Richard Ly – Plus Company

In March 2020, companies across the globe were racing to adapt to COVID-19’s rapid spread: shuttering offices, setting up first-time Zoom meetings and struggling to move operations to the cloud.

At Toronto-based Vision7 International—which was renamed Plus Company in 2021—they did nothing.

In the years prior to the pandemic, the IT department at Vision7 had been scaling operations to transition to remote work. By 2018, the entire company was work-from-home-capable. Richard Ly, now Plus Company’s chief information security officer, had helped shift everyone onto laptops, so when the pandemic hit, they weren’t scrambling for hardware like other companies.

Richard Ly | Chief Information Security Officer | Plus Company

That kind of careful planning has helped Plus Company’s IT department meet more recent technical challenges, too.

“Security is never the same work every day,” Ly says. “With the breakout of war in Ukraine, organizations like Plus Company saw new and unique challenges, such as a surge of ransomware coming from Russia and adjacent locations which seemed coincidentally timed.”

Building up from scratch

Blocking ransomware is all in a day’s work for Ly, who has been with the company for nearly eight years. Securing Plus Company’s networks helps ensure that the creatives who populate its marketing agencies are safe to do their work.

Plus Company is comprised of more than 20 agencies with over 3,000 employees around the world. When it was formed from the spin-off of Vision7 in 2021, Ly had to change the company’s security direction and assemble a security department from scratch. This included creating a unified, streamlined tech stack from 10 teams who’d been using 100 different applications. He says this was crucial to scaling Plus Company’s operations and facilitating better interactions with clients.

Ly also shifted Plus Company from an ad-hoc security approach (in which threats were addressed on a case-by-case basis) to the industry-standard approach of following best practices. In doing so, Ly got Plus Company to the minimum level necessary to protect against lawsuits.

Before this, the company would sometimes get contracts from clients that included provisions about data protection or encryption. However, the security department never saw these contracts, so when it came time for clients to conduct an audit, Plus Company (then Vision7) couldn’t prove compliance, opening it up to potential lawsuits.

Now the security department goes over each contract with the legal team and confirms it can do what clients are asking for. And if it can’t be done, Ly’s team marks the request and adds a comment to that effect before the contract is signed.

Getting everyone on board

Meanwhile, according to Ly, the architecture and procurement process has been simplified by CDW—a technology solutions company that, in his words, “helps us with just about everything.”

“They have the most reliable supply lines, and their sales staff were the most knowledgeable and helpful to us, even when we didn’t really know what we wanted,” Ly says.

In implementing technical changes, he’s had to get IT staff and other employees on board with his preferred security approach, known as “defense in depth.” It’s a layered take on information security that borrows from the concept behind a medieval fortress.

When hackers attack a layered security system, they shouldn’t be able to get past the outer perimeter; if any one layer of security fails, the other layers should remain effective at thwarting them. For example, Plus Company uses multi-factor authentication, geolocation-based authentication and strong employee passwords.

While the concept makes sense to employees when Ly explains it, they aren’t always eager to go along with it in practice.

“When it is implemented, I feel like it is always politically opposed,” he says. “People don’t see the need for redundant controls, necessarily, and it’s always a hassle to convince them.”

But Ly won them over, and now does tabletop exercises with employees to prepare for the next security event and to educate them on how to mitigate threats. He’s also made sure Plus Company managers understand why his department is taking certain measures.

An energetic workplace

As Ly likes to say, it’s his job to make sure the company never gets hacked or sued. And he takes both possibilities seriously.

“I have an incredibly supportive executive management team and amazing department members and coworkers,” he says. “The IT team, they’re all incredibly smart people, hardworking and fast learners, all of them.”

The job has turned into a long-term labor of love for Ly, who joined Vision7 in 2015 for what was supposed to be a six-month gig. After starting his career in other industries, he finds working in a marketing agency environment invigorating.

“Everyone here is young. Everyone here has energy. There is passion here,” he says. “It’s not something that I’ve found in manufacturing or government or retail.”

When Ly isn’t working or hanging out with co-workers, he’s busy caring for his two rescue dogs. He got them from his sister, who runs a dog rescue nonprofit, Stray to Play, that saves dogs from crowded kill shelters across North America and finds them homes in Toronto.

He loves coming home from a long day at work and being greeted by his beloved charges. However, his time spent at work is also quite enjoyable.

“Last night, we had a Diwali/Halloween party, and a lot of people showed up; the IT team, because we’re not that extroverted, sat around and played board games, and anyone who needed a break from the party could come and join us,” Ly told Toggle in October. “And this is the type of energy that you see every day, the type of vigor that you see put into work every day. It’s very different; you can’t just go back into retail after that kind of thing.”

View this feature in the Winter I 2023 Edition here.