Ep. 280: Christian Hyatt - Best Practices for Cybersecurity and Compliance in Business
Welcome back to another episode of Count Me In. I'm your host, Adam Larson. And today, we're diving into the world of cybersecurity with Christian Hyatt, cofounder and CEO of Risk 360. Christian's journey is intriguing. He began in public accounting before transitioning into cybersecurity, where he's made significant impacts.
Adam Larson:In this episode, we explore the evolution of cyber threats and the sophisticated criminal organizations behind them. Christian shares the challenges of regulation and compliance, the macroeconomic forces driving cybercrime, and the importance of building a strong internal cybersecurity culture. Whether you're part of a large corporation or small business, Christian offers practical advice on boosting your cybersecurity measures. So get ready for an enlightening conversation that you won't wanna miss. Let's dive in.
Adam Larson:Well, Christian, I'm really excited to have you on the CalMeIn podcast, and you are an expert in cybersecurity running your own firm. But you did start in cybersecurity, and maybe we can talk a little bit about your background, as we get started.
Christian Hyatt:Yeah. Absolutely. So, probably like so many people in the audience, I I started my career in public accounting. I graduated college from the University of Georgia, and I wanted to get into consulting. And, like so many of us said, you know, 22, what is consulting?
Christian Hyatt:Who knows what consulting is? So, I was recruited heavily out of the big four. I end up going to Grant Thornton, which was the 5th biggest accounting firm. I think they've dropped a couple of spots. I think they're, like, the 6th now.
Christian Hyatt:But, the reason I went over there is because they were, they had a cybersecurity advisory arm. And, kind of the way I was thinking about it was it was almost a startup inside of this 50,000 person firm. So I was like, cool. Well, I'll do that. And then ended up being awesome.
Christian Hyatt:I was able to, help out on all sorts of engagements. I got, the opportunity to to sell to customers very early on because it was kind of a new practice. So I was a 22 year old helping put together proposals and sitting on sales calls. I was helping figure out what report deliverables should look like, which was which was really exciting, figuring out delivery methodologies. And, over time, I realized just how big of a problem cybersecurity was and how much it was impacting society and us individually as well as, of course, businesses and how big of a business problem it was and, and just went on from there.
Christian Hyatt:I always had an entrepreneurial bug, though, always. So I wanted to do that. I'm getting my mentor talk to me in getting my MBA. So I went to Georgia Tech, got my MBA, met my business partner. I got a partnership opportunity in accounting firm, so I was kind of on the fence.
Christian Hyatt:Do I go to partner out, or do I take the entrepreneurial leap? And and so I decided to make the leap, and I knew my backup plan was all pretty employable. Could probably go get another job. And, my very first client was a $30,000 client. I knew that was enough to pay the bills for a while, and I was hopeful that I would be able to figure out the rest.
Christian Hyatt:And and sure enough, you know, almost 10 years later, we've we've built a pretty solid company about something we're passionate about.
Adam Larson:That's awesome. And so what are what what is what is what is risk 360 doing? What what are what problem are you guys solving?
Christian Hyatt:Sure. So, well, you know, one of the biggest problems in cybersecurity is for organizations and is, regulation and compliance. So there's all these acronyms, SOC 2, ISO 27,001, PCI DSS, you know, the whole alphabet soup of different, requirements that organizations often have to do. And, most organizations are spending an incredible amount of time and effort getting those certifications and maintaining those programs. And what risk 360 does is sometimes we're the auditor, so we can issue some of the certifications.
Christian Hyatt:More often than not, an organ we're helping an organization implement a program for the first time. So maybe they hear some new acronym like ISO 27,001, and they don't know how to get started so we can help them implement that program. And then often, they don't even have the people to do it. So they'll outsource the whole function to us. Almost like outsourced accounting, but outsource compliance as a service.
Christian Hyatt:And then we have a platform called Full Circle that helps harmonize all of that. So our bread and butter is if an organization has 2, 3, 4, 5, 6, 10 of those different, requirements that they have to comply with is we help them harmonize that, build one streamlined efficient program to manage all of that, and then give them the consulting resources to help with that as well. So that's that's who risk 360 is.
Adam Larson:Wow. I mean, you guys are doing some awesome things because when it comes to cybersecurity, it's kind of like this mythical world. You know, you always think of, like, the anonymous things with the face mask and the the the weird thing with the matrix, code running down the screen. But maybe you could kinda help us on help the the audience understand, like, who are the bad guys really out there when it comes to the when who are we protecting ourselves from?
Christian Hyatt:Yeah. So something pretty interesting happened over the last couple of years, in that, there's a ransomware crew, one of the biggest organizations, criminal organizations that we know about named Conti had some, internal turmoil and ultimately, dismantled. But upon their demise, one of their members leaked, a lot of internal documents on Twitter. So for the first time, research organizations like NSA and and the UK intelligence services were able to comb through those documents and see who are the bad guys. Like, what are they all about?
Christian Hyatt:And what we found was that they are very much not unorganized hackers and hoodies that we would like to believe them. These are sophisticated, well organized organizations, to the point that they have, defined and documented organizational structures. They have different departments. So for example, Conti had a an r and d group. They had an operations group.
Christian Hyatt:They had negotiators for for the scheme that they were running. They also had an accounting and finance department. They had human resources. They ran payroll biweekly just like any normal company. They did performance reviews.
Christian Hyatt:They had SLAs for help desk. They, it was just a real organization with policies and procedures and everything that you would believe it to be. And that is to the extent of the the criminal organizations that we're up against are these highly organized efficient machines. And then what surprised me most as an entrepreneur is that it is the the revenue and the margins these companies operate at. So Conti, they were doing about $200,000,000 in revenue, per year, and that's not the incredible part.
Christian Hyatt:What the incredible part is is they had about 80% margins. So you can just imagine. If you're thinking about why does this why is this happening? Why does what are the incentives that get these criminal organizations to keep doing this? And you're talking about organizations that largely operate in the second and third world making $200,000,000 in revenue with 80% margins.
Christian Hyatt:So there's just an incredible amount of incentive for for organized crime to continue to do this, and it's not the hackers in the hoodie. It's very organized, sophisticated organizations that we're up against.
Adam Larson:You mean they're not dark rooms with loud, techno music playing all the time?
Christian Hyatt:I didn't say that. They might be in dark rooms with techno music. But
Adam Larson:Okay. So, you know, our these organizations aren't paying taxes, but, you know, our government's finding them out, and are are they helping the GDP so much that they don't wanna dismantle them? Like, what's going on?
Christian Hyatt:Yeah. So, you know, a lot of times people ask, like, why why doesn't the US government do something about this? Why don't we go over there, stop the bad guys, put them in jail because they're causing so much havoc on the economy? And the reason that the the government's largely permit us to operate is because we're riding this really fine line between a a hot war and, you know, keep it quiet, low simmer economic war. So Mhmm.
Christian Hyatt:Cybersecurity warfare is very real. But if we were to go to Russia or China and extradite some guys, you know, like, grab them and take them back to the United States, that could that could start a very real hot war. So the United States and Russia and China and others, all the players in this game are highly incentivized to keep this at what I call just a low simmer. So the way that that functionally operates is the bad guys, they're pretty much free to operate to, I use free in quotes, free to operate if they don't do too much damage. You know, they can attack financial organizations.
Christian Hyatt:They can attack corporate organizations. What they can't do as a rule is attack critical infrastructure or attack hospitals where human life would be at risk or attack military units or anything like that. That that would that would trigger a possible hot war. So you'll even see in, like, the hacker forms where they're releasing these tools. Sometimes they'll even put up, disclaimers and appropriate use of using the tool.
Christian Hyatt:So maybe they they release a ransomware tool, and it'll explicitly say, you know, don't use this on hospitals or critical infrastructure and so on and so forth because there's kind of this honor code amongst thieves where they kinda know the scope and boundaries of how they're permitted to operate as well as geopolitically. You know, China and Russia don't wanna do too much to the US. The US doesn't wanna do too much to China and Russia because they don't wanna kick off some bigger thing. So we're in the kind of in this limbo ground where think people are permitted to operate as long as they don't go too far, and it's kinda kept quiet and hush-hush and and political. And and that's my read on why they're they're still operating and why it's such a big issue still.
Adam Larson:Wow. I it doesn't surprise me, but it's still surprising that that happens. But it it kinda goes like, you know, the cops don't always arrest the the the person peddling drugs in the corner because they wanna get the person who gave him the drugs or who sold them the drugs. It it's it seems kinda like that where they don't wanna go for the small fries. And as long as they're not doing anything too crazy, they'll leave them be.
Christian Hyatt:Yeah. I think it's a little bit like that. And I I think about, like, why why is all this hap why isn't this so popular? Mhmm. And, you know, head of the show, I was thinking about some of the the mac the macroeconomic forces at play that are leading us here.
Christian Hyatt:So for example, one trend is if you look at cybercrime, cybercrime's, predicted to be about $10,000,000,000,000 criminal enterprise.
Adam Larson:Mhmm.
Christian Hyatt:And just for context, that would it's about the 3rd largest economy after the US and China. So just an incredible scope. It's also larger in outpacing the criminal drug trafficking. So as far as criminal organizations goes, it's very, very lucrative up there the top. So that's kinda one factor.
Christian Hyatt:Then you have the second factor where we're creating more data than we've ever created before, like, just mass digitization. You can think of Internet of thing devices, your cell phone, your smartwatch, so on and so forth. And we create more data. We've created more data in the last year or 2 than we've created in all of human history. It's it's in the zettabytes.
Christian Hyatt:And just for a little bit of context, if you were to write on a piece of paper, you know, a typical piece of paper in 12 point font front and back, and you just started stacking that, that stack of paper would reach to the next galaxy. There aren't enough trees in the world to to print that much data, and it's growing that much every it's growing more and more every year. So it pays to pays to seal. Cybercrime's huge. There's more data created than ever before, meaning there's more stuff to steal.
Christian Hyatt:And then you have this environment where organizations are more and more relying on third parties to do business. So, you know, if you're an accounting department out there, you might be outsourcing payroll or you're probably using SAP or Oracle or maybe even QuickBooks in the cloud. You know? Every it's you're not vertically integrated anymore. Your critical data doesn't just live with you.
Christian Hyatt:It lives with your 3rd parties. So it's not just you you have to be concerned about their cybersecurity. It's your 3rd parties. 2 thirds of all cybersecurity breaches in some years originated from third parties. That's how big of a deal it is.
Christian Hyatt:So from a macro trends perspective, you have cybercrime pays, you have more digitization than ever. All of the state is a steal, plus this reliance on third parties and this whole ecosystem, and it just makes it makes it right for cybersecurity to be a big problem and a growing problem.
Adam Larson:Which is all the more reason to make sure that cybersecurity is kind of up to snuff within your organization. So if somebody's trying to say, hey. You know what? I wanna, like, ramp things up, but I don't know where to start. What would be the first steps that they should do?
Christian Hyatt:Yeah. I mean, depends on depends on your size of of business. You know? Most businesses that like, the folks listen to this podcast, they're they're in an accounting department. So, presumably, their business has some scale.
Christian Hyatt:You know? So if I'm thinking about a business like that, it's like there's always this delicate dance that businesses have to play because they're they're trying to be profitable. They're trying to run efficiently, yet they have to build enterprise value, and they have to future proof their business by investing in critical infrastructure, IT, and cybersecurity, which is often a cost center. So what is the right balance between investing in the future of your company and the risk management of your company, but also being very diligent with profits and and your budgets, especially in today's economic environment where we're all trying to be lean and trying to do as much as we can to help our company's profitability. And I think that's where, like, accountants can can help think through that problem.
Christian Hyatt:Like, what are the ratios that make sense for investment? Because that's where CSOs need help. So, CSOs, chief information security officer. So that's the problem that we have as security professionals often is, you know, given infinite budget, we would do infinite things to protect the business. So we have to strike that delicate balance of of budget versus risk management.
Christian Hyatt:And I think there's an important partnership between CFOs and accounting and the security department to understand what the business needs out of cybersecurity. So if you go back a few years ago, there was a it was a time of rapid investment. The economy was booming. There was a lot of private equity money out there. Venture capital was was, giving money out, so you could proactively invest in cybersecurity.
Christian Hyatt:In today's environment, organizations are largely trying to get lean. They're trying to get efficient. Cybersecurity is often seen as a cost center. So CISOs are kinda left scratching their head. What does the business need out of me?
Christian Hyatt:What's that balance between risk management and and spending on the budget? And I think that's a really good conversation with CFOs or accounting professionals because CFOs and accounting professionals are also at the intersection of risk management and budgets and finances and profitability. And I think I say all that to say, I think there needs to be a conversation amongst executives about how to invest and get the most out of your money, more so than the what you should do because there's almost an infinite number of things that you could do if you're trying to get one off the ground. Does that make sense?
Adam Larson:It does. It really does. Because, you know, you have obviously, the finance and accounting team has to be a part of the conversation, you know, because you gotta know how much you can spend and what's best for the organization, so bringing them into that strategic conversation. But I think more importantly is you have to recognize that this is a key element that needs to be paid for or else you could lose a lot of things.
Christian Hyatt:Yeah. Absolutely. I mean, one of the challenges we have is in the security community is, you know, the organization is governed either by board of directors or executive leadership team. And, often there's an audit committee, there's risk committees, and trying to decipher what the organization wants is is very difficult and what the organization needs. And security professionals, what we do is we often get in our foxhole.
Christian Hyatt:We're very plugged into the risk and into the headlines and to all the possibilities that could happen. We're often less plugged into the business objectives and the budgets and the things the board wants and the what what's happening at the audit committee and all those kind of obligations. Whereas accounting professionals are just so plugged into that. And, and I don't think they talk enough. I really don't.
Christian Hyatt:I don't think cybersecurity and finance and accounting leadership, are at the same same table often enough, and I think there's a huge opportunity to get at that table, talk about what the businesses need, and strike that balance between risk management and cybersecurity.
Adam Larson:What does that conversation look like between the cybersecurity and the CFO? What does that conversation look like?
Christian Hyatt:So one of the things I've found, when I'm coaching organizations, we'll help them build security programs. And the number one problem that I see is that there isn't a form for them to talk. Like, there really isn't a space dedicated for the CFO or similar to talk to the security team. So the the worst case scenario is that the conversation goes undone. There just is no conversation.
Christian Hyatt:So one of the first things that we recommend when we walk in organizations is, like, yeah. You gotta figure out your governance strategy. So the the word we call it is we call the information risk council. And what that does is that gets security leadership, technology leadership, and often the CFO, maybe even legal at the same table to talk about organizational risk. And it starts with education.
Christian Hyatt:So often a CSO will do a maturity assessment and say, hey. Look. This is the current maturity of the organization. Here's our biggest gaps. Here's some opportunities for improvement.
Christian Hyatt:But the thing is the CSO can't just go start maturing the organization because it might be out of alignment with the key business objectives of that organization. So an easy example might be, hey. My business is really focused on, growth in the health care sector. Well, that's good to know because the CSO needs to be thinking about HIPAA and protecting health care data and so on and so forth, and they would invest in that. Alternatively, they might find out, hey.
Christian Hyatt:Our organization is cutting cost right now. We have to get to profitability. We have to be extremely lean, so we need to be outsourcing key functions. We need to consolidate tools. Well, that's a very different conversation.
Christian Hyatt:And if the CISO and the CFO and the leadership team aren't having that conversation, there's a huge opportunity for the CISO just to go off in the right direction, thinking they're doing the right thing but not doing the right thing. So my biggest piece of advice is to get everybody at the same, table and be crystal clear about what those business objectives are. Allow the security team to align their activities to those business objectives, And the CFO and accounting professionals have such good business acumen. You know, they can ask hard questions to ensure alignment. So for me, that conversation looks like alignment.
Christian Hyatt:It's it's about clarity of business objectives and then ensuring alignment and then being a partner with the the security team to help make sure they're they're in alignment with the business objectives.
Adam Larson:Can we talk a little bit about the you know, you talked to you said that a lot more organizations are, you know, kind of outsourcing more of the things like HR is over here and this service is over here. How do you have a comprehensive security plan when you're using so many other vendors? How can you align all that together?
Christian Hyatt:Yeah. There's this whole ecosystem of third party risk management and certifications. That's that's a big piece of what risk 360 does. So what typically happens in organizations is you kinda hopefully have an inventory of your key vendors that have key data. I'm gonna use a a payroll provider in this example.
Christian Hyatt:Well, you first of all, you need to vet that vendor. What does their security program look like? That's typically done in the form of questionnaires. And more often than not, contractually, there's some commitments, and you're also expecting that vendor to get some kind of third party attestation. So that could be a SOC 2 report, an ISO certification, something like that.
Christian Hyatt:And then you're gonna rely on that 3rd party. This is where a lot of accounting firms do. You know, they're doing their attestation reports and and vetting that vendor. So that's kind of the that's the ground that's step 1 is just really thorough and meaningful third party risk management. And then the second thing that I think, happens is just having a really deep relationship with your vendor.
Christian Hyatt:Like, I I know for some of our biggest clients, we try to get away from being transactional, and we really try to plug in to what what they're trying to accomplish as a business and how we can support them do that. And we actually coach our clients through how to manage us. Like, how do you have a meaningful conversation with your your vendor that's in alignment with your business objectives? And you probably only wanna do that with your biggest key vendors, but it needs to happen. So you probably assign a relationship owner.
Christian Hyatt:So the long story short is it's complicated, and there needs to be a program around how you manage third party risk. And that often is, again, at the intersection of the CISO who's managing third party risk and the CFO who's probably involved in procurement and paying those vendors. So it's another topic where there's gotta be a a huge amount of collaboration between those 2 to manage the risk.
Adam Larson:Yeah. There really does. There has to be a lot of collaboration, and you have to you have to be really organized internally in order and and have a lot of communication between the because, you know, your CFO has to talk to your IT. He has to talk to the the the the CISA. Right?
Adam Larson:The the chief the I don't
Christian Hyatt:even know what that means. Chief information security officer. Yep.
Adam Larson:There we go. I know you said it earlier, and I was like, I lost it. But that but if you have a big enough organization, there has to be great communication for all those things to be in in alignment in order to better help the organization.
Christian Hyatt:Absolutely. I mean, our tendency is to kinda operate in our silos, develop centers of excellence. And so easy to say if you're in a security professional, why does accounting or finance care about what I'm doing? And conversely, it's so easy if you're in accounting and finance to say, those are IT guys. They're the cybersecurity team.
Christian Hyatt:But when you really think about objective alignment, budgets, risk management of the organization, there's so much in common, and it requires that amount of collaboration.
Adam Larson:So are there key metrics? I mean, obviously, every organization is different, but are there certain key metrics? Do you gotta put, like, a sticker on the wall that says days without a hack, 0 or 5 or whatever? Is that your key metric, or are there other key metrics you should be looking at as a organization?
Christian Hyatt:Yeah. I mean, there there are many. If if I was an executive, some some of the ones I would be looking at, and I'm gonna harp on this all the time, is, business objective alignment.
Adam Larson:Mhmm.
Christian Hyatt:Like, I know that's not a KPI. You can't really put a number on that, but you can examine a plan. And it's how how aligned is the security organization to those business objectives and a lot of challenging of that. Like, it's or is what you're really doing really helping the business? Is that in alignment with what we're trying to do?
Christian Hyatt:Like, that in of itself is like a KPI milestone, something that needs to be challenged over and over again as the organization changes. That is a key one. I think, measuring security efficiency, is important. Ways to do that is to, think about, how are you spending your money in terms of tools? You have too many tools versus not enough tools.
Christian Hyatt:Are you hitting your budgets or exceeding your budgets? Those are important. Vulnerability scans is an easy one. So what most security organizations do is they're continuously scanning and evaluating their organization. They'll find a vulnerability, and then they'll do their best to close that vulnerability in a timely basis.
Christian Hyatt:So how fast can they do that? I would also look at cultural things like employee retention. Because if you have a really healthy culture and you're retaining top talent, things kinda take care of themselves. And not that I rarely see that as a KPI and a security team, although security tends to be very high turnover. So those those are a few that may maybe people could look at.
Adam Larson:Mhmm. That makes sense. You know, speaking of culture, is there, like, an internal education that needs to happen with an organization? Especially if, you know, let's say, an organization comes there to you to risk 360 and say, hey. We're doing all these things together.
Adam Larson:Now when they're implementing that, you know, what what does that look like inside of an internal culture as you're changing the organization?
Christian Hyatt:Yeah. So, a piece of context is that if you look at, like, almost all, most of the cybersecurity attacks are from someone, an employee clicking a link, having a laptop stolen, getting scammed, something relatively simple. You know? Just just someone getting scammed. And the most effective way, to prevent that, absent technology, there's some tools that can help is employee vigilance.
Christian Hyatt:You know, you see the email come through and you recognize that as a possible scam. Someone calls you and asks you for a bank account number and you question them and you're vigilant and you hang up and you call back and verify that it's legitimate. So those tiny behaviors throughout the organization are a really powerful way to protect the organization. So security teams go to great lengths to try to build security culture within an organization. The problem is is you'll you'll see things like phishing training or or the security team will say, hey.
Christian Hyatt:Sign up sign this policy, this annual policy awareness, or take this security training that you have to do. And what do people do? They they watch the training, click, click, click, click as fast as they can to get through it, probably don't, watch it deeply. It also feels annoying. You're like, it's just another admin task, and I'm already so boring.
Christian Hyatt:I think the reason employees tend to feel that way is because they don't have the context as to why this is so important. So, some of that one of the things that I think organizations do really well and I actually spoke at one of our clients today. They had an all hands meeting, and they invited me to come speak and talk about cybersecurity for an hour and do q and a. And I've done that kind of thing before, but what that did is it just it engaged the workforce. I was able to give them a little bit of context and make it very personal to them.
Christian Hyatt:Like, this is how it impacts you and your family. This is how it impacts your business and why it's important. And then all of a sudden light bulbs were often people. I'm like, oh, man. This is critical for our business to succeed.
Christian Hyatt:This matters to me in a very real way. Oh, and this is why our cybersecurity team is asking us all these questions and making and sending us training all the time. And and I think that little bit of just relationship building, whether it comes from a 3rd party like I just did, or if it's just your your security team doing the rounds and giving people context into why it matters, I I think just goes so far inside of an organization. Because when people have the context, they tend to take things a lot more seriously. So culture matters, and the way to get culture, I think, is through really strong relationships and giving people context.
Adam Larson:I think that's some that's some amazing advice, you know, even outside the cybersecurity kind of vacation. Yeah. Absolutely. Having a good culture with the organization is extremely important.
Christian Hyatt:Yep. Absolutely.
Adam Larson:Yeah. What about smaller organizations? Because, you know, not every organization is gonna have a CISA as you you know, you've been mentioning that title. Not every organization is gonna have that. And sometimes, you know, the information technology comes underneath the CFO suite and suddenly they're managing the CFO the accounting teams and the IT teams.
Adam Larson:You know, what advice would you give to somebody who's like, I need to get into this, but I I'm not a CISA necessarily.
Christian Hyatt:Yeah. I think the bottom line is is most organizations don't have any security people. They have maybe IT, and that might even be outsourced. So security by default becomes an IT responsibility. And, and that's just the reality of things, and that's okay.
Christian Hyatt:So the question is if you're in that situation, what do you do? So my advice, if I was gonna, like, assess IT for effectiveness in security, I would advise them to leverage the tools that they all are already have to the fullest extent. A couple examples. So one example is almost every organization is either using Microsoft 365 or Google Suite. Right?
Christian Hyatt:Those tools come with an abundance of security features. Examples would include multifactor authentication, single sign on. They can do login monitoring. And often, those are just features that no one's using. They haven't turned them on, and they're not using them.
Christian Hyatt:So maybe you if you're a CFO, you ask the question, hey. Will you go over all the security features that we're currently paying for and tell them tell me whether they're enabled or not and explain to me what they are and use that as a KPI to drive performance even if you're managing a third party. And if something's turned off, then you can ask the question, why is this off? And if it's turned on, you can ask the question, well, how are we using this? Can you show me an example of this in action?
Christian Hyatt:So that's probably, like, the number one piece of advice. Use your your tools that you're already using to their fullest extent because Microsoft and Google and others are doing us big favor by building security in fairly natively.
Adam Larson:Yeah. That's great. Like, look at what you already have. I love that. Especially for smaller organizations who might not be able to do, you know, spend the same spend, but you're already spending on another tool.
Adam Larson:Maybe that tool can help give you what you what you need to start off at least. For sure. Well, Christian, I think this has been a great conversation. I really appreciate you coming on and just chatting about cybersecurity within organizations with me, and, thanks again for coming on.
Christian Hyatt:Absolutely, Adam. Thanks, man.
Announcer:This has been Count Me In, IMA's podcast providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at www.ima net.org.