‘I Always Sleep With One Eye Open:’ American Airlines IT Chief Talks Security and Change

July 9, 2024
American has developed two major tools to help with its operations: HEAT, which stands for Hub Efficiency Analytics Tool, and smart gating.

There’s one major challenge that makes Ganesh Jayaram, chief digital and information officer at American Airlines sleep with one eye open at night: cybersecurity.

Cybersecurity has long been a threat to information technology systems and hits even closer to home after a ransomware attack impacted the city of Dallas’ servers last year, pushing city councilors to approve about $2.7 million to shore up the city’s IT security.

This year, personal data from about 73 million current and former AT&T account holders were leaked on the dark web. It’s a technology team’s biggest problem, but one of thousands that Jayaram’s team of problem solvers attempts every day to adapt to the changing world for travelers.

American has developed two major tools to help with its operations: HEAT, which stands for Hub Efficiency Analytics Tool, and smart gating. HEAT helps in extreme weather events, while smart gating is a tool that is used to reduce taxi time.

American’s IT team is streamlining some of the simplest questions, like a payment method for a flight to more complex ones like how a bag makes it on a connecting flight. About 2,000 employees work at the Fort Worth headquarters and some work at American’s office space in Phoenix. There’s a “hangar” space that allows for collaboration among major projects that IT workers take on.

The Dallas Morning News sat down with Jayaram, who has been with American since Sept. 2022, to discuss some of the challenges and new tools the airline is constantly developing. This interview has been edited and condensed for clarity.

Recently, major airlines like Alaska Airlines and Southwest Airlines have had major operational disruptions due to technical issues. How much of a hand does IT have in those disruptions and what are you looking for?

So, a couple of things. One is you look for people who have gone through high levels of complexity in their daily work, to build it in their muscles to recover quickly. Some of those you can plan for.

You know a weather event is going to happen, you know an ice storm is going to hit. How do I plan for it? And for us, first and foremost, safety is job No. 1 and second, we want to make sure that we plan to recover pretty quickly. That is part one.

Part two is to make sure that you are consistently and continually investing in technology. In our case, we’ve made significant investments in technology, not just the integration timeframe, but coming out of the pandemic, really increasing year over year spend in technology, well north of what our revenue projections would be. We’ve invested more in technology, recognizing that some of the stuff that we’re doing today is manual or it is augmented, we can automate some of that.

As long as you continue to improve on your technology stack, we call it the technology stack, you can continue to modernize the technology stack, you build more resilience. It’s not that the equipment won’t fail, not that the hardware won’t fail. It’s not like that the software won’t crap out. But two things that you got to be quick on: one is to be able to detect it as soon as it happens ... and the moment I know it, then I need to have experienced people that can go work on it and make sure that recovers quickly.

The third thing that we do is process training. When you have an issue, which we always have, what we try and do is to minimize the impact. You never want to have those examples that you gave. If we can make sure that the customer doesn’t suffer, that’s a win. How do you minimize the blast radius of the impact? It all goes into how you design the solutions.

On a weekly basis, my leadership team sits down and reviews all the incidents that happened at a certain severity level that could have a big impact operationally or commercially and in some cases, our vendors have designed the solution. We invite them to be part of this. We say, “Tell us what happened.” We learn from it. We can then put in the process changes. We can put tools like reimbursement, technology, whatever the case might be, to make sure it doesn’t happen again.

As you continually learn, we will reduce the blast radius.

The best way to think about this is we measure how much downtime our apps have. We’ve been measuring this well before I came in, but we’ve driven it all across the organization and we report it every month: year-over-year 30% improvement from 2022 to 2023 and from 2023 to 2024. So, total amount of outage for our apps is down 30% each year. That’s a journey that we want to be on.

How do you pay attention to cybersecurity threats as a major airline?

When you think about resiliency, there are two buckets to resiliency. One is just that we cannot go down because of changes that we drove in. The second thing is we cannot go down because somebody hacked into our systems.

Those are factors in many cases that are being imposed on us by a third party. If you have a vulnerability in the way you’ve designed your application or because you are running a really old system, it is prone to be discovered by a third party. In many cases, we are a critical infrastructure. We consider ourselves a critical infrastructure to the nation. Therefore, nation-states take an interest in the operations of an airline. As the largest airline, I always sleep with one eye open. This is an area that I’m most concerned about, from a cybersecurity stand point.

People are getting smarter. These criminals are much smarter at attacking us. We have to just be always on watch. We have tools that we’ve invested in, that alerts us when these activities take place ... our teams jump on it to try and fix it as soon as they can. We learn and get better at it.

Do you see room for airlines and airports to lean more into AI, the metaverse and all of these new technology advancements growing more popular?

Probably a little bit further out in the future.

When you have a physical product like what we are driving which has a huge safety component to it, our focus is first and foremost on ensuring that we’re taking the privacy of our customers first and foremost in everything that we do. Ideally, we want to deliver very personalized services to you that recognizes your travel, not just your travel patterns, your preferences and so on, but we’re also highly regulated. Everything that we do to be hyper-personalized, also comes in with the constraints of working in a more regulated industry.

We’ve been implementing AI long before the term “AI” became cool to the rest of the industry. If you think about the number of flights, we have 6,000 flights a day, 600,000 people in the air every single day, it takes a significant amount of technology data processing, which cannot be done with the human mind. That’s what AI is. You’re using the computer to solve for problems that are highly data-oriented. Not just the operations but the supply chain that goes to make sure that the aircraft gets cleaned, that food gets delivered, that the bags get transferred. It’s poetry in motion that needs to happen every single time that a flight arrives and takes off. We do a lot of AI it’s just that probably we don’t go out and publicize it as much. AI is something that we’ve been doing for a long time.

Gen AI, now, is the next version of that. What can we do with generative AI to improve our productivity our efficiencies in terms of internal operations? That’s our big focus and eventually, I think once these questions about privacy and other things are addressed, you’ll start to see us and others drive more personalized offers using AI as well.

What keeps you awake at night during peak seasons of travel?

We talked about cybersecurity. That’s job number one.

But what keeps me awake at night is to ensure that technology is not the cause for our operation’s underperformance or for our customers having a poor experience at any part of the sale or the service process. Those are the two biggest pieces.

We also have technology that serves team members. We all have laptops, we all have phones. That we can live with if we have an outage or so on but a customer cannot, should not, have to suffer an outage because of us. The same thing with our operations. As we get into peak summer, one of the main things that we have done ... we go in and make sure that we have tested the resiliency of our systems. We work with our vendors to let them know that this is a really critical period for us. We get even more careful about what implementations we drive.

As a technology team, we track thousands of changes in every product that we’re working on. The question is how many of these really can be impactful and can bring down our operations. Those that are really big changes, we put a lot of hyper-care around it, which means that we tested probably multiple times over, especially if you’re going to do something over the peak summer period.


©2024 The Dallas Morning News. Distributed by Tribune Content Agency, LLC.