Matt Donato, Partner, Echelon Risk + Cyber

In an interview with Invest:, Matt Donato, partner at Echelon Risk + Cyber, discussed the company’s significant milestones over the past year, including rapid growth, key partnerships, and innovative services that have made a substantial impact on its clients and the broader cybersecurity community.

What are some of the most significant milestones and achievements for your company over the last year?

Echelon is just shy of 4 years old, and we’ve been on a high growth trajectory over the last three years due to the increasing demand for help in cybersecurity and risk management. In terms of milestones, we’ve achieved several: We’ve hired a significant number of consultants, serviced numerous clients, and quantified the amount of money we’ve saved organizations by reducing their risk. This quantification is a big milestone for us because it shows our meaningful impact on these organizations. 

Additionally, we’ve launched new service lines and formed partnerships with large organizations like CrowdStrike and Teradata. These partnerships help co-brand and evangelize our capabilities and service catalog. We recently celebrated 30,000 followers for our Cyber Intelligence Weekly, a publication started by our CEO and founder, Dan Desko. It’s released every Sunday, providing concise, data-rich content during a time when people are likely to read it. We also partnered with the Detroit Pistons in the NBA to provide services in exchange for branding and marketing opportunities. We’ve been doing a lot of work with the NBA in general, which is helping us grow our presence in that community. These milestones reflect our growth and success in the industry.

What are the most pressing cybersecurity threats that businesses are facing today and how does Echelon stay ahead of these evolving threats?

This is a broad and important question, as many trends exist. Threat actors range from those with economic motives to nation-state adversaries disrupting operations or supply chains, with significant disruptions seen from China.

Our mission is to help businesses of all sizes mitigate risk and mature over time. We work proactively to prevent threat actors from penetrating organizations, stealing data, compromising operations, or disrupting supply chains.

We assess each client’s cybersecurity landscape, identify exposures, and reduce risk incrementally. Breaches and technology vulnerabilities are rampant, making it easier for threat actors to compromise businesses. Insider issues, like employees clicking on malicious links, are common and can lead to compromised emails, unauthorized payments, and other breaches.

Additionally, software vulnerabilities due to inadequate patching and weak business logic allow threat actors to gain access and potentially take control of operations. Losing control of their business can be devastating, which is why our proactive approach is critical.

What are some of your key priorities and goals regarding funding and investment over the next few years?

Our primary goal is to continue investing in small businesses, meeting the significant demand for capital from these enterprises. We aim to expand our investments across all 50 states; we’ve already invested in 42 states and recently closed our first deal in North Dakota. Achieving nationwide coverage would be a significant milestone. Another key priority is to recruit more banks as investors. When banks join our ecosystem, we can better help their customers solve financing needs. We want to continue growing our team and improving our strategy, focusing on providing both debt and equity products to small businesses.

Our mission is to bring essential capital to small businesses, which are the backbone of the U.S. economy, making up about 60% of it. Small businesses need capital to grow and advance to the next stages, eventually becoming larger enterprises. For instance, Amazon started as a small business and is now a $2 trillion market cap company. We want to continue playing our role in helping these companies grow, create jobs, support the economy, and remain competitive in their fields. Our focus will be on maintaining and enhancing this support for many years to come.

What methodologies do you use in tailored cybersecurity assessments to accurately identify an organization’s risks?

There are many ways to assess an organization, and the assessment’s orientation can vary, but generally, we aim to understand broader risks and identify specific gaps. We often start by determining if the business aligns with an industry best-practice framework, such as CIS or NIST CSF. These frameworks provide foundational baselines for mapping control environments, including systems, business controls, and processes. We assess the maturity of these elements, identify gaps, and map our findings against the selected framework.

Based on our analysis, we advise on specific gaps and provide recommendations to strengthen the organization’s resilience. We can focus on technical infrastructure, business processes, or people. Our goal is to clearly articulate the problems and gaps and then provide a detailed remediation plan. We go beyond merely identifying issues; we develop a course of action and an actionable plan, encouraging clients to implement our recommendations. Whether they do this independently or with our assistance depends on their industry and budget. Our methodology varies depending on the technical or non-technical focus, but the ultimate goal remains consistent: to enhance the organization’s security posture.

How can having diverse backgrounds and flexible thinking provide an advantage in addressing the ever-changing cybersecurity landscape?

Diversity in thought, background, gender, and nationality is crucial. As a remote-first company, we have team members across North America, in Guadalajara, Mexico, and beyond. We encourage people to work from anywhere, including digital nomads who travel the world while working. This culture fosters diverse thinking and exploration, which is vital for cybersecurity.

We focus on empowering our team to succeed personally and professionally. From a talent acquisition perspective, finding qualified cybersecurity talent is challenging, let alone ensuring diversity. We’ve created an inclusive environment where everyone feels empowered, secure, and able to contribute to the business’ direction.

In cybersecurity and broader technology sectors, many professionals have highly technical backgrounds. We aim to develop talent that is not only technically proficient but also has the business acumen to understand and address business risks across various industries. This requires a diverse approach to talent acquisition, ensuring we bring different perspectives and skill sets to our team. This diversity enhances our ability to tackle the dynamic challenges of cybersecurity.

How is Echelon innovating to address emerging cybersecurity challenges, and how do you share this knowledge with your teams and the broader cybersecurity community?

Our mission-led organization prioritizes impacting the business community and critical infrastructure companies. We believe cybersecurity and privacy are basic human rights, and we embody this mindset daily in our interactions with our team and clients. Innovation is crucial; we develop talent, new business methods, and ways to mitigate cybersecurity challenges. Staying on the bleeding edge is essential because threat actors, especially those economically motivated, move faster than businesses can respond.

We foster an environment where people are empowered to push the envelope and innovate. For example, AI is a significant focus for us. While it’s often overhyped, understanding AI governance and its implications for businesses and customers is critical. We encourage our team to explore new ideas by forming tiger teams and workshops to address emerging issues. We set the expectation from the interview stage that we value all ideas, large or small, and we support taking calculated risks.

What are your top priorities and goals for the next few years, and how do you see the industry’s future?

To date, we’ve serviced nearly 250 clients and aim to reach 1,000 in 10 years. We also plan to embed new practices, such as AI and operational technology (OT). For instance, the OT space includes energy grids, utilities, and oil and gas industries. The Colonial Pipeline breach highlighted the impact of cyberthreats on critical infrastructure, causing billions in losses and long-term disruptions. We aim to specialize deeply in these areas to provide robust solutions.

Continuing to grow our top line, retain talent, and develop internal promotion paths are key priorities. Last year, we converted five or six interns into full-time employees, all of whom have since been promoted. We engage with the academic community and support military transition programs like SkillBridge to build talent pipelines.

The cybersecurity industry is fast-paced and well-capitalized, but there’s room for improvement. Businesses often fail to fully engage their boards and investment communities on cybersecurity’s importance, impacting societal interactions and medical data. Effective cybersecurity should be seen as a value proposition rather than a cost center, offering meaningful ROI by reducing risk, improving customer security, and resonating within the community.