Spotlight On: Matt Donato, Partner, Echelon Risk + Cyber
Key points:
• Echelon Risk + Cyber is scaling managed security services to support continuous, long-term client engagement.
• Charlotte’s growth, connectivity, and diverse business base make it a strategic hub for cybersecurity and risk services.
• Rising AI use, regulatory complexity, and third-party risk are driving sustained demand for integrated security solutions.
January 2026 — Invest: sat down with Matt Donato, partner at Echelon Risk + Cyber, to discuss how the firm is scaling managed security services, adapting to rapidly evolving regulatory expectations, and investing in talent to support long-term growth. “There are a lot of cybersecurity firms out there, so staying relevant means constantly investing in talent, capabilities, and relationships,” Donato said.
What were some of Echelon’s most defining achievements over the past year, and how are they positioning the firm for the next stage of growth?
We experienced accelerated growth, especially in the second half of 2025, and much of that was driven by how we evolved our service model. At a high level, Echelon Risk + Cyber is a cybersecurity and risk management professional services firm. We provide strategic and tactical advisory services, consulting, and managed services.
Historically, many organizations came to us for point-in-time engagements. They wanted to assess risk, test controls, or understand gaps. What we started seeing more frequently was those same organizations coming back and asking us to stay with them. They wanted ongoing support as they grew, went through acquisitions or divestitures, or continued expanding their digital footprint.
In response, we strategically invested in talent and technology to create a scalable managed services platform. Today, our business is evenly divided between advisory work and managed security services—an evolution that enables continuous engagement and stronger, longer-term client partnerships. We also nearly doubled our headcount over the past year, with a strong focus on talent acquisition and development. We’ve grown our footprint along the East Coast and continue to expand our talent presence in Mexico while serving clients across North America. As our organization has matured, the strength of our relationships has driven increased referrals and word-of-mouth, alongside a significantly enhanced go-to-market strategy and the development of strong, trusted channel partnerships.
At the core of all of this is the reality that technology is no longer just a support function. It’s central to how businesses operate, compete, and scale. That reality expands risk, increases regulatory complexity, and makes cybersecurity and risk management ongoing business priorities.
How has Charlotte become such an important hub for the firm, and what makes it an ideal location for your work?
Charlotte has been a great market for us for several reasons. It’s one of the fastest-growing cities in the country, and while it’s historically known for banking, we’ve seen meaningful diversification across industries.
We’ve served more than 60 industries since the firm was founded, and work with more than 350 clients across 50 industries. About 35 percent of those clients are located in Charlotte or the surrounding region, which I’d define as roughly a 45-mile radius.
What’s interesting about Charlotte is that even with its growth, the executive community, especially in technology, cybersecurity, risk, and finance, is still connected. People tend to know someone who knows someone. When you deliver consistent, high-quality work, that reputation travels quickly.
Infrastructure matters, too. I travel frequently, and Charlotte’s airport connectivity makes it easy to serve clients across the country and North America. You can get almost anywhere directly, which is a real advantage.
More broadly, where there’s growth, there’s risk. As Charlotte continues to attract capital, expand logistics and supply chain activity, and grow its population, organizations face more exposure, more third-party dependencies, and greater complexity. That creates sustained demand for the kind of work we do.
Cybersecurity services can feel commoditized. What differentiates Echelon’s approach?
The secret sauce for us is never resting on our laurels. We have a culture centered on continuous improvement and thought leadership. There are a lot of cybersecurity firms out there, so staying relevant means constantly investing in talent, capabilities, and relationships.
We spend a lot of time tracking changes in regulation, privacy, and compliance across a multitude of industries. Those requirements are no longer limited to traditionally regulated industries. Privately held companies are increasingly affected, whether through supply-chain requirements, customer expectations, or global competition.
We’re also intentional about how and where we show up. We publish regularly, speak at conferences, and maintain a presence not only at cybersecurity events, but also at industry-specific conferences in healthcare, financial services, retail, senior living, education, and more. That helps us understand the business context our clients are operating in.
At the end of the day, differentiation comes down to combining technical expertise, professional maturity, and business understanding. Our teams need to know their craft, communicate it clearly, and apply it in ways that align with how organizations actually operate.
What regulatory or risk trends should business leaders be paying closest attention to?
AI is obviously top of mind. It brings tremendous opportunity in terms of efficiency, automation, and enablement, but it also introduces new risks internally and externally. Threat actors are using AI to scale attacks, and organizations need to understand how AI affects data, privacy, and governance.
We’re also seeing continued expansion in regulatory expectations, especially around accountability and third-party risk. If one of your vendors or platforms is compromised, that can quickly become a gateway into your environment.
Security must be built by design, and it has to be aligned with an evolving regulatory landscape.
That mindset shift is critical. Security can’t be bolted on after decisions are made. It has to be integrated into how organizations build systems, select vendors, and operate day to day.
How are you investing in talent to support growth while maintaining service quality?
Talent is the most important long-term investment we make. We reinvest a significant portion of our earnings into training, leadership development, and professional growth.
In consulting, technical skills alone aren’t enough. Our teams need to be emotionally intelligent, client-ready, and able to translate complex issues into business decisions. That combination is difficult to develop, but it’s essential.
We also organize our teams around sector expertise, which allows our people to pair cybersecurity depth with real industry understanding. Being present at industry conferences and engaging in thought leadership helps our teams stay connected to how risk and regulation are evolving across different sectors.
What are your top priorities for 2026, and how do you view the year ahead?
2026 is about leveling up across culture, capability, and profitability. As we compete more directly with larger firms, we’re being intentional about scaling culture in a remote environment. That means creating more opportunities for connection and engagement, including leveraging co-working spaces and spending more time with both employees and clients. We’re tripling down, not doubling down; we’re tripling down in culture.
At the same time, profitability matters. You can invest in people, maintain a strong culture, and run a profitable business if everyone understands how the business works and why their role matters.
From a capability standpoint, we’re investing further in AI-related services and building proficiency around CMMC compliance for organizations tied to the defense industrial base. We want to stay ahead of demand, not react to it.
Overall, the year ahead is about disciplined growth, deeper expertise, and continuing to support clients as their risk environments become more complex.