Michael has been with Casinos Austria for 26 years. He started in the IT department and eventually took over the role of Data Privacy Officer in 2001. He is responsible for overall information security strategy and, working closely with the CEO, establishes policies relating to compliance and anti-money laundering. As well as overseeing all the activities related to the development, implementation and maintenance of, and adherence to, the organization’s privacy policies, he is also the link between his organization and the Austrian Ministry of Finance.
Dealing with the number of regulations is definitely number one. It is a developing field for lawmakers and this makes the laws less stringent than they should be. Additionally, this means that we sometimes have to deal with laws that are in conflict with each other such as money-laundering and data privacy. Another issue that I face, which is probably the case for many compliance officers, is keeping the awareness of compliant behavior high. It is a constantly ongoing process that requires continuous education about the rules that must be followed and we deal with this by running educational campaigns. While there are many ways to approach user education, I find running in-person educational sessions to be much more effective than the rest (e.g. e-learning).
Different gaming markets tend to have different issues but one overall issue I found is, surprisingly, not technical but social, namely dealing with social engineering tactics. This is actually quite a problem because advanced spear phishing attacks that use social engineering methods are very difficult to recognize and therefore challenging to prevent. This is usually dealt with by keeping awareness high but, as mentioned before, that requires constant communication. Because it is such an issue, this will be my main focus for 2019.
In an ideal situation, the most important aspect is to get support from the top as I cannot execute my plan if I do not have the support of the board. Additionally, constant communication within the organization is key so having weekly meetings with the board and other departments to discuss strategic issues is ideal.
Surprisingly, a lot of our competitors in the gaming industry do not have a high level of information security. This seems to be especially common with some of the younger organizations that might be prioritizing high growth over security practices. Casinos Austria has been operating since the 60s so we have very well established compliance procedures. It is not the case that these younger organizations do not care about information security but rather that they usually address this in an unstructured way without many processes. It is extremely important to have a clearly defined information security strategy and that usually means having processes in place.