Christian Hyatt, CEO & Co-Founder of risk3sixty, knows the secret to building a strong cybersecurity team, and he calls it: Security Team Operating Systems. Walking through his entrepreneurial journey from inspiration as a young child to discovering his interest in the new phenomenon of cyber to co-founding risk3sixty, Christian covers every aspect of intelligent leading and team building. Ready to take your team to the next level? Christian knows 5 key elements you won’t want to miss.
[00:00] Tackling cybersecurity as a business owner in an emerging industry
[07:04] Building better teams with an emphasis on core values
[14:16] Noticing the potential of decentralized technology and data
[18:51] Stepping away from hands-on technician work to be the boss
[22:37] Leading healthy teams through missions, KPIs, and meeting cadences
Thank you to our sponsors Axonius and AttackIQ for bringing this episode to life!
Want to learn more about how Mindbody enhanced their asset visibility and increased their cybersecurity maturity rating with Axonius? Check out axonius.com/mindbody
AttackIQ - better insights, better decisions, and real security outcomes. That's why we partnered with them to create free cybersecurity trainings! Check it out at academy.attackiq.com
Where did the journey of wanting to be a cybersecurity and privacy business owner begin for you?
While many guests on Hacker Valley take the journey from technician to eventual business founder, Christian felt the urge to become an entrepreneur from a young age. Watching his father and grandfather run their own businesses, Christian understood the responsibilities of taking this journey and wanted to make an impact in an industry that was blossoming with potential. Cybersecurity came into Christian’s life later, when he was employed in the consulting industry, but he saw the potential for growth immediately and wanted to be a part of it.
“Along the way, what I learned about myself is I really love building teams. When we built risk3sixty, we were really culture-oriented, even from the early days. We were thinking about scaling the business, career plans, coaching plans, culture kind of stuff.”
What are some of the lessons you’ve learned in the process of building your team at risk3sixty?
Christian cites the books Traction by Gino Wickman and Scaling Up by Verne Harnish as two of his biggest inspirations and influences for team building early on in his entrepreneurial journey. Both of these authors heavily focus on the people element of professional teams, and Christian has implemented that same approach when forming cybersecurity and privacy teams at risk3sixty. The right people in the right positions will make or break a company, which is why risk3sixty has training and apprenticeship programs in place to build a strong foundation of skills with people who are passionate about learning and growing with the company.
“It turns out, if you get the right people in the door, you invest in them, you coach with them, you develop relationships, they're going to serve your clients like no one else is going to do it. They're gonna be part of that mission, they're gonna want to serve, and you do great work.”
Now that you aren’t as hands-on with security assessments as a CEO, what have you learned from the bigger picture, macro-perspective role you have now?
Many cybersecurity technicians feel understandably cautious about taking over C-level positions because of the lack of hands-on technical assessment work. However, for Christian, he’s enjoyed gaining a different perspective on the industry and learning the “why” behind the “what” as CEO of risk3sixty. As CEO, Christian is able to better understand overarching trends and changes in the security assessments his company performs and has the opportunity to talk directly with security executives about opportunities for growth and investment.
“You can walk into an organization and if they don't have a strong leader at the helm, they don't have a security team operating system, they're a little bit dysfunctional, I know already that I'm going to see some problems in there.”
What are the most important characteristics that you're finding for folks that are leading really healthy cybersecurity teams?
Security team operating systems are made up of the non-technical skills and characteristics that make a team effective. When Christian’s team at risk3sixty needed to home in on these specific elements, they narrowed it down to 5. Teams need to have a (1) defined purpose and mission to go after and a (2) core set of values to not only guide them through their work, but also understand their (3) set of expected behaviors and standards. There also have to be (4) consistent meeting cadences in place and (5) a solid, standard process of goal setting, KPIs, and score carding.
“A great team defines their purpose and mission. Usually, that’s aligned with a business objective. It might be about protecting data, it might be about customer trust, whatever it is that makes sense for that business, they've set a mission that that team can rally around.”
Hacker Valley Studio 00:07
Who says tech can't be human?
Growing a business is really hard, and that's not unexpected. It's just once you feel that you're like, "Man, it really is hard." And the reason it is hard is because it takes sustained discipline, patience, and consistency. You have to consistently put other people's interests ahead of your own.
Hacker Valley Studio 00:30
Welcome to the Hacker Valley Studio podcast.
What's going on, everybody? You are in the Hacker Valley Studio with your hosts, Ron and Chris.
Welcome back to the show.
Glad to be back again. We've brought in a special guest this episode into the Hacker Valley Studio. Our guest today is Christian Hyatt. Christian is the CEO and Co-founder of risk3sixty. He's passionate about building amazing companies, cybersecurity, and privacy. Christian, it's a pleasure and an honor to speak to you. Welcome to the podcast.
Thanks for having me, guys. It's a pleasure.
Outstanding. We were talking to folks on LinkedIn, and we said, "Hey, we need to invite more people onto the podcast. Who should we talk to?" And someone nominated you. But for the folks out there that don't know who you are just yet, tell us a little bit about your background and what you're doing today.
Yeah, so as you guys mentioned, I'm the CEO and Co-founder of a company called risk3sixty. What we do is we help build, assess, and help companies get certified. We mostly work with high growth tech companies, we work with companies all across the US and some globally, helping them build out cybersecurity and privacy programs.
Outstanding. So, when you got started in this crazy field of cybersecurity, what was it about this field that really enticed you and caused you to become an entrepreneur in it?
I always say this. I'm very blessed to be in the cybersecurity field. I have learned to love it over time, but I am absolutely not the person who is fascinated with cybersecurity, or even IT, long before starting a business. I graduated college looking for a job— this was back in the recession period. I wanted to be a consultant. Like many young college grads, I didn't know what a consultant meant. So, I got hired at a big consulting company and this is kind of as cybersecurity was becoming a thing. They put me on a couple of engagements and after being successful on a couple of those, I became the cybersecurity person. So, they started to staff me on engagements in cybersecurity, but what I really wanted to do the whole time was start a business. I always make the joke. I didn't care if the business was a taco stand or a coffee shop or a restaurant, it didn't matter to me. I just wanted to start a business.
I learned that cybersecurity was an emerging industry, it was very interesting. I felt like I was making a big impact. I saw the convergence of cybersecurity and privacy coming to a head. Then I took an opportunity to do an MBA as an inflection point for me to decide if I was going to take a partner route at a big public accounting firm, or start a business. I learned, through the course of doing that MBA, that I wanted to take the risk, start a business, and do that. The right place to do that, for me, was this huge phenomenon that has formed: cybersecurity. So, I made the leap, got one client, got two clients, got three clients, started hiring people, trying to do really good quality work, and ultimately, we built a business out of it. I'm just very fortunate, I think, to be in the right time and place where there's such an important thing, something to start a business out of.
Love that. I would love to hear some of your journey. Maybe this is your founders’ journey, right? The journey for you to really discover that you wanted to become an entrepreneur. I feel like, in cybersecurity, there's a lot of people in the industry that want to be technical. They want to know everything, they want to be able to secure or break all the things, but for you, it's a bit different. It's about building a company. So, where did that begin for you?
Yeah, I don't know where the origin came from. I've kind of tried to self-examine like, "Why does Christian Hyatt want to start a business?" My dad and grandad, they owned landscaping businesses, they were manual laborers. One of my passions today when I go home, I maintain my whole yard. But upon reflection, I think it's seeing them start a business, build something, even though it wasn't big, they built something. That kind of resonated with me. And then, growing up, and then also through college, and even in my consulting career, for some reason, my natural orientation was kind of business problem-based.
I saw how cybersecurity, for example, was a business blocker for many organizations. So, for example, a lot of our high growth tech companies can't do business with the big companies unless they can speak to cybersecurity. They need certifications to have access to those markets. So, that was an interesting business phenomenon to me. I saw how security breaches were negatively impacting businesses, that was interesting. I saw how security and privacy was impacting society and the way we think and data harvesting, things like that. All that was very interesting to me.
And then along the way, what I learned about myself, is I really love building teams. So, when we built risk3sixty, we were really culture-oriented, even from the early days. We were thinking about scaling the business, career plans, coaching plans, culture kind of stuff, mission, vision, values, types of things. That stuff really energized me, probably from a long history of playing sports and things like that. So, I think all of that stuff kind of converged for me and resulted in a business, and then we kind of limped along and did things off instinct that turned out to be correct to build a business around it. My business partner is also named Christian, coincidentally, I felt super fortunate to have met him. He's a West Point grad, just a stand-up guy, great business mind, and the way I met him was actually the first day of our MBA program. He was sitting in the front row, his nametag said, Christian. I thought, "Well, that's a really easy icebreaker. I'll go sit next to the other guy named Christian." And then, months later, we're still sitting by each other talking about how we're going to start this business. We were one of the only two people out of the MBA program that started a business, it's just like a little bit of luck along the way, too. So, that's kind of how I got here, I guess.
That's incredible. When you talk about building teams, I mean, that's such an important facet of being an entrepreneur, being a leader. When you started building your own teams, what were some of the lessons that you pulled from sports, or some of the other situations that you found yourself in throughout your life?
Yeah, I mean, building teams. So, I read a couple books early on in the entrepreneurial journey. It's kind of weird, when you start a business, certain things you read just hit differently, because they're so applicable to what you're trying to do in the moment. Two of the books that I read that really informed the way I think around team building, is a book called Scaling Up by a guy named Verne Harnish, and another book called Traction by Gino Wickman. Both of these books are kind of building a business 101 type books, and they put in place models. At the top of both of those books list were people. You want the right people to help you build a business, you want the right people in the right seats to make sure they're in the right roles to help you build that business. So, that's something that I took to heart as we were hiring our first employee.
We put together this model that Gino Wickman recommends in his book, it's called GWC core values. What that stands for is: Do they get it? Do they want it? Do they have the capacity to do the work? Do they align to the core values? We have five core values, and so we created the system that everybody that we interviewed had to score a minimum of 16, they have to do a case study, and then they have to pass the GWC core values test. So, that was one thing, just getting the right people in the door that aligned with the vision, had the right skill set, had the right attitude to help build the business.
And then, one of our core values is craftsmanship. We said: How do we get these fantastic people in the building and then turn them into master craftsmen when it comes to cybersecurity? So, then we created a coaching program, and we call it the journeyman apprenticeship and craftsmen program. At the end of the craftsman program, if you finish the whole curriculum, you get a custom leather apron. We just said, "Hey, what does it take to become awesome at your job?" And then that one-on-one touch, where you're coaching people, trying to develop them, investing in them, and it turns out, if you get the right people in the door, you invest in them, you coach with them, you develop relationships, they're going to serve your clients like no one else is going to do it. They're gonna be part of that mission, they're gonna want to serve, and then you do great work. It turns out if you do great work, well, you get more clients. So, there's literally nothing fancy into how we've grown the business. It's just really investing in people, the people delivering great work, and then clients wanting to do business with you because of that. That's worked for us so far.
Some of the things that you don't really get to hear about is the negative side of growing a business. Maybe not even the negative, but the side effects, the consequences that may surface. Sometimes you'll hear sayings like, "A bad apple will ruin the bunch." This is in the perspective of technology or people or processes. One of those elements just making it a very uncomfortable place to work. Throughout your experience, your founders’ journey and building this company for years now, have you seen any of that happen? Do you have any stories that you can share there?
Yeah, I mean, I think for me personally, as an entrepreneur, one of the things that I have learned is that growing a business is really hard, and that's not unexpected. It's just once you feel that you're like, "Man, it really is hard." And the reason it is hard is because it takes sustained discipline, patience, and consistency. You have to consistently put other people's interests ahead of your own. I think a lot of people think when they start a business, they're going to get success immediately, that first year is going to be huge. For us, we've had success along the way, but it's been very incremental. It's just required us to maintain discipline over a long period of time. I always make the joke to the team, I'm like, "Hey, success is easy. You just have to do the right thing forever, and you'll be successful." That level of discipline is just really hard, you can't really take a day off, you have to give people your time, even if you're not feeling it that day. That's the personal stuff. And then, when it comes to the team at large, some of the things that you don't see is, it all comes back to people. You kind of gave the analogy one bad apple ruining the whole bunch, but that is true. It's absolutely all about people. It's getting the right people doing the right jobs. It's everybody's in a constant stretch position, so you're trying to help people fail successfully. So, give them at-bats where they might fail, but it's going to help them grow, help them groom and coach them. So, it's always in the business books, focus on people, people first, but absolutely, if you're trying to grow a business, it is 100% all about the people. If you get that right, a lot of other things will fall into place.
Security controls fail everywhere, they fail constantly, and worst of all, they fail silently. That's why you need Attack IQ, the leading automated insights platform to continually validate your defenses. Better insights, better decisions, and real security outcomes. Get it all with Attack IQ. Plus, check out the Attack IQ Academy for free cybersecurity training, featuring the good people here at Hacker Valley Studio. Register today at Academy.AttackIQ.com, and let them know Hacker Valley Studio sent you.
It's all about the people and everything else will fall in place. I think you're absolutely right because when you get the right people in place, that's when people start building the right processes, you start bringing in the right technologies. But if you try to do it the other way, like you bring in the best technology and you have the best processes, but you don't have the right people, it's kind of for naught. You did all that work for almost nothing. But when it comes to looking for people with strength, looking for diversity of thought, what are some of your tenets for finding some of those folks?
That was actually a struggle for us early on because early on, people want to work with people who are just like them. So, they're really aggressive, they have common backgrounds, they maybe all played sports, whatever that might be. For me, what I found is, if you look at our clients, they're extremely diverse. We have people of color, we have females, we have people with big companies, small companies. So, to build a successful company, you need people that can empathize and understand and have different perspectives as your clients. So, one of the things that we did was do just that. We recruit from a diverse pool. So, for example, here in Atlanta, there's really great historically black colleges and universities. We make a conscious effort to recruit out of there. Our head of HR is a woman in technology here in Atlanta, we recruit off the big campuses here in Atlanta, UGA and Georgia Tech. We're really conscientious about finding people of diverse backgrounds, but even more importantly, or at least as important is diversity of thought, that's super important. That was kind of a blind spot for me walking in the door. I just, it wasn't on my radar that we needed to do that, but over time, it manifested itself that we needed leaders with different empathy levels, different backgrounds and experience, people who came from industry, people who are lifetime consultants, and I think that just builds a well-rounded team. So, I agree, very important for us.
Let's talk a little bit about that diversity of thought. Right before we hit record on this episode, we were talking about potential subjects that would be really fun to dig deeper in. We were speaking about crypto and many other things. Me and Chris are a huge fan of crypto, cryptocurrencies, NFTs. What areas are you digging deep into now? What is piquing your interest?
Okay, so, the crypto thing. I don't personally invest in crypto. What interests me is less the financials of it, I get why that's interesting, it's cool to watch the market swing and to be part of the game and I think all of that's important. There’re some guys on my team that are really into that aspect, and whenever I say that, they tell me all the reasons why I'm wrong about that way of thinking. But what interests me a lot about blockchain tech, crypto, decentralization, is that that opens the avenue and potentially solve some problems for some of our current problems we have today.
So, here's some of the problems that exist today. One, you think about things like social media, or cloud services, or anything that's a central hub for communication or technology. The downside of central hubs, like social media, Facebook or Twitter, whoever owns all that property is centralized, all of your data belongs to them. From a privacy perspective, you have to, for example, request your data to be deleted. You don't have a ton of control about how that data can be used, necessarily. You're relying on either them being ethical or regulatory enforcement for your data to be protected. If there's a data breach, all that data is exfiltrated, you just don't have a lot of control as a consumer.
Similarly, with cloud technology, or cloud platforms, everyone's on AWS, Azure, or GCP. If you're in the cloud, largely, those are the big providers. But if they go down, like we've seen AWS have a couple of hiccups. I remember Slack was down a while back, or some other service provider had issues, there's just a lot at stake and you're giving a lot of control over to those entities in a centralized format. That's not necessarily a problem, but it could be a problem. What is interesting is that decentralized technology is presenting an avenue to solve some of those issues. So, for example, if you think about social media, for example, there are currently technologies in place for decentralized social media. So, there's something called Mastodon, where you can spin up your own instance of a social media site, and you can federate to others. Theoretically, every company or even every person could have their own social media site where they control all of their data, and then they federate to anybody they want to talk to. So, that model gives the individual a lot of power in terms of how they want their data used, and if they want to retract that data from the masses. There's also decentralized data center services, there's a company called Protocol Labs that allows you to give up some of your local compute resources on your laptop and they accept you because you can mine some of their coin, but they've essentially created a decentralized version of cloud data storage. That solves a lot of problems in terms of computing power, available resources, that kind of thing. So, that stuff excites me, I see people coming up with new and innovative ways to use decentralized technology, blockchain, and crypto, and I think that's going to have big impacts to the security and privacy world.
So, when you think about things like web3, and the role that different technologies are going to play in the future, even in cybersecurity, what are some of the things that you are excited about when it comes to this technology? We obviously know there's decentralized, but are you already thinking about applications? Is there a play for your company to do something in that arena?
Possibly. We already do pen tests and security assessments for decentralized or crypto-based companies. A lot of the pillars of information and security are not that different when it comes to helping those companies become secure, but there is some interesting cutting-edge tech. For example, cryptography, some of that, you're seeing some companies come up with some innovative ways to use cryptography. One of the more interesting things that I've seen a company using, this doesn't have mass adoption, but I've seen them use crypto and blockchain for identity and access management, where basically instead of logging into a server based on certain credentials, you could use blockchain and crypto to log in and bulletproof your access. I've seen some of that. So, I think a lot of things when it comes to identity, maybe cryptography, probably access, the way data is accessed and where, we might see some evolutions of security there. But I think we're pretty early in this journey, so I can't even dream of how else people might be using crypto to do that.
I got to ask, as a founder and CEO of your cybersecurity company, are you able to get your hands dirty? That's been one of my things, as a practitioner, a technologist, is having my hands on the tech. I feel like sometimes it's hard to do that as a CEO, or a Founder. Where are you at with that today?
I'm losing it, that's for sure. Definitely not as hands on as I used to be. There was a time where I did a huge chunk of the security assessments, I was on walkthroughs with clients, I was doing the assessment work myself, but that quickly evolved. I'm definitely more company building now, more client relationship, but what that does afford me the opportunity to do is to think more macro. So, for example, at risk3sixty, we use this platform, it's a platform that we have built in house to do all of our security assessment work. So, one of the things I have access to is all the security assessment findings that we've ever put in the platform. Every year, I'm working on this right now so it's top of mind, I'll do a dump of all the assessment results that we have done, categorize them, and I can look at themes. At this point, we've done over 1000 assessments, so that's really interesting. I can see, "Alright, what's the trajectory?" Is this year's data different from last year's data? Are there themes? Is there something different from a first-year company versus a three-year company? Are there some new phenomena that's happening that's presenting a risk to organizations? I can start thinking about thematic type stuff. What's the direction the industry is going? Is it the same security hygiene type stuff? The other thing I get to do is talk to a lot of security executives. So, I get to hear directly from them: What challenges are they having? What's their plan to mature the security organization? And also, where does security fit in in terms of overall business objective alignment? Why has the organization chosen to invest in cybersecurity, and what is it helping them do? So, some of those things are really cool. I get some of the why behind the what. So, although I'm a little more hands off, some of that macro stuff is equally interesting to me and is like flexing a new muscle.
What were some of the biggest learnings from a macro perspective that you've been able to glean? What is a really interesting trend that you're like, "Wow, I really didn't expect that one?"
Huh, this probably isn't surprising, but the number one finding for the last couple years, the thing that really drives a security program has been leadership and governance. That's totally the non-tech thing, it's not sexy. But what we have found, the number one trend is if an organization has a really good leader at the helm, we call it a security team operating system, meaning that they have a system in place to manage their security team that looks like mission, core values, meeting cadences, KPIs, goals score carding, there's a few things they have in place. They run a really tight ship. That is pretty much the number one thing that predicts security team success for that organization. So, it's kind of interesting, you can walk into an organization and if they don't have a leader at the helm, they don't have a security team operating system, they're a little bit dysfunctional, I kind of know already that I'm going to see some problems in there. But if I walk into an organization, and they really have a tight ship, it's a strong culture with a great leader at the helm, I can predict that they're probably going to have a tight ship, no matter what tech stack they're in, no matter what industry. After I saw that, I was like, "Yeah, that makes sense." You know, you have good people, they're gonna have a good program. But seeing it in the data, see our assessors go in, time after time, note those findings and look at the overall state of the program, the objectives they achieve or didn't achieve, and it comes down to people. It just reinforces that people thing we were talking about before. But you can pretty much, like clockwork, predict the success of an organization's security program based on their leadership and governance structure and how well that team is operating. I found that pretty reaffirming, but also interesting.
What are some of those leadership perspectives that folks should be thinking about? What are the most important characteristics that you're finding for folks that are leading really healthy teams?
Yep. I use the word security team operating system. So, that's something when we come in, we're helping build out a security program, it's a set of non-technical things we do to help put in a really effective team in place. You can read all the security certifications, you can read anything and one thing that is missing from the body of knowledge of information security, is how a leader is supposed to lead a team. What do you do when you walk into a team? What are your meeting cadences? Do you do one-on-ones? Do you meet weekly? Do you meet quarterly? Do you meet monthly? How do you do goal setting and score carding? How do you hire people? How do you put together security team budget?
So, what we did is we said, "Alright, what does a great team do?" We chalked it up to five things. Number one thing that a great team does is they define a purpose and a mission. That sounds very philosophical and soft and mushy, but if you look at all the great security teams that we've worked on, any that I've researched, they have set a mission for that team that they can go after. That's usually aligned with a business objective, it might be about protecting data, it might be about customer trust, whatever it is that makes sense for that business, they've set a mission that that team can rally around. The second thing that they have done is they've established a set of core values. Typically, the core values either aligned to the company, or they've made up their own core values as a subculture at the security team. That's important because it sets the tone. It tells them what's acceptable behavior as a security team, and what standard are we going to hold ourselves to.
The next thing they do is a great set of meeting cadences. So, that might be weekly one-on-ones, they have a weekly team meeting. Maybe they're doing quarterly information or risk council meetings, annual strategy meetings, whatever that is, they have a meeting cadence that becomes the pulse of that business. The last thing they do is they're really good at setting goals, KPIs, and score carding. What do you want to accomplish? When do you want to accomplish it? How do we know that we've succeeded? Some really good ones I've seen have somewhat gamified that, where quarterly objectives are attached to bonuses, or a score boarding, or going to a special event. That is an ecosystem that is not at all something that would be taught to you from a professional or technical perspective that I've realized is absolutely essential for any really strong team to operate. So, when we walk into an organization, and we try to help them build something out, yes, we care about all the foundational security principles, but some of that secret sauce is helping them build a really well-oiled team in the context of security and I think that's been very effective.
Outstanding, I think you ran the gamut just now. That was really, really enlightening for a lot of leaders out there to really understand: How do I be as impactful as possible? Whether you're talking about someone that's a mid-line manager, leading a function, or someone who is leading an entire security program. There's somebody that's listening, and they're like, "Wow, this is really, really insightful, really helpful for me," and you have a captive audience, what is that thing that you would love to just double click on that would be really impactful for everyone out there?
When building teams, one of the things we try to do at risk3sixty, we produce a huge amount of free thought leadership. So, if people are looking for other resources, things to think about to help build out this stuff, the security team operating system that I just laid out, you can go to YouTube, look up risk3sixty. I literally have a whole video where we lay out all of this stuff. We also have white papers on that same stuff. So, if people want to know how to do this, the tactics behind doing that, it's absolutely free. You can go to risk3sixty's website, check out our resources, or go to our YouTube videos, we put all this content out for free. It's just a way we try to give back and hopefully encourage people to build out a program kind of like what I'm talking about.
Outstanding. Thanks for taking the time out of your busy schedule, Christian, to hop on the mics with us. For the folks that want to stay up to date with you and all the incredible things you're doing in cybersecurity, what are the best ways for people to do that?
Yep, you can check me out on LinkedIn. I'm pretty active there. Just look up Christian Hyatt on LinkedIn, connect with me or follow me, or you can check us out at risk3sixty.com.
Yes, check out Christian, stay up to date. We've dropped your website and social in the show notes for everyone to stay up to date with you. Christian, we really appreciate the time. With that, we'll see everybody next time.
Thanks so much.
If you found value in this content, it would mean the world to us if you shared it on social media, sent it to a friend, or talked about it over coffee.