Christian Hyatt is a serial entrepreneur with 15 years of experience in security, privacy, and compliance. Based on his experience as an entrepreneur and from working with dozens of unicorn start-ups (start-ups with $1B+ valuation), Christian brings a unique and philosophical perspective to cybersecurity, privacy, and what it takes to build a successful business.
Risk3sixty is one of the fastest-growing security and privacy consulting firms in the nation. Risk3sixty has been recognized as an Atlanta Business Chronicle Fastest Growing Companies (2019, 2020, 2021) as well as one of Atlanta’s Best Places to Work (2020, 2021).
Christian received his M.B.A. with honors at the Georgia Institute of Technology and his B.B.A. with honors from the University of Georgia.
Connect with Christian on LinkedIn and Twitter.
What You’ll Learn In This Episode
- Cybersecurity
- Who are the bad guys (criminals, hacktivists, nation states, hackers)
- Compliance: SOC 2, ISO 27001, PCI DSS, HITRUST, etc.
- Ransomware, blockchain, election security, etc.
About Our Sponsor
OnPay’s payroll services and HR software give you more time to focus on what’s most important. Rated “Excellent” by PC Magazine, we make it easy to pay employees fast, we automate all payroll taxes, and we even keep all your HR and benefits organized and compliant.
Our award-winning customer service includes an accuracy guarantee, deep integrations with popular accounting software, and we’ll even enter all your employee information for you — whether you have five employees or 500. Take a closer look to see all the ways we can save you time and money in the back office.
Follow OnPay on LinkedIn, Facebook, and Twitter
This transcript is machine transcribed by Sonix
TRANSCRIPT
Intro: [00:00:04] Broadcasting live from the Business RadioX Studios in Atlanta, Georgia. It’s time for Atlanta Business Radio, brought to you by OnPay, Atlanta’s new standard in payroll. Now here’s your host.
Lee Kantor: [00:00:24] Lee Kantor here, another episode of Atlanta Business Radio, and this is going to be a good one. But before we get started, it’s important to recognize our sponsor, OnPay. Without them, we couldn’t be sharing these important stories. Today on Atlanta Business RadioX, we have Christian Hyatt with risk3sixty. Welcome, Christian.
Christian Hyatt: [00:00:43] It’s great to be here.
Lee Kantor: [00:00:44] Well, I’m excited to learn what you’re up to. Tell us a little bit about Risk3sixty. How are you serving folks?
Christian Hyatt: [00:00:50] Yeah. So Risk3sixty, we’re a cybersecurity and compliance consulting firm here in the Atlanta area, and we serve clients nationwide. We help companies build, assess and then certify their security compliance programs.
Lee Kantor: [00:01:04] So that seems like there’d be a lot of job security in that line of work.
Christian Hyatt: [00:01:08] Yeah, there’s definitely no shortage of headlines. It’s kind of funny. I think we’re entering the stage. I had a conversation with my mom the other day and, you know, before, when I would talk about what I did in the world of cybersecurity and consulting, she would think computers, you’re fixing computers. But with all the headlines now saying, like, ransomware and the cyber attacks, she had some sense. It’s like, Oh, you were calling that kind of stuff. I was like, Yeah, mom, that’s some of the stuff we’re working on. So I think we’re hitting a stage in the world where the security and this privacy stuff is reaching the public consciousness, but it’s been in the mind of business owners for a long time. So a lot of good stuff, a lot of job security, as you said.
Lee Kantor: [00:01:51] Now, for those who aren’t aware and who kind of follow the headlines, maybe that’s their only awareness of cybersecurity. It seems like it’s terrible out there that there’s risk everywhere. The largest of the large companies are getting hit. It seems like a regular person doesn’t stand a chance against some of these kind of risks that are out there. Is there anything you can share with us that is semi optimistic about some of these cybersecurity trends?
Christian Hyatt: [00:02:23] Yeah, I mean, I think some of the good news is that it’s not really a technology problem anymore, so what that means is there’s an abundance of things people can do to protect themselves, and it’s largely about awareness, which we’re seeing. So, you know, if you’re not a business and you’re an individual out there, one of the biggest things that you need to worry about, for example, is a phishing email. Someone sends you a fraudulent email, you click on a link and then that ends up compromising your computer and you get caught up in some type of fraudulent situation. But where we’re at in society is people are generally becoming more and more aware of that stuff. So when you see a weird email, you know not to click on a link. So I think while businesses continue to struggle with this and this is becoming a bigger and bigger problem, at the individual level we’re seeing a lot of consciousness. We’re seeing a lot of tools. It’s becoming easy for companies and people to use these tools. So I think people have a chance to be a lot safer and that’s good. That’s great.
Lee Kantor: [00:03:16] Now I’m seeing a lot more of these situations where if something happens, then the company I’m dealing with says, I’m going to text you a code and then you implement that code, and that’ll kind of verify that you’re who you say you are. Is that a trend that’s happening that’s really protecting, or is some of this kind of theater, security theater?
Christian Hyatt: [00:03:40] I think it’s good. I think companies are really trying to take consumer security seriously, so they’re trying to implement steps to make it more secure for you to use their platforms. So a common example is, you know, you look back even five years ago and you’re using a bank, you pretty much used a username and password to log in, and that’s it. And you didn’t have many other options. But what you’re seeing now is you have an option to get that secure text message or to use like what we call an authenticator app on your phone to add some additional steps to log into your account. And even if you call in to get support from these companies, you’ll notice that they’re asking questions that are helping verify your authenticity, your identity, or they’re sending you the text messages to ensure that it’s really you talking. And these are all good steps. So this isn’t just security theater. What happens functionally is if you’re a large organization, people call in and pretend to be you, and it’s a fraudulent situation. They’re trying to get your information, trying to get your password reset or trying to get your phone number changed so that they’re getting a fraudulent text. So the big banks, the big companies want to verify that it’s really you so that your account doesn’t get compromised. So this isn’t security theater. These are good steps. This is stuff that companies are taking seriously and really trying to help protect their users.
Lee Kantor: [00:04:58] And then from a company standpoint, they’re trying to help you get what you want as fast as possible and as kind of simply and elegantly as possible. But I think as individuals and maybe as customers, too, we’re accepting of these extra couple of steps to verify because we are a little paranoid about all the threats that are out there.
Christian Hyatt: [00:05:22] Yeah, this is the age-old problem in security. There’s always this balance between ease of use and security, and generally in business, the more steps you add to be able to do business with the company, the fewer users that want to take those steps. But I think as people are becoming cognizant of the need to secure their identity and their financials, they’re accepting these steps, which in turn gives companies flexibility to implement those steps. So this is a careful balancing act between how hard do you really want to make it to use a product? Because if you get a new fun toy to play with, an app, you want to use it immediately. You don’t want to have to go through 17 setup steps, but if you’re cognizant of the reasons why you need those steps, then you’re more willing to do it. So it’s really a balancing act between the consumer and the company helping educate each other and understand what’s the right balance of security and ease of use. And we’re seeing that balance, I think, go a little bit more towards the security side of the house, which is definitely a good thing.
Lee Kantor: [00:06:19] Now is there a future where there are no passwords, that it’s all going to be based on some sort of biometric?
Christian Hyatt: [00:06:26] I think that that’s true. You’ll hear buzzwords out there like biometrics, and you also hear something called blockchain, which you might know because you’ve heard of bitcoin. And there’s definitely some technologies today to do identity verification without the use of a username and password, without even doing biometrics, where you can have like a secure key or a secure token to verify your identity. Think of it like a really long Social Security number that only you know and that only you store. So those technologies exist today, where you can, with a high degree of certainty, verify somebody’s identity. What we’re seeing is it’s back to that ease of use and security use case, and we’re still working on how to make this really easy to use, because the technology exists. But if the average user can’t use them cleanly, efficiently, effectively, then they’re not going to roll out. So we’re still working on that piece of it. But I would say if you look out a decade or even five years, you’re going to see more and more tools and technology where there’s no username and password involved, there’s some other type of identity verification mechanism.
Lee Kantor: [00:07:27] Now are the bad guys the same bad guys as they were, you know, five, 10 years ago? Or are these kind of new bad guys in terms of this? They’re finding it easier to get into this line of work and then it’s attracting a different type of person that’s, you know, kind of thinking of things and trying to steal and harm folks.
Christian Hyatt: [00:07:48] Yeah, I think there’s the old guy in the basement with the hoodie on that a lot of people think of when they think of the bad guy or the hacker, but that’s truly not who it is. There’s kind of three different potential organizations that you need to be concerned with. There’s hacktivists, that’s folks that, you know, they have problems with society or government, so they’re going to do it from an activist perspective. You have advanced persistent threats, which is like the nation state, Russia or China, when you’re thinking of those kind of folks, and then you have the criminal organizations, and sometimes there’s a lot of overlap between those different groups. But it’s largely the same figures, you know, the nation states out there. Everyone’s seen the headlines about Russia and China, which is largely true. Those are very important groups that are doing the hacking out there. And there’s the criminal organization, but the same actors. But the thing to realize is how organized these groups are. They’re like businesses, they have business models, recruiting mechanisms, they have HR, they have revenue generating activities, playbooks, formal training programs. And if one of those groups wants to go after you, it’s really difficult to defend. So that’s why companies are having so much trouble, because they’re so organized.
Lee Kantor: [00:08:59] And then those hacktivists and those nation-states, in their eyes, they’re the good guys, right? They’re the ones who see this evil that they’re trying to, you know, punish in whatever means they’re doing so. You know, it’s like they say that the terrorists or freedom fighters are kind of in the eye of the beholder. These people think that they’re doing work that’s helping their cause and their cause is obviously not our cause, and it’s not something that we’re fond of, but in their mind they’re doing what they should be doing, right?
Christian Hyatt: [00:09:34] Well, I mean, it’s warfare. You know, the U.S. government is doing the same thing. We have probably the best in the world in terms of cybersecurity apparatus, and Russia and China have a very similar apparatus, and it’s not gun fighting anymore, but it’s a very real combat situation where, you know, it’s one nation versus another. And if you talk to folks that work for U.S. Cyber Command, they feel like they’re serving their company and they’re acting in the interest of their country. And similarly, I would imagine if you ask a Russian or Chinese or Korean or whoever else, you know, are they serving the interests of their country? They would feel justified in doing so, too. So this is just a new form of warfare at scale that happens to be borderless. You can easily cross a border and impact the U.S. company. So you’re tying up the average U.S. citizen and company instead of being in some distant battlefield.
Lee Kantor: [00:10:27] So now in your work, companies are coming to you because they feel threatened, obviously, and they have to be proactive. They can’t just wait for this. They can’t solve it internally. They need third party and specialists like yourself and your team to help them.
Christian Hyatt: [00:10:44] Yeah, that’s right. So, you know, a company approaches us and they need the playbook. They are aware that this is a problem, they’re aware their organization could be at risk, but they don’t know how to get from point A to point B. And we come in and we help understand the business and we have the playbook when it comes to cybersecurity. How do you build a security program that’s aligned to those business objectives, that will ultimately balance what you’re trying to accomplish as a business, but also protect that business? And like you said, that’s how we’re helping a lot of companies.
Lee Kantor: [00:11:17] So now is the point of entry for your firm around cybersecurity and protecting your client from the bad guys getting in? Or is it about helping that company in terms of keeping their content and data safe in terms of privacy to help serve their own clientele? Or is that a kind of a blurring of the lines of what you do? It’s the same activity, but maybe it has a different objective for the client.
Christian Hyatt: [00:11:48] Yeah, so I think clients typically approach us from two perspectives. One, they want the roadmap on how to build a security program to protect themselves. The other phenomenon that you see is most of our clients are business to business clients. They’re a SaaS company doing business with a very large company. And it’s actually a business preventative thing. So let’s take the example: I want to do business with Bank of America. Well, Bank of America very well isn’t going to let just any business do business. They’re going to feel very good that before you connect systems and you start doing work with them, that you have a security program and you’re not presenting an additional risk. So we’ll help those organizations articulate their security story. So in preparation for doing business with Bank of America, what do you have to do? What kind of security program do you need? What kind of certifications do you need in place? And suddenly security becomes a lot more than just a risk management thing. It becomes, Hey, to get this revenue I actually have to have a security program to speak to, which is a very interesting kind of economic thing that’s happening, where a lot of the enforcement and the reason behind building a security program isn’t regulatory, it isn’t risk management, but it’s actually to get that revenue and that next sale. I have to have a security program built out and certified. And so a lot of the customers that call us are on that side of the house, too. This is a revenue generating activity for them.
Lee Kantor: [00:13:05] Now it’s also a regulatory issue because in health care, right, like I can’t just participate in the health care supply chain without having some level of security. That’s kind of blessed because I’m putting my if I’m vulnerable, then I’m putting every other vendor that’s dealing with this health care company at risk.
Christian Hyatt: [00:13:26] Yeah, that’s a great point. One of the things that security is very focused on right now is the supply chain. So if you think what it takes, how does the hospital serve their customers? Well, they’re probably using several dozen vendors to do that, to provide care, to issue payments, to collect records and communicate with the end user. And when you look at that supply chain, a lot of those are SaaS companies or B2B companies. So let’s just take the example of where your medical records are stored. Well, not just anyone can store medical records, and to your point, there’s a lot of regulations like HIPAA and others that mandate organizations have certain security and privacy mechanisms in place to protect that data before they can do business. So another popular way, you know, a health care company, ABC, gives us a call. They want to enter a certain market or serve a health care sector or financial services sector, and there’s a litany of different compliance requirements that they have to meet. So they have to interpret those compliance requirements, but also implement them without burning down the business in the process. And that’s something that we’re very good at navigating.
Lee Kantor: [00:14:30] So now say your clients are like you said, B2B, these SaaS companies, I would imagine finding fintech and health care I.T. organizations.
Christian Hyatt: [00:14:42] We’re very lucky in Atlanta right now because we kind of have a booming tech scene, as seen by some of the recent kind of companies that have been acquired or receive funding. But the way we describe our client base is high growth technology companies. So if they’re a business to business SaaS company, high growth tech, that is our target market and we serve those folks very well. They have very important security and compliance initiatives and we fit in really well.
Lee Kantor: [00:15:07] So now let’s talk a little bit about the Atlanta tech scene. You’ve been here for a minute. How have you seen it evolve over the last 10, 15 years?
Christian Hyatt: [00:15:16] You know, when I first started my career, I went to a big company and it wasn’t even on my radar, and we’re talking about 15 years ago, to join a startup or a tech company. I was going very traditional consulting route. And what I’m seeing today is when I’m talking to when recruiting off campus from Georgia Tech or UGA or any of these schools around Atlanta, it is very much on their mind to potentially go work with a tech startup or a technology company. Then you see the amount of funding that’s coming into the Atlanta area, some large institutional investors that are willing to bet on Atlanta companies. You’re seeing Atlanta companies go public or exit. We have MailChimp recently, just so we had a store here in Atlanta that became a unicorn, got a $1.1 billion valuation. So I think there’s something in the water, there’s great universities, there’s great business people. There’s actually a second generation of tech entrepreneurs that have sources of funding, that have a playbook and have mentors. So I think that you’re just going to see the Atlanta tech scene continue to be an important one here in the U.S. All things considered, it’s just a great and growing industry.
Lee Kantor: [00:16:25] Now are you seeing that the success of Atlanta and the Atlanta tech scene kind of bleed into other southern cities? Are you seeing the same thing? I’m seeing it in Nashville. You know, North Carolina obviously has been a tech hub for a while, but there’s other secondary cities that are now kind of raising their hand and saying, Hey, I want a piece of that too.
Christian Hyatt: [00:16:47] I think so. Even some small cities that aren’t major cities, like Huntsville and Atlanta has a handful of tech start ups. Greenville, South Carolina. You’re seeing Charleston, even in Savannah a little bit, so they’re popping up. And I think it is just that second and third generation of tech entrepreneur that has seen someone in their ecosystem do it. They have mentorship. They have funding. There’s a playbook. And that’s also just the environment as a whole, gaining more confidence in the southeast. You know, this used to be if you were in New York or Silicon Valley, you could pretty easily get funding. But seeing the South and the southeast win, I think, is giving some investors some confidence that, hey, these are safe bets. These folks really know how to do good work. They have mentors, they have a playbook. And I think all of that together is, you know, good for Atlanta, but also good for the southeast in general.
Lee Kantor: [00:17:38] Now are you seeing that the kind of remote workforce accelerating our growth because people can work from anywhere now? Maybe some folks are choosing the South because of the cost of living and access, and you’re still getting kind of the best of both worlds. And, you know, now you can live anywhere and work anywhere.
Christian Hyatt: [00:17:59] Yeah, I think remote work’s yet to be seen how it’s going to impact, so the South has traditionally had an advantage because of the cost of living from that perspective. You know, you could come here, make an equivalent salary, but have a great life because the cost of living is so low. So there’s always been somewhat of an advantage to move to a big city in the southeast. With the remote work, you know, how it’s impacting us at Risk3sixty is we’re accessing talent from all over the U.S. and we’re learning how to recruit that way. Learning how to be productive and engage remote employees in that way. But it’s helped us be competitive in terms of who we have access to in terms of talent, and also our clients’ willingness to work remotely as well, so we can have consultants all over the country, best in class consultants, clients that are willing to work with them remotely. So I don’t think that it’s making just the Southeast or Atlanta more competitive. I think it’s making all companies, especially small businesses like ours at Risk3sixty, really competitive because we have access to such a large talent pool and we’re also agile. We can adopt this remote work situation really easily, really quickly. And that’s a little bit of a competitive advantage versus a really large company that we might be competing with.
Lee Kantor: [00:19:09] And then does this kind of trend towards remote workers just feed back into your core business that now you need to protect that, you know, the information going back and forth in a secure manner?
Christian Hyatt: [00:19:22] Absolutely. I get that question all the time. It’s like, what do we need to be thinking about because we have a remote workforce and you know, everybody has a laptop that they’re doing business on, it needs to be secured. Now you have employees accessing email from all over the place. There’s new apps like Zoom and others, video conferencing tools that are new attack vectors from an outsider. So there’s a bit of a strategy update, especially if you’re doing remote work for the first time. You know, I have a couple of clients that have thousands of employees that were largely on site, now going offsite and remote, and that’s a thousand new laptops that you have to provision a thousand new entry points for potential outsider. So a lot to think through there. But bottom line is, I think this is the new normal in some ways, like the flexibility being able to work remote. So it’s also the new normal for a cybersecurity strategy as well.
Lee Kantor: [00:20:14] So now before we wrap, can you share some maybe low hanging fruit, some easy things that folks can be doing to just be more secure in their work or their personal life when it comes to cybersecurity?
Christian Hyatt: [00:20:28] Yeah, absolutely. I think whether you’re a business or you’re an individual, there’s a few things you can do. Number one is just vigilance, so be mindful of any phone call that you receive, any text message and email. Pretty much every new hire at Risk3sixty gets a fake text message, saying that they’re me, asking them to send them gift cards. So if it looks suspicious, it probably is. So just be vigilant. The other thing is implementing multifactor authentication. So anything that you’re logging onto, whether it’s a bank, your email, don’t just use a username and password. Go ahead and set up multifactor authentication, whether you get a text or use an authenticator app. And the last thing I’ll say is just your endpoint device. Everybody has a laptop. You know, installing some basic antivirus on that laptop will go a long way for most organizations.
Lee Kantor: [00:21:16] So now, if somebody wants to learn more about your work, what is the website that they can get a hold of you or somebody on your team?
Christian Hyatt: [00:21:24] Yep. If you want to check out Risk3sixty, you can check out risk three six. That’s www, risk, the number three, the word six
Lee Kantor: [00:21:35] Risk, the number three, six. Wired.com. Christian, thank you so much for sharing your story. You’re doing important work and we appreciate you.
Christian Hyatt: [00:21:44] Thank you very much, Lee.
Lee Kantor: [00:21:45] All right, this is Lee Kantor. We’ll see you next time on Atlanta Business Radio.