Michael Hammond, Principal & Owner, OCD Tech

Invest: sat down with Michael Hammond, principal and owner of OCD Tech, to discuss the company’s growth and achievements over the past year, covering cybersecurity trends, company expansion, regulatory compliance, and the challenges of attracting top talent in the rapidly evolving tech landscape.

What have been some of OCD Tech’s significant achievements and milestones to date?

OCD Tech — the name OCD came from CPA firm O’Connor and Drew. We started as an IT audit and security group within that firm about 13 years ago, in 2012. The CPA firm had been around for 75 years, but didn’t have any IT audit or security practices. I joined to establish that group. At the time, the firm had about 80 people, and over the next 10 years, we grew the IT audit and security group to about 100 people.

As we grew, the CPA firm noticed that most of our clients were different from their traditional accounting clients. Ours were primarily publicly traded companies, Department of Defense contractors, and other heavily regulated entities, while theirs weren’t. Because of this, we decided to split the IT audit and security group into its own separate entity, which became OCD Tech. I took over as managing partner of the new firm, building on everything we had developed over the prior decade.

About three years ago, we had a significant client ask if we could replicate what we did for them in the U.S., the U.K., and Mexico, using local resources, people, and currency. We opened an office in Mexico City and grew it to over 65 people in just two years. This expansion allowed us to service the entire hemisphere, with offices in both Boston and Mexico City. We also attracted U.S. clients interested in using nearshore resources in the same time zone without having to go to India or the Philippines, which allowed us to offer lower-cost solutions for certain services. 

Given the growing importance of cybersecurity and hybrid work solutions, how is OCD Tech adapting to support businesses in these areas?

For Department of Defense work, we only use U.S.-based resources, as that’s required. For other work, we decide based on where the best resources are available, whether in the U.S. or Mexico. A lot of my time is spent making sure our employees are prepared. I travel to Mexico City for one week every month to connect with the team. We also handle things like wet signatures down there since a lot of paperwork in Mexico still requires physical signatures, unlike in the U.S., where we can use digital signatures.

In both the U.S. and Mexico, my main focus is on ensuring our employees have the resources they need, whether it’s for technical support, resolving scheduling conflicts, or professional development. We do “Lunch and Learns,” where each employee gives a 15-minute presentation once a year. This helps them build presentation and public speaking skills, which are crucial since our work is client-facing.

How are you attracting and retaining top talent and ensuring your team stays updated on the latest cybersecurity trends?

For our internal team, training is key. I pay for every certification the team wants to pursue, provided they pass. This motivates them to continue learning. With IT security evolving so quickly, it’s important for our team to stay exposed to new technologies. Certifications aren’t everything, but they help ensure exposure to different areas.

When interviewing new candidates, I look beyond formal education. Cybersecurity graduates are common, but I want to know what hands-on experience they’ve had — whether through personal projects, capture-the-flag competitions, or contributions on platforms like GitHub. I also ask about their LinkedIn or Twitter profiles, where they might have shared their work. Practical experience is crucial since what’s taught in college often doesn’t keep up with the fast pace of change in cybersecurity.

Are you using AI or machine learning to help address emerging threats and create efficiencies for your team?

Yes, like many others, we’ve integrated AI into several areas. Our marketing team uses it to create materials, and we even used it to replace a time-entry system that was costing us over $30,000 a year by having ChatGPT help write a new one over a weekend. Internally, we use AI to streamline processes, but we’re cautious when it comes to client data. We don’t send any sensitive information to third-party systems like ChatGPT due to security concerns and the potential for AI to provide inaccurate results. Right now, we’re focusing on internal uses of AI, but we’re keeping an eye on how the technology evolves.

What are your thoughts on the future of cybersecurity, particularly for small and medium-sized businesses?

We still see the same basic security issues with small and medium businesses today that we saw 10 years ago — weak passwords, lack of multi-factor authentication, and failure to patch systems. Unfortunately, as attackers use AI to write malware and automate finding vulnerabilities, the pace of attacks is only going to increase. We expect more fully automated attacks in the near future, where malware can adapt and improve on its own without human intervention. This is why it’s so important for businesses, regardless of size, to address these vulnerabilities now. 

What are your top priorities for OCD Tech in the next two to three years?

Our top priority is preparing for new Department of Defense regulations. The U.S. government is cracking down on intellectual property theft, and soon all companies in the defense supply chain will need to comply with strict new cybersecurity regulations. We’re focused on training enough people to handle the audits these companies will require. It’s a major effort, but critical for our growth and national security.

Do you have any partnerships with educational institutions to help meet this growing need for talent?

We’re working with partners in the education sector to help train our staff. Some of these are accredited higher education institutions, while others are third-party companies. They all follow a standardized curriculum to ensure consistency in training. This allows us to ensure our team is fully prepared to conduct the audits required by these new regulations.