1. Page 1 of 10
Internal Use Only
How Dashboard Analytics Bolster
Security and Risk Management Across
IT Supply Chains
Transcript of a discussion on how Bruce Auto Group gained deep insights into their systems, apps, and data to
manage and reduce risks across their entire IT and services supply chain.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Bitdefender.
Dana Gardner: Welcome to the next edition of the BriefingsDirect podcast series. I’m Dana
Gardner, Principal Analyst at Interarbor Solutions, your host and moderator.
This security enhancement discussion examines how innovative managers are increasingly
benefiting from interactive dashboard analytics. The resulting actionable knowledge elevates
security situation awareness to the higher order value of overall business risk assessment and
mitigation.
Stay with us to learn how Bruce Auto Group has gained such deep insights -- not only into how
its distributed apps, systems, and data are secured, but also into the hidden risks that can
develop across entire IT and data services supply chains.
Here to share his story on how to elevate IT security to a
mission-critical value of comprehensive risk mitigation and
overall business resiliency is our guest, Paul Jobson, Director of
Marketing and IT Strategy at Bruce Auto Group in Wolfville,
Nova Scotia, Canada. Welcome, Paul.
Paul Jobson: Good morning, Dana. It’s very nice to be here.
Gardner: We’re delighted to have you with us. Tell us about
Bruce Auto Group and your role there.
Jobson: Like many auto dealerships, Bruce Auto Group started
off as a family-owned business. I bring that up because when
it’s a dealership of one store, IT security tends to be an
afterthought. But if we roll back the tapes to 15 years ago, we were lucky to have had someone
related to the family who took an interest in the IT and secured us before it was in vogue. It was
probably overkill at that time.
Like most automotive retailers, everyone has been going through consolidation. We began from
humble roots in 1927. Until the last decade or so, we were one or two stores. Now, we’ve
expanded to 10 dealerships, spread across close to 200 miles, with head office consolidation,
and, of course, a lot of remote workers. So, the IT security part has really gained prominence in
the past couple of years.
Gardner: Like most expanding organizations, it’s not only what goes on inside your business,
you need to also keep track of the many tendrils that extend out to your service providers. That
Jobson

2. Page 2 of 10
Internal Use Only
includes online interactions, as well as emails and communications. We’re all now part of a
complex, rich ecosystem, and risks sometimes pop up between the cracks among these
organizations.
Security details as diverse as each automaker, buyer
Jobson: Yes, and car dealerships are unique in the sense that although our businesses may
appear similar, each of the original equipment manufacturers (OEMs) – such as Hyundai, Ford,
GM -- they all have their own niches. They all have their own way of doing business. Of course,
our integrations with them are critical to the way we do business.
As a result, we don’t get to scale as easily as some other businesses do. It’s as if with each IT
solution, we start with customization and then find a way to make it more standardized across
the group.
Gardner: And, of course, the car business is really the transportation services business. So, the
way you communicate and gather financial data from your customers, not just your suppliers, is
essential. Therefore, you need to be especially secure and resilient. No one in the ecosystem
wants to think that communicating with their automotive transportation provider is a risk.
Jobson: That’s right. What we’ve learned is that security is synonymous with privacy. When
people apply for a car loan, they’re providing us critical information. There’s an ongoing
relationship because we continue to service these people. We want to do everything we can to
protect their information.
There’s a lot of hard work to do in the IT
world, but one of the nice synergies is
that by focusing on making us secure,
we actually help to make the client
secure as well. So, we really appreciate
the importance of that part.
Gardner: You are the digital man in the middle, right? You’re in between all of those suppliers
for parts, for OEM cars, and for financial services. You have a panoply of financial organizations
– from credit to insurance to government agencies -- and that all leads back to the customer and
their data.
By being in the digital middle, you’ve had to move beyond mere IT security and into risk
management.
Jobson: Well, that’s right. Keep in mind, too, that a lot of times your biggest risk is people. You
have a new employee, and it takes time to onboard and orient them. You must build systems
that consider where people are, and not put them at risk. We’re the first line of defense to make
sure we’re protecting both our security and the private information of our customers.
Gardner: That requires both education and awareness, which brings us back to the need for
visibility -- not just inside your own systems, but as far and wide as possible. How have you
developed such extended enterprise risk management (ERM)?
There’s a lot of hard work to do in the IT
world, but one of the nice synergies is that by
focusing on making us secure, we actually
help to make the client secure as well.

3. Page 3 of 10
Internal Use Only
Risk management at the root of protection
Jobson: That’s a great question, and it’s been really interesting. My background is in digital
marketing and enterprise software. Security has always been an aspect of that, so I’m
comfortable working with cloud applications and setting up service integrations. It’s second
nature. So, it became logical as we expanded that this would fall under my domain.
The challenge was, coming from a marketing background, we have a lot of people to help us
with security, but it’s more about putting together an operational plan. How do you put the day-
to-day activities all together? That was a challenge. We needed a way to communicate that to
the executive team.
To adopt such a risk management strategy, we worked with Bitdefender because we really liked
their people. On a quarterly basis, we’d get together, and they’d give us a rundown of what they
had been seeing in the field and across our businesses.
That’s how we came across their dashboard with the executive summary. The second I saw
that, I knew I had my tool to manage our day-to-day progress on securing the enterprise.
It’s funny, when you come from the outside, your first perception is it’s the people and the
passwords that are going to be the highest risks. And when you know your risks, you can
manage them. For us, the first ground zero for IT security was making sure we understood
these risks.
So, we put in endpoint security across the organization. We run about 300 desktops. Installing
that on every single one of them was a logistical feat. But everyone understood why, and we did
it. Once we did, we started to get all these signals back to our Bitdefender GravityZone
executive summary dashboard.
For the very first time we got a score. I wish I could say differently, but when we first got our
score, the risk was high. It indicated a high level of risk, and that made all of us very
uncomfortable. We immediately began to determine what our risks were. We found some real
surprises.
Our top category was misconfigurations, and
those misconfigurations could be anything from a
printer that has not been updated to a traditional
user of computer services. The first reflex is to
think about your laptops and desktops. You don’t
always think about the printers, but it’s a computer
in the same sense as your desktop endpoint is.
Once we began to understand the true risks, we looked at security very differently. We realized
that every connected device was potentially a risk that we needed to pay attention to. We liked
the Bitdefender dashboard because it told us where we were on a score of 100, and it broke
that down into three categories: misconfigurations, app vulnerabilities, and human risk.
We were quickly able to target the high-risk areas in each one of those categories. We put
weekly plans into place for the IT team to say, “Okay, this week we need to address this.” And it
The first reflex is to think about your
laptops and desktops. You don’t
always think about the printers, but
it’s a computer in the same sense
as your desktop endpoint is.

4. Page 4 of 10
Internal Use Only
was much more fun and so there was more engagement from the IT team because we were
proactively setting the agenda.
It wasn’t just the typical, general red flag alert: There’s something wrong with a computer. It
moved us from firefighting to fire prevention. And I have to tell you, we got hooked. That’s the
way my team wants to work. They can collaborate together. They’re excited to come back and
say, “We worked on 40 endpoints and got the risk from high to medium.” That’s instant reward
and you get gratitude for protecting the whole organization.
There wasn’t a measurable way to go back to the team and say, “You did well,” until we had this
dashboard. We all saw the risk score coming down in real-time, in front of our eyes, and it just
transformed the way that we work as a team.
Gardner: It gives you a whole new sense of knowledge about your situation, and to what
degree you can be in control over your destiny. But also having those scores gives you some
ammunition you can take to other people in terms of, “Here’s what we’re accomplishing. Here’s
why we can get cyber insurance if we want to. Here’s how we can increase the knowledge
across our workforce about how to be better prepared or to modify behaviors.”
It certainly sounds like you’ve crossed the Rubicon, if you will, of not being a deer the
headlights, unaware of what’s coming next, and instead being in charge of your destiny and
having the tools to further reduce risk.
Deal with risk consciously, competently, confidently
Jobson: That’s right. There’s a matrix where
you’re unconsciously unaware, and then you
get conscious on risks. I’d say we’re now
consciously competent. Although some days
we roll back, we’re more and more in the
consciously competent part. The IT team is
more comfortable approaching big tasks
because, again, we can be proactive. We’re ahead of the curve. We’re not waiting until there is
a situation. We’re dealing with it before it’s a problem.
For example, in just six months we have effectively accomplished an agenda that had hovered
around for three to four years. I attribute that to having a score. Anyone out there who’s
wondering what the first step is: First, I would say, is read the Cybersecurity Framework by
NIST. It’s an overwhelming document at first, but it’s an unbelievable document because it gives
you context. Once you’ve read through it, and then you match it up with a scorecard – such as
we’re getting right now with the Bitdfender executive summary -- you’re able to put a game plan
in place for everything you need to do.
Gardner: Let’s drill into the executive dashboard. While you’re getting a top-level view, because
there are agents and technologies to bring you all the information you need, you are able to drill
in and find out more information. But it doesn’t flood you like a fire hose with too much
information.
The IT team is more comfortable
approaching big tasks because …
we’re ahead of the curve. We’re not
waiting until there is a situation. We’re
dealing with it before it’s a problem.

5. Page 5 of 10
Internal Use Only
How confident are you that you’re attaining a comprehensive view when you drill into the level of
detail that’s possible?
Jobson: The dashboard and the sensors -- you could think of your whole network as sensors –
are giving us information much faster than we could realize from our own logs and audits. For
example, we have a Voice over Internet Protocol (VoIP) system that a threat recently emerged
in rather quickly. It was developing literally by the hour, and the dashboard was the first one to
bring it to our attention.
Incidentally, twice a day, I look at the IT news and it was only in the second half of the day that
this threat started to emerge in the news. But our GravityZone program served that up to us first
thing in the morning. We were already ahead of the threat. That allowed me to reach out to the
suppliers earlier. I wasn’t waiting in line saying, “Okay, what’s the best way?” We still needed to
function as a business. Right away we were able to mitigate the situation quickly. And to our
knowledge, we mitigated a rather large risk with very little disruption to our staff -- and more
importantly, no privacy breaches.
Gardner: With that sense of accomplishment, you’re able to reduce the overall stress on your IT
and security staff. That’s important these days because it’s hard to find and hold onto qualified
people. If you can give them an environment where they feel like they’re making a difference,
they have the tools to attack these problems early -- and do it so they’re not in a fire drill -- that
must make for a good labor environment.
Move beyond reacting to reassessing
Jobson: Yes, that’s a really good way to say it, Dana. When you’re reacting, you’re just
reacting. You haven’t had time to read through the different mitigations, the plans A and B. Now,
most of the time, we don’t have to react with intensity. We still need to act, but we have different
mitigations in place. The team can talk about what’s the best approach. We can do a store by
store and kind of learn from each store as we apply the process. We can do a quick follow-up
with the team and say, “Okay, great. What
problems did you encounter? Were there any
dependencies that were affected?” So, it’s the
way to go if you want to come out of this and be
able to go home and sleep well at night.
Gardner: Right. And it’s interesting, too, Paul, because you are not trained as an IT person, but
you’ve been able to get into this at a higher risk assessment and mitigation level. By having the
right technology, you have crossed a barrier from when only a techie could do this to now, when
somebody who can use the tools well is managing rather than struggling.
Jobson: One of the interesting side-effects of having a dashboard like this is you can focus on
the people element. At the end of the day, for me, I wish IT stood for innovation and team,
because we’re using the tools to help people be more productive. We’re assisting the team with
solutions that work for them and allow them to function better and better.
What’s nice about having a tool like this is that you’re actually able to share the information with
the users. Sometimes we’ve had to reach out to users and say, “You know what? Sorry to
A quick follow-up … it’s the way to go
if you want to come out of this and be
able to go home and sleep at night.

6. Page 6 of 10
Internal Use Only
interrupt you, but our system has flagged you. You have an app or configuration that’s been
flagged as high-risk. We need to deal with it immediately.”
By just seeing the words “high-risk,” our users deescalate. They do not wonder, “Okay, do you
need me to do this? Do you really need to touch my computer right now while I’m at work?”
They may be with a customer, but the second we see the dashboard alert and look at the
affected devices, we say, “Hey, sorry, but you’re one of them.” As we tighten our policies,
people are more understanding because we share the insights that we get from the security
system.
We can say, “Listen, it’s not that we want to block you on this photo app, or it’s not that we don’t
want you to be able to put your favorite picture on the desktop background. But there is a
greater agenda that we have, and these are some of the ways we’ve been told to mitigate it,”
whether it’s from signals from our security system or from looking to the NIST Cybersecurity
Framework.
Gardner: We would be remiss in talking about your security posture if we didn’t bring up email.
It is still one of the leading threat vectors -- after all these years. Tell us how you deal with email
security. I’m sure you have it coming in all different directions. Is there a way in which you’re
managing your email issues and leveraging this dashboard at the same time?
Successful email security system screens out spam
Jobson: Yes, email security is the single most important vector of any security program
because it’s where the rubber meets the road for most users. That’s where we get the most
outside influences.
We have a three-tiered approach to how we do things. First, we make sure to protect all the
endpoints. Second, we secure the network using an
XDR solution. But last, and we did it last because it’s
the most involved, we have an email security
process in place. And when I say it’s the most
involved, it’s because if you are truly trying to
achieve email security, you are going to put in rules
and guidelines that are going to be restrictive.
So, on a typical day, we probably quarantine about 800 emails that get reviewed quickly by the
IT team. They are assessed for their risk and then forwarded on. But what’s nice is we’re able to
quickly see patterns. We’re also able to call people and say, “What are you sending? You’re
sending an encrypted, password-protected thing. We have no idea what’s in there. Is there a
way we can make a change, or is there another way we can get the information, like can we get
it off a web link?”
We find a way to reduce the risk. And when we’re sharing with our suppliers, some are rigid.
They can’t make the changes, but we have had some that said there is another way to deliver
the service.
If you are truly trying to achieve
email security, you are going to
put in rules and guidelines that
are going to be restrictive.

7. Page 7 of 10
Internal Use Only
Combined, that all reduces the risk from email. But something else amazed us initially. When I
said we were quarantining about 800 a day, we get about 2,000 that are genuine spam. They’re
not all evil, if you will. Some of them are just people promoting themselves. But when you have
300 users a day using their computers, there will be risks in the spam. By putting in this frontline
of defense, we have not had any significant scares, and I attribute it to our processes.
The email security feature I like the most:
Every single link in an email, when it is
clicked, goes through a secure scanner first.
So, we don’t have to count on a person who’s
a day or two in who doesn’t know if they’re
receiving a legitimate link from one of the
manufacturers or not. The system has their
back on that. We’ll scan it for them.
And we do get some angry calls every now and then from someone saying, “I was trying to do
this. I’m blocked.” But it changes very quickly when we go back to them and say, “Hey, you
know what? Are you aware that was a malicious site? Did you know that site was trying to take
your credentials and our system blocked you and protected you?”
The business team is just so much more supportive of additional initiatives once they’ve gone
through that process. You don’t know what you need until the need comes up. So, once they’ve
gone through that process, we just find they’re so much more willing to help secure the
business.
Gardner: And again, with email -- like some of your other services you mentioned earlier -- it’s
the knowledge about what’s going on that brings you to that higher-order discussion about how
to be risk-averse rather than how to be unproductive. And so, that’s the key, I think, is you’re
able to get people’s buy-in rather than have it just seem like they’re being naughty.
Jobson: That’s right. But I will say to anybody implementing it, there is a transition period. The
first day you turn it on, be prepared. One of the things we’re learning is communication is
critical. We do a style of management that’s all about cascading messages to employees and
we found that, you know what? I think the perception of the IT team sometimes is, “Oh, does
anybody notice what we do?” The answer is yes. On a grand scale, they notice what we do.
When we make small changes, users are affected, and they communicate back to us. So, good
messaging helped us get through it. We had a tuning process that we did and we were grateful
to our user’s patience while we did it. But today, everybody’s confident that we’re much more
secure because of these measures that we put in place and it’s worth the inconvenience or
sometimes having to wait an extra hour for a flagged email to pass through the gates.
Gardner: The alternative might be that your business is down for three or four days -- and talk
about aggravation.
Jobson: That’s right, and the reality is we just can’t monitor the volume. You need to leverage a
system to monitor that for you.
Gardner: IT and security people are dealing with so many different tools. There’s a new tool
coming out every week for some other new aspect of security issues. What’s your philosophy
Every single link in an email, when it
is clicked, goes through a secure
scanner first. We don’t have to count
on a person … who doesn’t know if
they’re receiving a legitimate link or
not. … We’ll scan it for them.

8. Page 8 of 10
Internal Use Only
about how to handle that sprawl, to get the most out of the tools but without being overwhelmed
by them? Is the dashboard part of that ability to get the right balance?
Plan ahead to prevent tool sprawl
Jobson: That’s a great question. You need a plan on how you’re going to implement these
things. For us, in looking at the dashboard, we love the information that we get back. It scans a
lot of the network, but there were some limitations on endpoint security.
That led us to the next path, which the NIST Cybersecurity Framework also hinted at, and that’s
the internet of things (IoT). And for us that meant raising our awareness about how much priority
and privilege each device should get. We started to think about segmented network security,
which is what you can do with XDR. So, we’d have networks for IoT, networks for our guests,
networks for our main enterprise business, network for staff devices, and we’re able to reduce
the risk by going into these specific lanes for each category.
When you get a signal back from the dashboard, the solution
isn’t always an IT thing. Sometimes the solution could be
sending a memo saying, “Please don’t install any unapproved
apps unless you reach out to the IT department first.” Or it
might be going further, as we’ve done, and put some clamps
down on what can or cannot be installed on people’s PCs.
So, we have used education, restructuring the network, calling the manufacturers, and further
isolating some devices. We have some suppliers that have devices that they never update. It’s
not our property. No problem, we’ll put that on a network outside of our regular network to keep
us safe. So, each one is a problem to solve. How you solve it is really up to you.
Gardner: Right. But the key is that you have that knowledge and insight that the risk is there.
Jobson: Absolutely.
Gardner: Before we close out, Paul, let’s look to the future. How do you expect to leverage
automation more? You said you can’t do this all manually, and even using intelligence to gain a
larger view of risk. Do you look to the dashboard to help you attain more automation and
intelligence?
Embrace expertise to manage elevated threats
Jobson: The dashboard is one of the tools we’re using, along with Bitdefender GravityZone.
There is a series of tools we use to manage things. One thing we really like is like the
Bitdefender Threats Xplorer. A lot of people’s notion of security is just an antivirus scanner on
the PCs. Scarily, for a lot of businesses, that is their level of understanding. But the threats are
becoming more sophisticated. You can either ignore that or you can work with partners that
have more experience.
As we look to the future, XDR has been an area where we’re paying more attention. It gives us
greater insights on the devices that aren’t PCs and it watches our whole network. But it’s also
giving us in real time a description of the threats as they’re happening.
When you get a signal
back from the
dashboard, the solution
isn’t always an IT thing.

9. Page 9 of 10
Internal Use Only
For example, we recently had an incident. It was from a remote software that we use to support
people. The supplier made a change in their software, and the change had a piece of software
that was associated with malignant code. That malicious software was attacking businesses,
and we were in a meeting at the time, the whole IT team, and our system started to shut down
users.
By the fourth or fifth person being shut down, someone knocked on the glass and pulled us out
of the meeting, and said, “You know, there’s four or five PCs shut down.” We were nervous that
this was a virus. In fact, what it was our system operating in real time. When it saw a threat, it
turned that PC off and isolated it. When it did that, the software, the remote software would go
to the next node and try to scan the network. And, so, it would be shut off, too.
In a very short amount of time, it shut off the five offending PCs. If that had been a real risk …
What’s so great is my team cannot be on alert
all of the time. We are relying on the
automation and technology to take care of
things and let us to do the analysis after-the-
fact. If you’re not leveraging these tools that
can do that for you, you might be creating a lot
of risk for yourself.
Gardner: Any recommendations to those listening?
Jobson: In IT, you have so many choices. I mean, you just have to run any popular program,
PC optimization program, and it’ll tell you 1,700 fixes you can do to fix your PC. You scale that
over a large organization, and you can literally have hundreds of thousands of choices.
For us here at Bruce, the tech team, it was critical that we had something that prioritized it from
a risk point of view -- from mildly inconvenient to threatening your business. Once we had that
prioritization, and the whole team understood what it meant, that’s when we started to gain
enormous traction on long-standing issues with how we were managing our PCs.
In order to have a game plan, you need to know what the objectives are. Our Bitdefender
scorecard helps us identify the highest priority objectives.
Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored
BriefingsDirect discussion on how Bruce Auto Group gained deep insights not only to how their
systems, apps, and data are secured -- but also how risks can be averted across its entire IT
and services supply chain.
And we’ve learned how innovative managers like Paul have elevated IT security to a mission-
critical value of comprehensive risk mitigation and overall business resiliency. Please join me
now in thanking our guest, Paul Jobson, Director of Marketing and IT Strategy at Bruce Auto
Group in Nova Scotia. Thank you so much, Paul.
Jobson: Thanks again, Dana. Have a great day.
Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions. Your host and moderator
for this ongoing series of BriefingsDirect discussions. A big thank you to our sponsor,
If you’re not leveraging these tools that
can “take care of things and let us do
the analysis after-the-fact,” you might
be creating a lot of risk for yourself.

10. Page 10 of 10
Internal Use Only
Bitdefender, for supporting these presentations. And a big thank you as well to our audience for
joining. Pass this on to your IT and security communities, and do come back next time.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Bitdefender.
Transcript of a discussion on how Bruce Auto Group gained deep insights into their systems, apps, and data to
manage and reduce risks across their entire IT and services supply chain. Copyright Interarbor Solutions, LLC, 2005-
2023. All rights reserved.
You may also be interested in:
• For UK MSP, optimizing customer experience is key to successful security posture and
productivity
• Why today’s hybrid IT complexity makes 'as a service' security essential
• Defending the perimeter evolves into securing the user experience bubble for UK cancer
services provider
• How A-Core Concrete sets a solid foundation for preemptive security
• How an MSP brings comprehensive security services to diverse clients
• Better IT security comes with ease in overhead for rural Virginia county government
• SambaSafety’s mission to reduce risk begins in its own datacenter security partnerships
• How MSP StoredTech brings comprehensive security services to diverse clients using
Bitdefender
• For a UK borough, solving security issues leads to operational improvements and cost-
savings across its IT infrastructure