The following document is an approximate, but not exact, transcript of the Operational Leaders podcast conversation between host Terrance J. O’Malley and guest Bart McDonough.
Please support the production of this podcast by downloading the Bart McDonough episode.
Welcome to the Operational Leaders podcast featuring leaders and innovators in the investment management industry, where we discuss the business of running the business with host and top industry executive Terrance J. O’Malley.
Terrance O’Malley 0:18
My next guest has more than 20 years of experience working in business development, IT management and cybersecurity within the alternative fund industry. In early 2019, he published his debut book: Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals. He is the CEO and founder of Agio, a hybrid managed IT and cyber security provider. Please welcome Bart McDonough. Thanks for joining us today.
Bart McDonough 0:47
Thanks for having me. Appreciate it.
Terrance O’Malley 0:49
Can you introduce us to Agio and tell us about managed IT in cybersecurity?
Bart McDonough 0:54
Yes. Managed IT and cybersecurity services that Agio provide, traditionally I think we’ve called those outsourced IT or outsourced cybersecurity. I think as we’ve evolved a bit we consider it managed IT, which is really usually this acknowledgement that the firms have some ownership of their IT, they have a greater involvement. So we call it managed IT. We are managing our clients’ IT infrastructure and the services that support that. As clients have transitioned more to the cloud, we end up supporting more of their services and less of their quote unquote, physical infrastructure.
Bart McDonough 1:30
On the cyber side, it’s really two areas: cyber security operations, which is the day to day blocking and tackling. the finding of various threats and attacks from hackers. And then there’s something called cybersecurity governance, the risk profiling the risk management as well as meeting any compliance needs and requirements. And so those are the three main areas of our business. What we consider IT operations (or outsourced IT), cybersecurity operations and cybersecurity governance.
Terrance O’Malley 2:00
Are these similar disciplines, or are they distinct?
Bart McDonough 2:02
They’re very similar in that there are some principles that we think are kind of table stakes that everyone should have and do. And then there are other areas that come with tradeoffs with maybe convenience and security, convenience and reliability. And so that’s where the art comes into this. There’s a little bit of what we consider the science, the white paper design that everyone should be doing. And then there’s the more nuanced decisions that clients get to make. And we’re there to educate them on the risk/benefit analysis of a lot of those decisions. And really that framework, that methodology of assessing risks and benefits is the same across cybersecurity and IT, and one of the differences we think is that a lot of the people that we compete against, really do one or the other. They just do IT or they do cyber. We think it’s critically important that IT and cyber are blended together, that cyber is at the table. And one of the challenges – that if you work with just a cyber firm – is sometimes they can be a little academic. They can say, in an ideal world, this is the way everything should be configured. The problem is, sometimes that makes the operating day to day very difficult. So for us a real differentiator is the fact that we have IT and cyber together as one offering for our clients.
Terrance O’Malley 3:26
Bart, can we take a step back. Talk a little bit about your career in the early days, how you got started in the business.
Bart McDonough 3:32
Yeah, my first job was actually I worked at a baseball card shop and that didn’t really translate to anything at Agio. But once I got into college, I thought I was going to be in finance and always kind of tracked stocks with my dad and all that stuff. Then I got an internship at American Express financial advisors in Oklahoma City, and within three or four months of starting college. And I was working with a bunch of financial advisors, helping them with all their paperwork. But what ended up happening is I got known, I got a reputation in the office for being able to fix people’s computer problems. And so while I started working with one advisor, two advisors, I ended up solving computer problems for lots of people in the office.
Bart McDonough 4:10
And then finally, the guy that they brought in to run the office – and he was this rough and gruff guy from Brooklyn, New York – and he came in one day. He stopped me in the pantry and said, “Hey, I’ll pay your college tuition if you fix everything that has electricity running in it,” and even made some joke about he wanted me to fix the toaster oven in the pantry at the time. But that really changed my trajectory from working in finance to moving into technology. Now I’ve always really supported technology in the finance space. But ever since then, I’ve been doing technology support, infrastructure, architecture, security, for that financial services space.
Terrance O’Malley 4:49
After that, what was the transition from there? Obviously, you ended up heading east and then ultimately, starting your own company.
Bart McDonough 4:56
Yeah, so I did a variety things. I moved to Dallas for a few months with American Express. I got kind of quote unquote, promoted. But I realized that I left my home and family and friends and I was in Dallas and I thought, you know ” if I’m going to leave my family and friends in Oklahoma, I really wanted to go to the big time.” And for me, I mean, it sounds cheesy, but New York was that ultimate ultimate destination. It was you know, if you can make it there, you can make it anywhere. It was the big leagues of what I wanted to do.
Bart McDonough 5:23
And so after being in Dallas for only three months, I flew up to New York over a winter break, interviewed at a bunch of different places and got a great job with Sanford Bernstein at the time. Now they’re Alliance Bernstein. And so I went from the summer working in Oklahoma to January of the next year I was working on Fifth Avenue at the GM building and 767 doing various IT support work for Sanford Bernstein. And then a couple years after that I had a great job at a firm called OptiMark. It was one of the first real electronic matching engines. But ultimately, I think the technology gets sold to NASDAQ. But it was a really great exposure for me not only on a technical level, but also really to better understanding the equity markets, trading and all that. And then went from there to a company called Blue Stone Capital. That was really trade.com. So we were doing, we operated under the brand name of Trade.com, and we’d go to banks and equip their commercial websites for stock trading. So we had this kind of white label package. And then with the dot com crash, that kind of went away and I started my own business selling computer prep materials online, kind of got bored with that. It was doing well but it was just myself and the computer and a website.
Bart McDonough 6:44
And then I got called by two different recruiters the same day about the same job at SAC in September of 2001. Just a few weeks before 9/11. I went through the process and started there a few weeks after 9/11. I was there pretty much the entire decade of the 2000s before starting Agio in 2010.
Terrance O’Malley 7:07
So in 2010, you decided it was time to take a look at outside opportunities. What was the transition process like?
Bart McDonough 7:13
Yeah, we made a deal with the management at SAC. Basically, I outsourced a portion of my job to myself in a way. And then I realized that there were a lot of other companies that needed support from people who understood kind of enterprise technology and enterprise technology management like SAC had. And so within two years, we had almost 50 clients, and we almost tripled the size of the firm from the initial contract with SAC. And so there was definitely a market out there. It was definitely an interesting time those first couple years.
Terrance O’Malley 7:48
Was there a moment when you said, “Hey, this is gonna work”?
Bart McDonough 7:52
Oh, you know, I think every entrepreneur goes through that. Maybe you still go through that today where you think, “Oh my gosh, you know, what’s the downside of it?” But yeah, I think there was a moment where I gave a presentation to the firm. And I still remember it, where I said, “We transitioned from having a client to really having a company.” Because we started the business with one client. And the life and death of the business certainly was reliant on that one client. And once we started diversifying, once we had more revenue from other clients than we did from our first client, I knew we were going to survive, if you will. But you know, any entrepreneur who starts a business understands when you’re aggressively trying to grow and all of that, it’s a rocky time throughout that entire journey.
Terrance O’Malley 8:37
When you look back, how you started and where you are now, is there any piece of advice as an entrepreneur that you would give others who maybe are seeing opportunities in the market?
Bart McDonough 8:48
Yeah, for me, I have some teenage children and I talk about this kind of stuff with them a lot. You know, I’m not sure this advice would be unique to entrepreneurs, but certainly talk to other entrepreneurs about all they’ve gone through, really understand the financial 101 basics of running a business, understand cash flow, understand balance sheets, understand your income statement. So those kind of basic fundamentals.
Bart McDonough 9:13
But I think the strategic advice I would give is focus, is identify a problem, identify a solution that you’re trying to either deliver to your clients or solve internally, and really sprint forward. Even if that sprint only takes a week, or a month or a quarter, really apply very structured disciplined focus. I think just discipline starts out trumping intelligence. It starts out trumping hard work. It is really, I think, this magical thing if you can harness focus and all your energy on solving something and taking an entire organization and getting them focused. It can be very powerful. I think too many people I talked to, they’re just scattered all over the place.
Terrance O’Malley 9:57
So on a related point, you recently published what has been billed as your debut book. Tell us a little bit about the book, and are there more to come?
Bart McDonough 10:06
One of my absolute favorite things in my job is I do these Cybersecurity Awareness seminars. And so they are 45-50 minutes. It’s an opportunity for me to teach. My mom was a teacher and her entire family were teachers. And so I think there’s somewhere in my DNA that I was kind of designed to do some teaching. And so I love talking to non-technical people about cyber security. And there’s this moment in the class where the light bulb goes off, and they start realizing the threats and what they can do to really minimize the potential impact to them.
Bart McDonough 10:41
And so I was doing these and I did hundreds of these. I think we’re, you know, over the thousand times this point. And what started happening was there would be a line of people asking me questions after the seminars, where they would ask me questions, and it really wasn’t about work even though the seminar was designed to provide them better cybersecurity at work on how to protect the business. They would ask me all these questions about how to protect their kids, themselves, their parents. I had all these questions. And so I started writing the notes down. And the question got very repetitive. There was a lot of overlap in all the questions. And so I started writing the questions down and supplying the answers and even sent some kind of supplemental PDFs to some of the businesses.
Bart McDonough 11:23
Well, that PDF grew longer and longer and longer. And I thought, there’s a lot here that people need and most of the cybersecurity books are actually designed for cybersecurity professionals. And there really wasn’t anything out there designed to what I kind of called the working professional or the adult that has a lot of their life online. And so that’s the audience of the book, a very broad audience. I have this business that’s focused on a very niche market largely. And yet I have this book that was really focused on kind of anyone that’s online, certainly adult and older, kind of after your teenager years. And so I wrote the book and it’s been a ton of fun. It’s very different than what I do day to day from running Agio.
Bart McDonough 12:08
And are there going to be others? Yeah, you know, I certainly talked to my publisher frequently about it. Right now I’m kicking around the idea of some kind of book on cybersecurity for board members. A little different audience, but you generally have a group of people that need to be very informed about cyber that aren’t. And there’s a lot of exposure there for their companies. So just kicking around some ideas there also, you know, some more cyber-smart themes for maybe teens, for seniors, things like that. So kicking around some different ideas.
Terrance O’Malley 12:40
Where can we find a copy of your book?
Bart McDonough 12:42
You find it Barnes and Noble, Amazon. Wiley is the book publisher. The idea is the book is kind of split into two parts. I meant to say this. The first part is kind of explaining the environment. And then the second half of the book is like very specific recommendations and advice. So if you aren’t sure how to protect your email, you go to the protect-your-email section and it will talk about it. If you’re not sure how to protect your Wi Fi, go to the protect your Wi Fi section. And I try to give very actionable recommendations, not theoretical, not academic, like “go do this.” Because I know your audience, I know this community. People just want to be told what to do from an expert in a field and be given that very prescriptive advice.
Terrance O’Malley 13:26
Bart, with that, let’s transition a little bit to where things stand now in the marketplace. We obviously have had the Coronavirus and its fallout, and that’s really put working remotely front and center. And obviously that means there’s got to be technology solutions. How is it impacting your business and maybe talk a little bit about that from both a cybersecurity perspective and a managed IT perspective?
Bart McDonough 13:51
I’ll talk about IT first because I think that hit us – being in the business and kind of the larger community – first as we all need to work from home. So we needed to be prepared and have the technologies in place to work from home. So in March, I kind of anticipated that people were going to be working from home. So I got Agio working from home in early March. We shut down our offices in New York first and then some of our other offices after that. I got all of Agio working from home because I didn’t want to be in a scenario where we were transitioning to work from home at the same time our clients were. And so after we started working from home. We worked with our clients to make sure that they were all enabled to work from home, whether that was remote desktops, or VPN, or whatever. We were inundated with calls from end users trying to get their home set-up, if you will, working. And that was a rush for about three weeks. We saw a huge volume spikes and all of that.
Bart McDonough 14:47
And then things settled in because people started getting to work. They were no longer working on how to work, they were actually just doing their jobs. So by April what we saw was, we were kind of back to a normal state on issues with our end users. There was a decrease in system changes, but we really saw a kind of a steady state amount of issues and requests from our end users.
Bart McDonough 15:12
And then came kind of the cyber activity. So what we found, and I’ll give you a little background on criminals. One of the ways they try to trick us, it’s very simple formula. They try to raise your sense of urgency, and they try to couple that with some sense of who you are. So it’s a simple formula of threatening digital pain with familiarity. And nothing probably has been better than COVID for that formula from their perspective. So I’ll give you an example where we saw some really devastating impacts. You know, at the time in March, we were all as the global community when an email would come in from our HR department, an email would come in from our child’s school, and it would say, you know, “update on what we’re doing around work from home or school from home.” We were all clicking on those links. They’re all reading those newsletters, emails very quickly. And what happened is the bad actors took advantage. So they started pretending to be the HR department, they started pretending to be the local school district and say, “click this link for the latest update on school closure or business operations, whatever.” They did the same thing pretending to be the CDC or the WHO. And they were really effective.
Bart McDonough 16:32
Now, what would that mean “they’re really effective”? Well they got users to click on links to install malware, to give up passwords. I mean, some estimates say that phishing attacks increased 500%. The other day, I read some study that said they were up 6000 percent. And so really, the method and the payloads weren’t any different for this attack. But I would say the general public susceptibility to those attacks were kind of at an “unprecedented” level – maybe that’s the most over used word lately. But certainly, we had to work with our clients to really make them aware of these threats and provide them additional warnings and protections.
Terrance O’Malley 17:15
Are there a couple of specific pointers that you’re giving out to your clients during this “unprecedented” time?
Bart McDonough 17:22
Yes. A few specific things we were getting out. One was to really standardized, centralize any COVID related communication, and “standardize” might mean we’re only going to send it out at 5pm, and this is going to be the format, and this is going to be who it’s from. Anything else is going to be false, is going to be faked. That alone is just, narrow the possibilities around fake updates. That was one that if everyone had heeded that advice from the very beginning, I think we would have prevented some damage.
Bart McDonough 17:55
And then we really wanted people to make sure that they were only using their devices. And if they had to share their device with a child, or another adult in the house, that they were making sure that they were logging in separately. We had a couple of instances where kids were using mom and dad’s computer, work computer, logged in, downloaded a virus they thought was a game and caused some problems. So those are two very, very, you know, kind of basic pieces of advice. But we wanted to make sure we warned our clients about those two things.
Terrance O’Malley 18:27
So on a slightly different tack, and I think this probably can get tied back a little bit to the Coronavirus. One of the discussion points before all this came up with the idea of the cloud, and also the private cloud versus the public cloud. For those of us who aren’t steeped in this side of the business, can you just explain those concepts a little bit better and how they might come into play and what’s likely to be the outcome long term?
Bart McDonough 18:57
Yeah, so the private cloud public cloud distinction. Unfortunately, it’s really mislabeled. So private clouds tend to be run by, at this point, smaller organizations like ourselves, like AGIO has a private cloud. But the base technology and the premise of it is really no different than a public cloud, which is best represented by things like Microsoft Azure and Amazon Web Services. And so really, it’s the size and scale of the offering, which is distinguishing between a quote unquote, private cloud and a quote unquote, public cloud.
Bart McDonough 19:34
So we sell a private cloud, but my recommendation to a business is to go to the public cloud. And so we certainly provide and support our clients in the public cloud. I think Microsoft’s offering right now is far superior to any private cloud, or other public clouds right now for most alternative fund businesses. So we help clients go to those and configure them correctly. There’s a lot of complexity going into them. But you know, the power of Microsoft right now is, we think, something that businesses should be tapping into and leveraging and not competing against.
Bart McDonough 20:09
So where do I think this goes? As a business owner, we have close to 300 employees. We run almost our entire business out in the public cloud. So I would be hypocritical if I told you I think any other business should do something differently. I think not only the technology innovation, but the scale that they offer, the flexibility that those solutions offer, is what every business should be aligning themselves with. I also think there are really wonderful not only on the IP side, but cyber security guardrails and protections that those public cloud companies offer that simply smaller companies can’t compete with. You know Microsoft, their cyber division for their public cloud is probably bigger than all of the other private clouds, maybe put together, in what they’re doing. So I’m an evangelist for using the public clouds and the secret sauce from a business like us is to make sure that we’re tying it together and taking advantage of all those capabilities and scale so that your business can be protected, while at the same time really grow in a cost efficient manner.
Terrance O’Malley 21:18
So if I think about the cloud as somebody else holding servers, and I’m just using them and accessing them through the internet, instead of using my own servers or maybe keeping legacy servers? Is this the end of servers as we know them?
Bart McDonough 21:30
That’s exactly right. So you know, we talked about them as on-premise, right? That’s the difference between the cloud – clients now they have on premise servers or not. Is it the end of physical servers as we know it? I think there are still some really good use cases for what we call on-premise servers again. But for the most part, those use cases are dwindling. And I do think the days of on-premise servers are certainly numbered.
Terrance O’Malley 21:55
So taking another scenario. You work with a lot of new managers, a lot of startup managers. What advice do you give them to get it right the first time?
Bart McDonough 22:04
I think the tech solutions, quite candidly, there’s a lot of good providers out there that will give you your IT in a box. We think ours is better than most because of our emphasis on cyber security. So I think from an operations standpoint, you want to make sure that the IT solution that you hire, that you buy, that you partner with, really has a great emphasis on cyber and it’s not just traditional, quote unquote, IT.
Bart McDonough 22:31
I think the area that they get wrong is understanding the risk decisions that they make, and working with their provider around their IT environment. I’ll give you an example. They say, “You want a redundant configuration in your office, or do you want a non-redundant one ? You want one firewall, or do you want two?” And they look at the price tag and they go, “I want one.” They don’t understand the risk that that decision implies, should that one firewall go offline and have a problem, whatever. And then there’s tons of other decisions like that. And then they get two years, three years in, and they’ve now built kind of a house of cards, because they’ve made a lot of these decisions that might not be a lot of money to on the other side. But they have made a lot of these short-sighted decisions, something goes wrong, and they have a catastrophic outcome for their IT.
Bart McDonough 23:30
Sometimes – we say this a lot – that if we just do what our clients tell us, it’s not what they want. So sometimes we have to challenge our clients in a way that we have to explain the totality of the decision that they’re making, and not just do what they tell us in the moment. And so I just see a lot of managers making a lot of short-sighted decisions.
Terrance O’Malley 23:52
You sort of anticipated my question. If you’re a startup manager, maybe you have a limited budget, you don’t have the ability to hire a full time IT person, and you’re presented with some of these questions from an outsourced provider or solution in a box. How do you know how to answer those questions? Somebody says, “Well, you can have option A, it’ll cost you x, or you can have option B, it’ll cost you x plus 20%.” If you don’t know any better, you’re just gonna say, “Well, I’ll just go with the first option.”
Bart McDonough 24:17
Yeah, and I think that’s where a manager should just ask a lot of questions around what are my choices here? What are the risks associated with this decision? What can go wrong with this decision? I mean, I think you can ask very generic questions like that around some of the main points. What’s the worst-case outcome if we go this route? Okay, so how do I remediate that? What’s the cost of that remediation? Oh, it’s only 20%? Well, that seems like a no brainer. I think a lot of these managers are very good at making risk-based decisions in their investment career and I find that they don’t think about generic risk-based decisions in their technology purchasing.
Terrance O’Malley 24:56
So Bart, big picture, what are some of the trends that we might see in the IT field – managed IT, cybersecurity, and other things that you’re seeing?
Bart McDonough 25:05
For trends in the business, I don’t think any of these are going to be a real surprise to the audience. I think we’re going to see more and more adoption of cloud technologies. And at the same time, while a lot of those cloud technologies individually are quite secure, I think the other trend we’re going to see is more and more hackers of people’s data, but more specifically, of their funds. We’re seeing just a real increase in that. And one of the reasons why that’s happening is – as we’re getting this, what I call cloud sprawl, yeah, it’s termed “shadow IT” as more and more companies are adopting more of these cloud services – there’s not a unified approach to how to secure them. And I’ll just give you one example that we see often, even places that are pretty good at cybersecurity, of all these various cloud services. We did one recently have a firm that had a CRM where they were tracking their client’s account statements and everything. When we went and looked at it, they had like eight former employees that still had wide open access into the CRM. And so that’s just an example of where even a firm with really good cyber posture overall can have a problem if they forget about a service. It can really lead to big holes and damage. And so in general, we’re seeing greater adoption of cloud and greater security threats. And you need to work with a partner that can help you bridge those two together.
Terrance O’Malley 26:29
Bart, thanks again for coming by today. It’s great to have you on. It’s great to have an expert who can take complicated matters and explain them in a way that we can all understand. If people want to know more about Agio, and they want to know more about you and your book, where can they find that information?
Bart McDonough 26:44
Yes, so Agio.com. And then I do have a personal website, bartmcd.com, that goes into the book a bit more and some speaking engagements and things like that. So Agio, A -G – I – O .com and bartmcd, all one word, B – A – R -T – M – C – D .com.
Terrance O’Malley 27:00
Thanks again for joining us.
Bart McDonough 27:02
Awesome. Thanks Terrance. Appreciate the time.