
What you'll learn

  • The defensible thesis for an early-stage cybersecurity investor right now is investing in founders before the first line of code — and judging them on lifetime exceptional performance, not pitch-deck polish.

  • The CISO market is in flux — over half of leaders are exploring something else, and the next move for many isn't another CISO seat but a return to IT, CTO, or head-of-infrastructure roles where security is the adjective.

  • AI competency is now a primitive skillset for security leadership — the practitioners who don't develop deep AI fluency are going to atrophy quickly, regardless of how strong the rest of their resume is. 

Description

Karl Mattson's career arc — bank CISO, field CISO at Noname Security and others, angel investor, and now the founder of his own venture fund — is one of the more interesting transitions on the show. This conversation is a candid walkthrough of why he made the move, what he's actually looking for in early-stage cybersecurity founders, what the current state of the CISO market looks like from his vantage point, and the harder truths of being a field CISO that most people considering the move don't fully appreciate.

The opening segment on his investment thesis is the substantive material every founder pitching cybersecurity should read. Karl evaluates teams before they've written a line of code, and his filter is whether the founders have demonstrated lifetime exceptional performance — exceptional military officer, exceptional athlete, exceptional student. The product will pivot. The market will move. The founder's ability to read the room and adapt is what carries the company through that. The conversation also goes after the right competitive frame for early-stage cybersecurity startups — your competitors aren't the other founders sitting next to you on Sand Hill Road, they're CrowdStrike, Cloudflare, Palo Alto, and Microsoft. Founders who get this wrong waste time fighting the wrong fight.

The middle of the episode pivots to the CISO market itself. Karl's read — consistent with what executive search professionals are also seeing — is that more than half of current security leaders are looking for their next move. Some will become founders. Some will become field CISOs at vendors. Some will move into VC. And a meaningful number, he argues, should consider returning to IT or infrastructure leadership roles where they bring a security lens to the operating function. The closing segment on the harder realities of the field CISO role — the constant travel, the union-card trade-off, the founder workload nobody warns you about — is the honest counterweight to the LinkedIn glamor of the role.

What we cover

  • "investing in founders before the first line of code" — the lifetime-exceptional-performance filter for early-stage cyber

  • "your competitors are listed on NASDAQ" — the right competitive frame for any cybersecurity startup

  • "AI competency as a primitive skillset" — the new entry-level requirement for credible security leadership

  • "the snow globe got shaken" — the half-of-CISOs-looking dynamic and where they're going

  • "security people should consider going back to IT" — the underappreciated career path most CISOs don't take

  • "compete with the head of DevOps inside the company" — the most consequential security relationship in most organizations

  • "the union card" — the trade-off security leaders face when joining a vendor as a field CISO

  • "the right founder is the one who doesn't know what they're getting themselves into" — Karl's archetype for early-stage cyber investing

Thank you to our Sponsors:

Hampton North is the premier US-based cybersecurity search firm. Start building your security team with Hampton North.

Sysdig is the leader in AI-powered real-time cloud defense: stop watching and start defending.

The conversation 

Investing in founders before the first line of code

The thesis Karl's built his fund around is the cleanest articulation of an early-stage cybersecurity investing approach the show has aired. The vast majority of the decision to back a company comes down to the people. Karl meets with founders before the company has a product, before there's a meaningful technology demo, sometimes before the team has fully assembled. The filter is whether the founder has been exceptional at everything they've touched in their lifetime so far. Exceptional military officer. Exceptional athlete. Exceptional student at the top of their class at Harvard or MIT. Doesn't matter what the domain is — the pattern is what matters. The founder who has demonstrated repeated exceptional performance is the founder who can read the room, adapt to what the market is telling them, and pivot the company through the inevitable rough patches.

The pattern across cybersecurity exits supports the bet. Most of the major cybersecurity companies today are not doing what they originally set out to do. They evolved, they shifted, they pivoted — and the founder's ability to listen to the market and respond is what made those pivots possible. The pitch deck at month one is not the company at year five. The founder is. 

Your competitors are listed on NASDAQ

The most consistently underappreciated framing Karl shared is the competitive map for early-stage cyber. Almost every founding team he meets, when asked who their competitors are, lists other small companies that were founded around the same time. That's the wrong answer.

Your competitors are listed on NASDAQ.

— Karl Mattson

Cloudflare, F5, Akamai, Palo Alto, CrowdStrike, Microsoft. These platforms hold the absolute majority of cybersecurity spend. The early-stage founder who spends time worrying about the other Series A startup down the street is fighting a battle that doesn't matter. The right move is to go talk to those NASDAQ-listed platforms' customers, find out what they're unsatisfied with, and build the product that closes the gap. The platforms are not going to solve every problem. The founders who identify a real, defensible gap in what the platforms can credibly deliver are the founders who get to be the next acquisition. 

AI competency as a primitive skillset for security leadership

Karl's framing on AI competency in the security profession is the operating principle every CISO should internalize for 2026. The historical pattern — slow movers and early movers in cloud adoption circa 2010 — is repeating at a much faster cadence with AI. The CISOs who developed cloud engineering proficiency early stayed relevant; the ones who didn't became antiquated and got replaced. The same pattern is unfolding now with AI, and the time horizon to develop the proficiency is much shorter than it was for cloud.

The implication is that AI competency is no longer a specialty — it's a foundational requirement for credible security leadership. The CISOs who don't develop deep, hands-on AI fluency are going to atrophy quickly, regardless of how strong the rest of their resume is. The challenge is that there's no certification path for this — by the time a credential exists, the underlying capability set will have moved. The only viable answer is the one several Zero Signal guests have converged on: hands-on time with the agentic stack, build agents in your spare hours, get fluent at the model and infrastructure level rather than waiting for a vendor to package the proficiency for you. 

The CISO market in flux — and the underappreciated path back to IT

Karl's read on the current CISO market is that more than half of leaders are actively looking for what's next. That's an extraordinary level of professional churn, and it's playing out across multiple paths. Some are becoming founders. Some are becoming field CISOs at vendors. A growing cohort is moving into VC, including Karl himself. And a meaningful number, he argues, should be considering a path that's structurally underused — going back to IT, infrastructure, or CTO-level operating roles, bringing a security lens to functions that security has historically tried to influence rather than own.

The most consequential person to security in any organization is the head of DevOps

— Karl Mattson

The pattern Karl flagged is that security professionals almost never return to IT, even though IT remains a thriving capital-investment function and even though most CISOs originally came up through IT or development. The reason isn't capability — it's identity. The CISO title becomes the identity, and stepping back into IT feels like a step backward. Karl's argument is that it's not — it's potentially the most leveraged move a security leader can make, especially in mid-market organizations where security and IT are converging into one role anyway. The DevOps lead at most companies has more practical influence on the security posture than the CISO does. Putting a former CISO into that DevOps lead role is a structural win for the company and a high-leverage career move for the individual. 

The union card and the harder truths of being a field CISO

The closing segment on the field CISO role is the honest counterweight to the LinkedIn version of it. Karl's "union card" framing is the one to internalize before any CISO accepts a vendor field role. When you join a vendor as a CISO, the vendor has a fork-in-the-road decision to make. Are you hiring this person to remain a card-carrying member of the CISO community — preserving the trust and access that gave them the job in the first place? Or are you hiring them to sell software? You cannot do both. The CISO who tries to do both ends up neither — not credible to the security community anymore because they're carrying a quota, and not effective in sales because they're not wired for it. The vendors that get this right protect their field CISOs from quota pressure and let them serve the community. The ones that don't burn through their field CISOs in 18 months and damage their brand in the process.

The other harder truths Karl walked through are the ones that don't fit in the Vegas-conference photo. Always-on travel with six hours' notice on flights. Constantly being on display, including evenings at hotel bars. The emotional reality that being in sales, even soft sales, is hard, and that excellent salespeople have a thick skin most CISOs were never selected for. The compensation makes it worth it, but the lifestyle and the wiring requirements are real, and the CISOs who take the role without a hard look at whether they're built for it tend to bounce out fast.

The advice Karl gives to working CISOs — and the story of how he started his fund

The closing operational advice Karl gives the CISOs he mentors is the contrarian one. Show up in person. Go back to ISACA chapter events. Go back to InfraGard meetings. Go back to RSA, Black Hat, BSides. The work-from-home era spoiled the profession into thinking that the relationship-and-knowledge work could happen over Zoom. It can't, fully. The CISOs who haven't been to a professional conference in six months are falling behind on both the technical surface area and the relationship surface area, and both compound.

The other piece of advice, and the throughline of the whole episode, is to lean into your strengths. The story of how Karl finally started his fund is the perfect illustration. Kunal Anand, the CEO of Dope Security, cornered him at a bar at RSA two years ago, the day Noname Security's acquisition was announced, and got in his face about starting a fund. "This is the job you need to do. These are your skills. Quit your job. Go do it today. I'll invest." The conversation took 90 days to fully land, but it was the catalyst that turned a slow drift into a decision. The lesson for every security leader is that the people in your life who are willing to be honest with you about where your real strengths are, and to push you when you're not living into them, are the ones to listen to. Most of us have those people. Most of us also ignore them.

Show notes 

Guest — Karl Mattson, founder of his own venture fund (recently launched); previously field CISO at Noname Security and other vendors; before that, CISO at City National Bank; finance degree and MBA; US Army veteran

Books mentioned — none

Frameworks / models / tools named — the lifetime-exceptional-performance filter for early-stage cybersecurity investing; Zapier / Make / N8N (referenced as the no-code/low-code automation layer Karl uses to run his firm with leverage); the AI infrastructure investment thesis (vs. application-layer plays); "your competitors are listed on NASDAQ" framing; "the union card" framing for the CISO/vendor decision; AI competency as a primitive skillset; the head-of-DevOps as the most consequential security relationship inside any organization

Other people / shows / resources referenced — Pentera (Karl's early-adopter relationship that opened his investing journey); Bogomil Balkansky (Sequoia partner referenced for the founder-quality investing philosophy); Gili Raanan (referenced); Doug Leone (referenced); Rinki Sethi, John Brennan, Amanda Robson, Efraim Yarmak (referenced as the new generation of individual security investors); Andreessen Horowitz (referenced for the "mega firm" Sand Hill model); Oz Golan, founder of Noname Security (referenced as Karl's example of the world-class engineer and effective-but-cerebral founder); Mike Morato (now CISO at Noname, the AppSec right hand Karl needed to bring with him to the field role); Kunal Anand, CEO of Dope Security (the friend who cornered Karl at an RSA bar and pushed him to start the fund); ISACA, InfraGard, RSA, Black Hat, BSides (the in-person events Karl recommends as the contrarian career move); CrowdStrike, Cloudflare, F5, Akamai, Palo Alto, Microsoft (the NASDAQ-listed competitive map for cybersecurity startups)

Hosted by Conor Sherman and Stuart Mitchell.
