INTERVIEW
[evolution] naturally led toward a greater technology interest and requirement for me to re-train in a number of those IT-specific skills around what’s involved in computer hacking, and what’s involved in running an illegal downloading operation”.
Sign of the Times
In 2003, the threats [facing EA] were really on the physical supply chain side. “Looking back now, it should have been very easy – in those days it was a fairly straightforward role”, Mott says.
A change of CEO and thus change in direction in 2009 proved to be a game-changer on the security front. “The computer game industry went through a general decline throughout the industry between 2006 and 2009 – part of it was just the macro-economic condition that all the other businesses were facing. Part of it, though, was something of our own doing; we weren’t producing the sorts of games that consumers wanted to buy and enjoy”, he admits.
The newly appointed CEO, John Riccitiello, passionately believed that EA needed to accelerate its transition into an online services company that has an extended relationship with the consumer. “That was a root and branch change for the company in every aspect”, he notes. Today, EA’s online revenues are growing 30% annually.
Mott believes that the importance of information security has always been on the agenda at EA. “The first principle of my role is to protect the core asset: our intellectual property.” It was in 2008 that Mott considers the security landscape became “extremely volatile and very unpredictable”, mostly as a result of increasing multiple attack vectors.
In 2003, the EA security department was made up of a team of six. Today, Mott leads a team of 50 dedicated full-time personnel within the company. In addition to full-time security staff, Mott oversees a program of sentinels – staff who aren’t employed in a security capacity but who are advocates of what the information security team is trying to do. Mott took this idea from Yahoo!, which has a similar program called paranoids. “They are basically advocates within the business that help to deliver the security mission”, he explains. “They have specific formal objectives and tasks that are assigned by the central security organization to look after particular elements of the business units”. If you include the sentinels in the count, Mott leads around 150 employees in the information security movement.
One for All
Working as part of a greater team is an objective that Mott has externally, as well as internally. He talks passionately about industry sector collaboration and the importance of “coming together in a more formal way”. Current obstacles, he explains, include legal barriers around sharing information and intelligence. “We need to become a little bit better as an industry at looking after each other.”
There are two types of CISO, he tells me: “Those that have been attacked, and those who don’t know they’ve been attacked”.
If a gaming company suffers a data breach, then it impacts the rest of the industry, says Mott. I ask him to tell me more, and he obliges. “People tend to use the same user name and password for all of their accounts. If one million accounts are hacked on one gaming site, those details will be circulated and used in attacks against other gaming sites. Those one million accounts suddenly become so much more valuable to the hacker.” In these situations, it would be straightforward and logical, Mott details, to collaborate with the rest of the industry: “We [could do] a search and match and [if] we found the same consumer name and password [used for a different account], we could advise the consumer to change their password and user name to protect their account.”
It’s clear that as Mott talks about this, the Sony PlayStation breach from April 2011 is at the forefront of his mind. “It didn’t just hurt Sony, it hurt the whole industry”, he says, confirming my suspicion. “And it continues to do so – that was the first time that the gaming industry had the wake-up call.”
It shouldn’t have come as a surprise though, Mott laments. Gaming companies have moved from producing software to effectively becoming online banks. “There’s the e-commerce component, providing the payment method. We’re also managing consumer accounts, so there’s lots of personal information that’s being stored and processed, in addition to people’s social identities”. It is for these reasons, admits Mott, that EA has become as large a target as a bank or defense company.
On the topic of industry collaboration, I ask Mott whether espionage is a big threat in gaming. Considering the importance of intellectual property, one would assume that it would be. “I’ve never seen any evidence that we face an espionage threat from rival companies”, he responds. “I work fairly regularly with my peers, which we consider our competition, and I don’t see any sort of inference of any risk around that.”
While the threat of espionage might not be a primary concern for Mott, the insider threat – however – very much is a source of anxiety. “Eighty percent of staff [at EA] work in product development, and are, by definition, technical”, he observes. “They therefore have a very good understanding of what the risk is because they’re developing the code line by line”.
www.infosecurity-magazine.com /// 13