Kevin has an extensive background in information security, systems architecture and communications. As Chief Information Security Officer at International Game Technology, he holds global responsibility for information security as well as governance, compliance and threat intelligence.
Most of the challenges you tend to face as CISO are people challenges like understanding how different areas work and what their state of security is. This is critical, but can be difficult especially when you are trying to integrate all the different operations into a single security unit.
The two main functions of my job are to communicate updates to the board and keep a finger on the pulse of the business. This means that I need to translate tech speak into business speak for the board, because if I can’t communicate it well, then nobody will listen. Therefore, the art of presentation is key and you should avoid communicating anything too technical. Ultimately, when speaking to the CISO, the board is interested in understanding our risk profile. If the profile is acceptable and you can communicate that clearly, they will be happy.
From a high level, the two most important security aspects that every company should care about — not just gaming companies — are knowing what your attack surface is (i.e., the different attack points) and what your defences are. Based on those two, you can then determine what your KPIs should be. Other than that, understanding how well you are implementing governance, risk and compliance requirements and meeting your regulatory obligations should be on every company’s mind. You need to make sure you are operating in line with the regulatory requirements. If you are compliant and you understand what your attack profile and defences are, you can solve a huge portion of what the board is concerned about.
Companies should accept that it is just a matter of time before something happens, and they need to be prepared for attacks to get through their defences. I’ve been exposed to a lot of organizations that focus entirely on preventing attacks and do not have a plan for dealing with successful attacks. It is important to be prepared for every scenario, and this is not something that many companies are doing. The key is understanding that technology is ultimately a means to achieving an acceptable risk profile.
The biggest threat is phishing, and this is not unique to the gaming industry. Being able to deal with phishing attacks and reacting to successful ones should be at the top of everyone’s mind. Phishing attacks are basically 90% of the way people are attacking you; all other attack vectors are significantly smaller. Many threats can be dealt with quite well, but addressing the social engineering aspect that makes phishing attacks hyper-targeted is extremely difficult.
Information security is all about being up to date. The joke used to be that technology changes in dog years; now it’s more in the mayfly territory, where every single day something new comes up. I take advantage of any article that highlights new possible attack vectors, or helps me understand how I could deal with these attacks. If you don’t know what you are dealing with, then you will simply not be able to deal with it. Another option is to go to trade shows or networking events that involve a lot of knowledge sharing.