I backed everything up and I put it on the new one.”
I was like, “Okay… let me see it.” So sure enough—McAfee was open source at the time—and I downloaded their scanner, and I came up with the Jerusalem B virus. And it was just so cool because it would cause the letters to drop off the screen. And so one thing led to another. That kind of got me excited in security in general, because I thought, wow, it was kind of like a prank program, but it was still cool to watch.
So kind of neat. And then, you know, along comes networking. And then eventually this thing called Windows, which I didn’t think was going to last—but it did.
I started networking computers together. I always liked the interconnectivity. I liked seeing how things work.
Greg Schaffer:
Just talking about Windows and networking—I think most youngins today don’t understand that when Windows first came out, networking was not native, at least not TCP. You had to load a stack on top of that. They had their proprietary NetBEUI networking, which I don’t think is in use anywhere anymore—maybe in some obscure instances.
This almost sounds a little bit like, “Well, I walked to school both ways uphill through snow, five miles,” type of story. But it’s true. It actually took a lot to get a computer networked back then. Like, well, when Windows came out thirty years ago—Windows 95, right? Or before Windows 95, with only this 3.11 for workgroups and that sort of thing.
Brad Mathis:
That’s for sure. It’s been quite a story, but I had to—oh no, no, totally fine. Interrupt, man.
But yeah, it was so fun. When I first started working, I was working on dedicated word processing systems. I was born in 1965, and one of them that I worked on—I think it came out in the early seventies—and law firms would keep it forever because it was like thousands upon thousands of dollars. But it was a brand name called Vydec (V-Y-D-E-C), and I think Exxon Office Systems—they had an office systems company that had acquired them.
If it was fully loaded, I remember there were—I don’t even remember. For some reason, I’m thinking close to a hundred circuit boards. And it had several power supplies because it had a separate power supply for the +5, -5, +12, all of that.
And I was doing component-level repair on these things because there were no parts anymore. So you would have to go to the electronics shop, find a transistor, find a capacitor. So it was a lot of fun.
At some point, I was working for a company, and I was spending a lot of time with a healthcare organization doing some work for them. And they kept asking me, “When are you going to come work for us?” And I was like, “Nah, I’m good.”
Well, eventually they talked me into going and interviewing. And that was my first foray into the enterprise world—getting out of the VAR, whatever you want to call it. Went there, and that’s where I learned a lot about networking. I went there, and of course it was token ring at the time.
Greg Schaffer:
Absolutely. It’s the only thing that was never going to catch on.
Brad Mathis:
But very big plugs—I remember that. Oh yeah. They called them hermaphroditic plugs because it didn’t matter which way you plugged them in. And I would build those connectors.
Anyway—networking, token ring, all of that was pretty exciting. Somewhere along my career—I do not remember when—I read the book by Clifford Stoll, The Cuckoo’s Egg. Cliff Stoll is a unique fellow. He was at Berkeley University and basically found somebody in their system because he found a math error that was very small.
Greg Schaffer:
I have heard of that story.
Brad Mathis:
Yeah—and he obsessed trying to find it, right? He was like me. I’m old school. I still balance a checkbook once a month. Some people are like, “What’s a checkbook?” But I do that, and it’s got to be to the penny. That’s how Cliff was. There was something about Cliff Stoll’s tenacity and following up on it—he didn’t even have an IT background. He was just a student working at the university, and he ended up finding this international espionage type thing. The story reads like a spy novel.
If you ever get a chance, read the book—or even go look on YouTube for one of his interview videos. That is what I think really triggered and excited me to focus more on security.
Brad Mathis:
So over the years, I had a lot of firsts. I transferred to the parent company, Ascension Health—worked there for many years. I was the one that set up the first internet connection. We had an FTP server, NNTP server—services I had no idea how to run. But I spun up IBM AIX, got the services running, set up the original firewalls—Check Point was on top of the world then. The original firewalls ran on a Sun SPARCstation. Learned by the seat of my pants.
I learned a lot. At one time in my career, I got to go to a bootcamp—some bootcamps are overrated. This one was from IBM in Raleigh, North Carolina. It was their router bootcamp, back when IBM made routers before Cisco bought their patents. It was intense. We learned the OSI model, TCP/IP stack, subnetting, variable masking—tons of knowledge that stuck with me.
I worked for Ascension and the hospital for maybe eleven years. Then they decided to outsource. I stayed for a few months after that, but I could tell the culture changed. We went from people staying late because they cared to an empty parking lot at 5:01. I decided to go out on my own.
I started an LLC: Integrity Driven Business Solutions. Started slow—learned what it was like to starve a bit—but then it picked up. I landed a great contract in Manhattan through IBM, subcontracting for a large financial institution. Then people started calling me about a job at a large bank in the Midwest.
At first, I didn’t want it. I wasn’t planning to go back into enterprise, but multiple people reached out. It was before the term CISO was really in use—they called it Network Information Security Officer. I applied, got it, and ended up having a blast. I had a dream team. Great people. Thought I’d retire there.
Then came a system-wide reduction in force. I didn’t take it personally. I saw it as a spreadsheet exercise. When I walked into the HR meeting, I thought they were going to ask me to pick someone from my team to let go. That would have devastated me. But instead, it was me.
I had a wave of relief knowing my team was safe. It was tough—my daughter was getting married that September. Fancy country club wedding. I wondered how I’d pull it off.
The organization treated me with respect. They didn’t walk me out. Gave me 30 days to transition, job search, take interviews—just asked that I document tribal knowledge.
Greg Schaffer:
That’s rare. They obviously understood the value you still held in tribal knowledge. Any advice for organizations considering a RIF?
Brad Mathis:
Treat your people like humans. And if you’re the one being RIF’d—don’t burn bridges. That’s how I ended up at Keller Schroeder.
Greg Schaffer:
Ah, yes. And you said it right: Keller Schroeder. I might have said it wrong earlier.
Brad Mathis:
You got it right! I was a client of theirs for a long time. I respected their integrity, communication, honesty. The person who is now our president reached out after hearing I lost my role. He said, “We’ve wanted to start a security practice.”
At the time, they did security services, but more as a hat worn by network engineers. I said, “Give me some time.” I had 30 days. I was interested, but wanted to explore.
I had other offers. One was from a well-known security person who offered me a job in the UAE—three to six months of work per year, lots of money. I passed. I’ve done six months in the UAE. That’s enough.
Greg Schaffer:
Not military?
Brad Mathis:
Not exactly.
Greg Schaffer:
So you’re with Keller Schroeder now. And I know one of the things you do there is virtual CISO work, which of course I do as well. What are some of the biggest misconceptions you’ve seen about what a vCISO does?
Brad Mathis:
So we’ve done security services for a while—consulting, project work, gap analysis. We finally put a name to it and jumped on the vCISO bandwagon.
Yours is more pure-play vCISO. I wear several hats—project work, assessments, consulting.
Biggest misconception? I’m thinking of a case where a client bought a basic onboarding service—entry-level, low cost. But he thought that meant we were his full-time CISO. That’s not how it works.
You still own the risk. Even if you have a CISO. A vCISO is no different—we identify risk, guide mitigation plans, make recommendations, develop roadmaps. But it’s the organization’s job to accept or mitigate risk. We’re advisors.
Greg Schaffer:
I love that line: “You still own the risk.” So many organizations think that when they outsource security or bring in a CISO, the risk goes away. It doesn’t.
Brad Mathis:
Exactly. This gets into risk appetite. It’s hard for many orgs to define, but the best ones have tone at the top. They understand the cost-benefit. They won’t spend $500K to fix a $100K risk, but they’re intentional.
Others are like, “We don’t have anything hackers want.” That’s dangerous thinking.
There was one org—we recommended a baseline vulnerability assessment. They had never done one. The new person said, “I realize now I own this risk. I need to do something.” We did a wide engagement. Presented findings.
The CFO stayed for the whole presentation—even the technical stuff. Afterward, he said, “I was hesitant about the cost, but after sitting through that—it was worth every penny.” That meant a lot.
We’ve continued working with them. Their risk posture has drastically improved. Boring pen tests are good pen tests.
Greg Schaffer:
And when people see their names next to risk, suddenly things get real. Even CISOs don’t own the risk—at least in large orgs. Their job is to communicate it so others can make informed decisions.
And this field is stressful. You said earlier “banging your head against the wall.” That stress builds up. I’m a big believer that we need positive outlets. So Brad—how do you decompress?
Brad Mathis:
A lot of folks in our field never stop. They’re always learning, always reading security content. That’s great—but I needed better work-life balance.
So I unplug. I listen to crime novels—Jack Reacher, Tanner series—on audiobook while driving. I still follow industry news feeds and this podcast, of course.
Greg Schaffer:
Appreciate the plug.
Brad Mathis:
But family is my unwind. I’ve got seven grandkids—three live next door. Two are in northern Indiana. I spend time with them. I also love barbecue. I have three Big Green Eggs. I don’t cook on them as much as I’d like, but I love smoking pork butts and ribs.
Greg Schaffer:
I’ll have to look into those. So what’s ahead for you? More barbecue?
Brad Mathis:
Definitely. I’m also a Rotarian—community service, scholarships, volunteering. We just finished a soup kitchen project.
At Keller Schroeder, we have about 105 employee-owners. We’ve been around since 1978. Average tenure is high—we have folks older than me and many younger ones.
My goal is to pass on tribal knowledge, not hoard it. I want to be replaceable—not missed for what I know, but missed for who I am.
We have a “Boomerang Program”—when people retire, clients sometimes request them back part-time. You can come back on your terms—2 days a week, 6 hours a day. I might do that in 5–6 years.
Greg Schaffer:
That’s awesome. Brad, it’s been great catching up. Next time I’m in the Evansville area, let’s get coffee. They need to finish that I-69 project—it’ll save 15 minutes off my drive!
Brad Mathis:
Absolutely. I’ve been following the construction. Let’s catch up next time you’re in town.
Greg Schaffer:
Looking forward to it. And everybody, stay secure.