
Matt Morton
AVP & CISO
University of Chicago

Matt Morton serves as the Assistant Vice President and Chief Information Security Officer at the University of Chicago, where he leads the University's Information Security program, including Security Engineering, Identity and Access Management, and Information Administration. With over 30 years in technology and 18+ years in information security leadership, he is known for his strategic expertise, collaborative leadership, and ability to align security with institutional goals.
Prior to joining the University in 2021, Matt held CISO roles at the University of Nebraska System and University of Nebraska Omaha and worked as a cybersecurity consultant. He holds a Master’s in Higher Education Administration and multiple certifications, including HCISPP, CISM, CGEIT, and CISSP.
A fun fact about Matt: he is an avid fly fisherman, and he also enjoys hiking.
Give us a brief overview of the path that led to your current role.
My career began in hardware, focusing on electronics and printed circuit board design, before transitioning into software development. I spent several years as a Java architect and later moved into managing development teams in both corporate and higher education settings. During this time, I became increasingly involved in overseeing the security aspects of various projects, which sparked my interest in information security.
I eventually led IT operations for a small private university, where I gained a holistic perspective on technology management. Following that, I built the security program at the University of Nebraska from the ground up, establishing a comprehensive function that paved the way for my transition into security leadership. Over the past 15 years, I have served as a security leader and CISO, with the last three years dedicated to leading the University of Chicago’s Information Security program.
What is one of your guiding leadership principles?
My guiding leadership principle is being a bridge between security and the business, ensuring that our work not only protects but also empowers the organization. By aligning security initiatives with business goals and demonstrating measurable value, I build trust and foster collaboration. For me, success lies in showing that security is a strategic enabler, not just a cost center.
What is the greatest challenge CISOs face today, and how are you addressing it?
One of the greatest challenges I face as a CISO is balancing the increasing pressures of burnout, staffing shortages, and rising expectations from senior management. These interconnected issues create a complex environment where maintaining morale, meeting organizational needs, and addressing security risks effectively can be daunting.
- Burnout: The demands of cybersecurity roles, particularly leadership positions, are relentless. The constant pressure to stay ahead of evolving threats, respond to incidents, and address compliance requirements can lead to fatigue—not just for myself, but for my team as well. To address burnout, I focus on fostering a culture of support and well-being. This includes implementing manageable workloads, encouraging the use of paid time off, and promoting mental health resources. I also strive to lead by example, setting boundaries for work-life balance and creating an environment where prioritizing personal well-being is seen as integral to professional success.
- Staffing Shortages: The cybersecurity talent gap remains a significant issue across industries, and it’s no different in higher education. Finding skilled professionals who can meet the unique needs of an academic institution is challenging. To address this, I’ve developed a multifaceted strategy that includes cultivating talent from within through upskilling and professional development opportunities, partnering with academic programs to build pipelines for future talent, and leveraging managed security service providers to supplement internal resources. By focusing on both immediate needs and long-term workforce development, I aim to create a sustainable approach to staffing.
- Expectations of Management: Senior leadership and boards are increasingly engaged with cybersecurity, which is both a blessing and a challenge. While their attention highlights the importance of security, it also raises expectations for outcomes that can sometimes be misaligned with available resources or the inherent complexity of risk management. I address this by focusing on clear and transparent communication. I ensure leadership understands the trade-offs between risk, resources, and outcomes by presenting information in a way that resonates with a non-technical audience. By translating security risks into business impacts, I can set realistic expectations and align security goals with institutional priorities. Additionally, I’m working to integrate cybersecurity into broader institutional strategies, treating it not just as a standalone function but as an enabler of organizational success.
- Holistic Approach: To navigate these challenges, I prioritize building a resilient security program with a strong emphasis on teamwork, innovation, and strategic alignment. I work closely with my team to foster collaboration and a shared sense of purpose, while continually refining processes to improve efficiency and reduce unnecessary stress. By taking a proactive and empathetic approach to these issues, I aim to create a workplace where both security and people can thrive.
What is the key to success for someone just starting out as a CISO?
Success in a CISO role, particularly for someone just starting, requires a strong foundation built on a combination of technical knowledge, strategic thinking, and leadership skills. Here are the key principles I recommend:
- Focus on the Basics: Mastering the fundamentals of cybersecurity is essential. A deep understanding of the basic principles—such as risk management, incident response, and compliance—is the cornerstone of a successful CISO. This means knowing how to identify and prioritize risks, build foundational security controls, and establish a clear security roadmap. By starting with the basics, you’ll create a stable platform to address more complex challenges as they arise.
- Take Measured Steps: Stepping into a CISO role can feel overwhelming, given the vast responsibilities and high expectations. It’s important to approach the role with a mindset of incremental progress. Take the time to assess the current state of your organization’s security posture, identify gaps, and prioritize improvements. Quick wins are valuable, but a long-term vision with deliberate, measured steps will yield more sustainable success.
- Develop Strong Communication Skills Early: Effective communication is a critical skill for any CISO. Your ability to translate technical risks into business language that resonates with senior leaders and stakeholders will determine your influence and effectiveness. Build strong relationships with key players across the organization, including executives, IT leaders, and business units. Regularly communicate security priorities and progress in a way that aligns with the organization’s goals.
- Don’t Overfocus on Technology: While technology is a key component of security, it’s not the sole focus of a CISO. The real challenge lies in understanding how technology intersects with people and processes. Don’t get caught up in chasing the latest tools or trends; instead, focus on aligning technology decisions with the organization’s strategy, culture, and risk tolerance. Remember, security is about enabling the business, not creating roadblocks.
- Support the Business: The ultimate role of a CISO is to support the business by enabling its goals while protecting its assets. This means positioning yourself as a partner rather than a gatekeeper. Understand the organization’s mission, objectives, and challenges, and find ways to integrate security into its operations seamlessly. By demonstrating that security adds value, you’ll build trust and gain buy-in from leadership and staff.
Stepping into a CISO role requires balancing technical expertise with strategic leadership. Focus on building relationships, setting realistic goals, and creating a culture of collaboration. By prioritizing these principles, you’ll set yourself up for long-term success in this challenging but rewarding role.
How do you measure success as a leader?
Success as a leader is ultimately reflected in the success of my team and the value we bring to the organization. I measure this by how well my staff grows and thrives—both professionally and personally. When team members feel supported, develop new skills, and confidently take ownership of their roles, it’s a clear sign that I’ve created an environment where they can succeed. Equally important is how effectively we support the business. Success means aligning security initiatives with organizational goals, enabling the business to operate securely without unnecessary friction, and building trust with stakeholders. If my team is empowered and the business views security as a partner rather than a roadblock, I know I’m fulfilling my role as a leader.
What is the value of being a member of the Evanta community?
Being a member of the Evanta community is invaluable for fostering collaboration, engaging in meaningful discussions, and learning from peers who face similar challenges. It provides a unique platform to connect with other leaders, exchange ideas, and gain diverse perspectives on complex issues. The opportunity to discuss strategies, best practices, and lessons learned with peers not only helps solve immediate challenges but also inspires innovative approaches to long-term goals. Learning from the experiences of others in the community allows me to refine my own leadership strategies and stay ahead in an ever-evolving landscape. Evanta serves as a catalyst for professional growth, offering both support and inspiration in navigating the complexities of leadership.
Evanta Governing Body members share their insights and leadership perspectives to shape the agendas and topics that address the top priorities impacting business leaders today.