242: Bringing Cybersecurity Awareness Beyond a Single Month with NMG’s VP of Technology Bryan Aller

Written by Rob Stott



November 12, 2024

October is annually recognized as Cybersecurity Awareness Month – a time to check in on your personal and professional digital health and get educated on the measures you can take to protect yourself and your business from a potential cyberattack. But it’s a topic that’s incredibly worthy of discussion no matter what month the calendar says it is, and that’s exactly why we sat down with NMG’s VP of IT & Technology Bryan Aller outside of October to talk about cybersecurity.


 

Rob Stott: We are back on the Independent Thinking podcast, and I felt the need to dress appropriately when we’re talking about cyber security. Now, I’m not in my mom’s basement, but I am in an office that’s in my house, and I have a hoodie on. NMG branded, even, Mr. Aller. Mr. Bryan Aller, our VP of IT and technology here at Nationwide Marketing Group. We’re talking cyber security, man. How’s it going?

Bryan Aller: It is going all right. I got to get me one of those NMG hoodies.

Rob Stott: Yeah, right? It feels like if we’re going to be talking about this, I should have it up. I thought about drawing the shades a little bit, if you’re watching the video. I don’t know, really get in the mood to talk about cyber security. But I held back… I got into the role, but I held back a little bit here. But no, we appreciate you taking the time and diving into a topic that I know… We’re just coming off of October, which is Cyber Security Awareness Month, but we did this purposefully. We waited to talk about it until November because, truthfully, it’s a conversation that needs to happen throughout the year, and I think you’d agree with that.

Bryan Aller: Absolutely, yes.

Rob Stott: So for those listening, tell us about yourself, your background, and your path to NMG, and then we’ll get into your role here.

Bryan Aller: Yeah, absolutely. So I’ve been at NMG now since February of this year. I’m serving as the VP of IT and development. Prior to this, I was at Comcast as a director of software engineering. I was overseeing big data platforms that were used across the enterprise with 10,000-plus users, which was pretty exciting. Spent almost 20 years at Comcast. And my background has spanned a variety of different departments.

So I started in ops and then I did some work with building out tools and developing tools, and then managing people developing tools. Then when I saw the potential for what you could do with data collected in those tools, it kind of took me on this path to building out platforms. Initially, platforms around data, and then later, managing the platforms themselves. And then, I guess the next logical step for me after having spent almost 20 years across all of these different lines of business is to kind of take it to the next level up.

And having worked in each of these functional areas, the opportunity to come work for NMG was pretty exciting because I was able to look at a portfolio of applications, of data, of exciting new technologies, and I could tinker with, and be creative, and drive innovation across each of these different areas in which I had worked individually. This is kind of that culminating moment where I’m bringing it all together, into one place.

Rob Stott: Yeah. Well, I feel like the Philly guy in me has to make the joke. So Comcast is more than just TV and Xfinity, as people realize, right? So it’s cool to be able to… For those in the area… And I know you’re not anymore. You’re out in Colorado? Is that right? Denver, out that way?

Bryan Aller: Yeah. I moved to Colorado in 2016 to build out a big data team here.

Rob Stott: Yeah. So I mean, if you’re listening to this, you can’t get mad at Bryan if you’re not happy with your cable or anything like that. It’s just well beyond that. He’s also part of our team now. But truthfully, it’s exciting because we talk a lot about data here and the possibilities of leveraging the data in a retailer’s business. So to see… You’re at the forefront of that, being able to play around with and, in your words, tinker with.

So what’s it about… And you can kind of tell already in how you answered that. What’s it about this space that gets you excited about being able to do that? Whether it’s the act of actually being able to dig in deep, you’re getting your hands dirty with the data, or even more broadly, more generically about the strategy around it. Or is it all of it?

Bryan Aller: It’s a little bit of everything, and I think, in a lot of respects, it kind of ties back into a worldview and a set of life interests. So prior to getting into technology, and I’d been living in Philadelphia, and I had enrolled at Drexel University for my degree program, but I had a hard time trying to decide which way I wanted to go. Because I initially thought I was going to do biomedical engineering. It was going to be at the forefront of hardcore technology, and I could do that biology aspect that interested me, and I could go build some solutions and work in the medical field. But I didn’t have certain prerequisites for school.

And I knew that being in environmental science and working with the ecosystem outdoors was something I love, but it wasn’t going to pay well enough. Doing graphic design and digital media was something I was interested in, but I wasn’t sure if I was good enough. And I found my way into information systems as a program. It seemed like a nice mix of all of those worlds.

I could bring the linguistic piece in as programming languages, and I could bring in that ecosystem mindset into systems thinking and looking at how systems tie together. And then the creative aspect is the software development, because we’re building new things and solving for challenges every day. So it was kind of a sweet spot. And then, going to Drexel, have an internship program, and the ability to then go work out in the industry and try to apply these skills really just, I think, kind of sealed the deal for me.

Rob Stott: Yeah. Well, it’s the thing too about building systems for a very digital forward world these days. So I mean, it’s a space that is going to continue to evolve. We hear a lot about it. It’s impacting… I mean, obviously, right? You go from a Comcast to a Nationwide, very different industries as far as the types of tools and applications you’re able to build. People hear these terms, the digital… Digital is a big part of the conversation today at Nationwide and talking about data. I think there’s a lot of, I don’t want to call it apprehension, but maybe uneasiness because of what the thing we’re talking about today, right? Cyber security.

And when you talk about these digital tools, and you think about the retailers out there that it almost feels like it’s out of their grasp, the security around it or the ability to open themselves up to some bad actors out there that may be coming for data in some way. It’s something that they haven’t really, I don’t want to say 100% bought into yet, but it’s just that shaky ground right now. So what’s the approach there for you, as far as whether it’s explaining the space and helping them understand it or just get a better grasp of what they’re doing around it?

Bryan Aller: Yeah. And it can be tough too, because not only does it appear to be daunting, but looking for answers on the World Wide Web can yield hundreds if not thousands or billions, millions of results. And you find yourself trying to figure out, where do I begin, that this is… It’s such a huge concept. It’s not as straightforward as saying, “Hey, I lock my door at the end of the day when I go home and I leave my business behind.”

So I think one of the biggest things to start with when you’re trying to generate some sort of buy-in or get someone on board with cyber security as a vision is to quantify it for them. Sit down with them, personalize a little bit of that messaging, understand how they do business, and say, “You have a point-of-sale system. Here’s how your point-of-sale system could be exposed. Just like you lock your door at the end of the day, are you locking your computer so that it’s password protected when you walk away and someone else can’t walk up to it and do something on that machine?”

Normally, the risks alone would be enough to motivate someone to want to buy in. But oftentimes, small, medium-sized businesses are running on a tight budget, and so it’s not the first thing that comes to mind. Oftentimes they will try to avoid it until maybe it becomes a bigger problem and there’s some sort of a serious issue. That starts to be a little bit too late in the game.

So there’s a bunch of different ways in which you can make this a little bit fun, even. If you can sit down and quantify the state of the business and look at things from end to end, it’s almost like going to the doctor for a health check. You know he’s going to tell you that you’ve got to exercise, and eat right, and be healthy. If you can take that same practicality and sit down with cyber security and say, “I’m going to keep my software up to date, and I’m going to update my passwords,” and you can put together what looks like a health check or checklist.

You can make it easier, demystify some of that vagueness, the ambiguity, make it very concrete, and start to foster a mindset. And I think that fostering the mindset and creating this tangible list of things to look at is the first step towards getting buy-in. Because now you’ve taken something from being this problem that was difficult to address into a problem that’s been quantified, and now I can gauge that logical part of my brain. The fear center has been turned off. Now I can start thinking about how am I going to solve for these challenges?

Rob Stott: Right. Well, what’s unique too, right, I mentioned your title, VP of technology and IT. Cybersecurity is just a part of that, right? It’s just a segment of your attention? Or is that an assumption on my end? Is cybersecurity something you’re aware of every day?

Bryan Aller: It is. It didn’t used to be. And I’ll say that the industry has changed a lot in the last 20 years. So when I first started working in IT, a lot of times the focus was on putting antivirus on your computer, making sure you’re scanning everything for viruses, and then putting firewalls in place so hackers couldn’t get through on the network. Since then, there’s been, I think, an evolution and a lot of learning in the industry the hard way. Because that approach was very much a bolt on after the fact. We treated security as just another feature.

And in the last probably five to seven years, the game has changed. So there is an increase in cyber attacks, there’s an increase in volume of cyber attacks, there’s much more payout for the black market for data, and the attacks have gotten more complicated with solutions that are provided by AI. So we do AI and machine learning. And it’s not just for the good guys, the bad guys use it too. So I think the challenge now is that you have to think about security in every design.

And overseeing both IT and development, I’m looking at security from what happens in our data centers, to what happens in the cloud, to what we’re building in our applications, to how we’re moving data between applications, and then ultimately looking at folks on their desktop computer. Like you’re on a company computer right now, there’s people in the office on a company computer. The communications in between, the security of your machine. So it has to be a part of every facet. Because it’s like medieval warfare. The hackers are going to look for the chink in the armor. They’re going to look for that one notch, that one area that’s not protected, and they’re going to use that as a way to get in. So it doesn’t matter how they get in, as long as they have a door.

Rob Stott: Right. Well, and what’s crazy too, I know you and I both have talked about some of the events or education around the space. And of course, the facts that are out there that are myriad that we’ve covered on the Independent Thinking blog or through NLAs like your own at Primetime, that you’ve presented, those chinks in the armor, more often than not, they’re the humans behind the machines is what we’re learning.

You don’t want to admit it, you hate to have to admit it, but I mean, the systems are what… Let’s be real. Hackers, if they want to find a way to get around some sort of system or software, they more likely can or will, but it’s the path of least resistance. And more often than not, it’s those human error instances that result in a company’s information, from as small as an independent retailer up to some of the largest companies in the world, that find themselves at fault.

Bryan Aller: Yeah, yeah.

Rob Stott: It’s crazy, man. And that goes back to the buy-in point of getting… It’s your focus in your day-to-day around cyber security and making sure that the company’s safe. But to the point of getting that buy-in and making sure people are aware, you do some pretty cool things here at Nationwide that I think a retailer could learn from in terms of how they get the staff on board. And you talked a little bit about it before, but I mean, something even as simple as just a town hall. I think as we’re sitting here today, we’re recording, I don’t know if you plan to talk about cyber security at all today or if you’ve got a minute yet. See, there you go. So let’s talk about some of those things and just the mindset of, from your seat, that recurring just constantly bringing it up and having it be part of the conversation.

Bryan Aller: Yeah, and I think that’s a key part of really fostering a mindset and a culture that is secure. It doesn’t matter how technically savvy your business is or how complex your solutions are. At the end of the day, you want to make sure that if you’re working with something that’s sensitive like customer information, or financial information, or healthcare information… And that spans multiple industries. The feedback I’m about to share isn’t specific to even what we’re doing here, but it is a good set of, I guess, credo or principles to live by.

Anytime that you’re looking at something sensitive, make sure it’s a part of the conversation. And anytime that you have an opportunity, especially when you’re looking to shift that culture, you don’t want to miss the opportunity to get the message out there. And so for me, this means that when we have our town hall meetings, like we’re doing later today, I have two slides in there, it’s not much, but it covers two very important points.

One, it’s going to be a reminder of something practical that we can do every day around phishing. Since emails are the largest vector, still, even today, even though we have all these fancy new technologies, email still remains the largest vector for getting things into the organization, good or bad. And the second thing I’m going to share is actually, I think, a really important strategy for being able to drive adoption, which is celebrating the wins.

Because we’ve taken something that’s super complex, and we have a very talented set of engineers and technologists who are working on solving for those problems. Oftentimes when we look at IT or engineering, our focus is on trying to solve problems, and so we’re constantly focused on the negative. It’s a challenge to take a step back and look at the positive. And so, that second slide today is going to focus on some of the wins that we’ve had here internally and to look at some of the quantifying metrics and KPIs behind where we have moved the needle.

Because that second piece, after you’ve demystified that concept of cybersecurity, is showing that you can in fact make a huge difference in the overall company stance, and that that is something that’s measurable, it’s work that you can show. And when folks are able to see the metrics, they can get behind the story. They can get behind the narrative, they can support you, they can help push those metrics in the right direction.

Rob Stott: Go ahead. So that’s the point, too. Back to the human error aspect, humans may be one of the most common reasons why a cyber event happens. On the other side of it, and it’s one of the greatest things I ever heard in this space and to the point of getting buy-in, an event from a partner of ours, TeleSystem… First of all, I don’t know if an IT thing in the IT space, but everyone making it almost like comedy for the rest of the company. You got to make it funny. And that’s how it becomes memorable. I mean, you do a great job of it when you present and things like that. But just they have an event called Hackers Suck, and #HackersSuck. It’s incredible, it’s funny, and it’s memorable, and it works. And that’s another just, I guess, side-bit tactic you can take.

But one of the keynoters that they had was, at one of the recent events, talked about how you have to make it personal. So when I’m sitting here, you mentioned it, in front of a company computer, and not something that… And this is not me telling the IT person here that… I don’t treat it this way. But when you think about a company computer, most people don’t think about it like their personal device. They think about it as, “Oh, it’s the company’s. Whatever.”

But when you make it personal and you position the things that can happen or put yourself in the shoes of the company, would you treat your information this way? Would you treat your technology this way? Would you treat your sensitive materials this way? No would be the reasonable answer that you’d likely hear from an individual. But it’s that human connection, I think, that everyone can get behind. And if there’s anything anyone gets out of this today, is that hope that you’re able to do that and go down that path of making cybersecurity something that resonates on a personal level with your employees. Because I think that’s your easiest path to buy-in for sure.

Some awesome stuff there. And I know we got a little bit more to dive into. One thing I wanted to ask, because I mean, you’ve been in this space, you mentioned it, two decades plus, I’m sure you’ve seen some crazy things out there. Is there anything memorable from a cybersecurity standpoint that… And this is, let’s be clear, upfront, and let everyone know, we’re not going to put people, company, individuals, yourself even on blast. But is there anything that stands out when you think of, just I can’t believe that that happened?

Bryan Aller: I’ve got a handful of things that do stand out over the years. Not all of them are as crazy as you might think, but some of them will make you scratch your head a little bit. So the first one that comes to mind, I had some very old 386 machines back in the early ’90s, still running Windows 95, to date it. And we had software that was loaded on floppy disks, and zip drives, and things of that nature. And what was interesting is there are viruses that would pop up all the time, and things were pretty early on, so folks were experimenting a bit. Not all the viruses were successful.

But the antivirus would be run on the shared computer at home very frequently. And there’s a virus that managed to escape detection for almost 10 years. And it wasn’t until about the early to mid-2000s that an antivirus update was pushed. It ran against a directory of just archived files that had been sitting on the computer we hadn’t touched in a long time, and it flagged a virus that had never made it anywhere.

It was a worm. It wasn’t particularly well-written. And so, just, I guess the reason it sticks out in my mind is to say that sometimes there are viruses or things that are latent there. Just like in the human body, if you get chicken pox, that virus is there with you forever. All the commercials on TV saying that when you’re in your 50s or 60s, you might get shingles. The virus is-

Rob Stott: Terry Bradshaw, man. I can’t get them out of my head.

Bryan Aller: Yeah. That same thing happens with computers too. There may be things that are already there. And so keeping your software up to date, it goes a long way to solving for things like that. Another one, and this is a personal anecdote, and there are folks from my college days that will remember this, I used to make a game out of guessing passwords. And for a while, I was pretty good at it.

And things have changed a lot since then. But I was able to guess the password of a friend of mine who left his computer unattended, and I got into the computer, and thankfully, being the nice guy that I am, I didn’t do anything nefarious, but I did change his password. I reversed all the characters and made it the same password, but backwards. And we got a good laugh out of it, but there was a lot of frustration that came with that too.

Rob Stott: Well, it just goes to show how easy it can be, right? You don’t know. And luckily you’re like the white knight, right? Out there doing things like Robin Hood of cybersecurity over here.

Bryan Aller: Yeah. Yeah. And part of it’s to teach a lesson, which is don’t use a really easy-to-guess password. Because there are folks like me out there that will do this, but there’s different levels of hackers. You’ve got your white hat hackers that are doing it from an ethical perspective. You have your black hat hackers, which are trying to break things. And you’ve got your gray hat hackers that are in between, and morality may be a question. So simple things that you could do.

But I’d say the more interesting use cases happen at a very large scale. And I have a lot of friends that work in the industry. I have a lot of interesting conversations over dinner, behind closed doors, under a veil of confidence. So without putting out names or specifics, there have been cases where, especially with cloud infrastructure and a lot of moving parts, where companies that I’ve worked with would attempt to build a platform very quickly, and in order to move fast, use off-the-shelf software from different vendors. And the off-the-shelf software, all those independent moving parts were secure in their own right.

And so, imagine if you were trying to build a car really fast. Go online, order an engine, order some wheels, put a couple doors on it, put a steering wheel in, and a dashboard. So all those pieces could be manufactured by someone that you trust. But then when you go to actually put them together, is there a gap in the chassis? Is there a gap in the connection? And there were a couple cases that I’ve seen where, on live production systems that were handling very large amounts of sensitive information, there were cloud-based hackers that were able to get in in between those gaps in the systems, elevate their privileges, and then start exploring.

Rob Stott: Wow.

Bryan Aller: And thankfully, we had other tools in place that were able to very quickly detect the fact that there was an intrusion, see that the pattern of behavior didn’t match what it was supposed to for that user, and then be able to lock it down and change the credentials very quickly. But had we not jumped on that very quickly, there would’ve been potential for a data breach. Because those systems, when you have those privileges, they could start reaching out into a database, they could run a report, they could go and change someone’s details.

Rob Stott: That’s crazy.

Bryan Aller: And it’s amazing how often that happens. And this is a more general observation of just how crazy cybersecurity can be sometimes. You can set up a server on the internet, and within minutes, you would likely be under attack. Because there are millions and millions of bots, and networks, and different bad actor groups all attempting to scan the internet for vulnerabilities. So don’t put your servers online, don’t put your platforms online without some sort of protection in place, because it doesn’t take very long.

In fact, there are tests out there, and there’s actually another convention called DEFCON, which is very hacker-centric. It’s usually in Vegas. I’d recommend you leave any personal devices in your hotel safe before you go in because you’ll walk through the door, and within minutes, anything you’re carrying on you could potentially be scanned, wiped, hacked. It’s fast. And it’s a badge of pride for those folks because that’s what they do in the industry for a living.

Same thing happens on the World Wide Web. That part, to me, is just crazy that I could stand up a server, and host a website, and be getting tens of thousands of attacks every day. And so, for me, especially here at NMG, I’m overseeing multiple e-commerce platforms, including OneShop. That’s something that we have to take very seriously. Because when that cycle is online, it has to be secure from the moment that it goes live.

Rob Stott: The worst thing you can do is let your guard down. And I mean, to all the examples and points you make right there, it’s crazy. Long gone are the days… I think back to Oregon Trail days and what computer systems were like, and even to early internet eras, and your prince from the Middle East reaching out, trying to store his 300 million rupees in your account, just needs your social security number, if you don’t mind. Those still happen, don’t get me wrong. And they’re hilarious when they do. But it’s the laughable ones that it’s like, “Ha ha. Nice try.” But they’ve gotten better.

You mentioned AI, the improvements of all the different types of phishing that are out there, and the spear phishing and whatever, these very personalized and individualized attacks that come through email, text, phone call. They’re all… Not to put her on blast, but the wife, we had a phone call come through to her with someone pretending to be our bank and saying that they noticed some really weird charges, they had our address, and got to a point where they were trying to send us to a website to fill out information and file a report. It was complete… I was like, “Hang up now.”

Luckily, this was two weeks after I was at this hackers event, so I knew what to look… I was like, “That’s not real. They don’t ask for that. The banks don’t do this.” So they get legit and they look incredibly real and hard to tell the difference. And it’s just keeping yourself alert and looking out for just those minor inconsistencies. It could be just one letter misspelled in an email to tell the difference between what’s a legit email from your company’s CEO or not.

And I know there were some examples shared, again, just not to over-reference that event, but some video capabilities where people are using deep fake AI to do video calls that, the only way you can really tell is if you get that person or that image to stay on the screen longer than a few seconds because they only have so long that they’re able to truthfully look like a real video before they start looping or something like that. But it’s incredible the detail and just complexity of some of these attacks today. And I mean, it’s all just about being alert, and aware, and second guessing, and not assuming that everything’s right and real and whatnot out there. But again, just long story short, don’t let the guard down.

Bryan Aller: Yeah, yeah. Absolutely. Yeah. And that example of your wife getting phished for bank details is something that happens to corporations too. Simple thing that you could do is make sure you’ve got a callback procedure in place. So you get the call in, somebody’s asking for bank details, and whatever bank you’ve worked with, small businesses, establish something that says, “Hey, I’ll call back. I’ve got this special code, and we’ll know how to handle the wire transfer information securely.”

Rob Stott: Also, I think of, just recently, I think I shared my own experience on Teams that we have, where I had someone text me claiming to be our CEO and asking for something by my full name. And I was like, “Come on.” It was one of those obvious examples of it wasn’t real, but that’s what they’re doing. Just these bad actors out there texting you, looking for information, trying to set up a phone call, or just get something out of you. And it’s just, it’s crazy. And it’s non-stop.

But it also, again, to our point at the top, we’re talking in November. We’re publishing this in November. And it’s a conversation that can’t stick to just the 31 days of October. Cyber security is certainly a year-round conversation. And appreciate you taking the time to jump into it with us, man, because this was cool and one that I know you’ll have NLAs in the future, I’m sure, and we’ll have opportunities to continue to connect on this. And I look forward to every town hall, whatever you’re bringing to the table. Because it’s always fun and keeps it top of mind for us, and I hope top of mind for our members as well, as they listen to this. So Mr. Aller, it was a lot of fun, man.

Bryan Aller: Yeah, likewise. Yeah. Thanks for having me, Rob.
