About Matt Mason
Twenty years is a long time to spend doing anything. Long enough to see trends come and go, technologies rise and fall, and organisations make the same avoidable mistakes over and over again, sometimes spectacularly.
I have spent the last two decades working in Information Security and IT leadership, the majority of that in higher education, an environment that is uniquely demanding. Open by nature, complex by design, under-resourced by default, and an attractive target precisely because of the data it holds and the people it serves. It is not an easy place to do security well, and that is exactly why I found it worth doing.
My background covers Information Security Management, Cyber Security, Risk Management, Governance, Risk and Compliance, Data Protection, Cloud Security, Security Architecture, Solution Architecture, and IT operational leadership. Those are not just words on a page. Each one represents years of real decisions, real incidents, real budget arguments, and real consequences.
I hold the CISSP, CCSP and CGRC certifications from ISC2, and I am a Chartered IT Professional and Fellow of the British Computer Society. I have volunteered in ISC2 Exam Item Development on many occasions, sit on the BCS Information Security Specialist Group (ISSG), and serve on the Committee of the BCS Nottingham and Derby Group. I also co-authored a paper for the Cloud Security Alliance on ERP Security.
None of that is why I write here, though.
I write here because the gap between what organisations know they should do and what they actually do is still enormous. Because security and governance are still treated as problems to be solved once rather than disciplines to be maintained continuously. Because too many leaders inherit broken IT estates and are expected to fix them without the visibility, the budget, or the mandate to do it properly.
This site exists to share thinking that is grounded in practice rather than theory. You will not find vendor marketing here, or frameworks presented as if understanding them is the same as implementing them. What you will find is honest analysis of real problems, written by someone who has sat in the chair and had to make the calls.
If something here is useful to you, that is enough. If you want to continue the conversation, you can find me on LinkedIn.
