Mott’s Seven Rules of a Security Program
1. Accept, act and tone: “Management need to make a conscious decision to do something tangible. They should live and breathe as if it’s important to them”.
2. Invest time and money
3. Human resources: “Find a really strong leadership team to manage the security program”.
4. Strategy: “The key is to have a plan that is different from everyone else’s plan. Many CISOs will pick up a traditional security framework and apply it – hackers know these frameworks too. You also need to separate out the hygiene stuff from the true progress. Make sure the IT department is getting it right. An IT department can make a security group look, quite frankly, bloody awful.”
5. Execution: “You’ve got to really nail that strategy.”
6. Persistence: “Be dogmatic and persistent”.
7. Adaptability: “Don’t become too rigid – adapt and change so you don’t become predictable”.
While that’s advantageous for those who have good intentions, it could work against EA in the cases of those who don’t. “We do get the odd case where we’ve got someone who thinks it’s acceptable to take something that’s proprietary to EA away with them and start their own business – that happens in every business. You always get bad apples, right?”
Mott explains that a good proportion of EA’s threat comes from their supply chains, but agrees that the insider threat “is the hardest thing to factor against. Your first assumption has to be trust. Everything after that is incident-based”.
How He Rolls
Every CISO has their own ideas about how best to secure their organization. Mott is very clear about what he doesn’t believe in: security policies and classroom security education. He later expands on this, explaining that he isn’t totally against security policies, more that he doesn’t believe they achieve a great deal on their own. “I think there are a lot of other things that you want to be doing before you start drafting policies”, he clarifies. “Producing hundreds of policies just dilutes the whole effort. People become numb and the complexity [of multiple or lengthy policies] kills the intent.”
The most crucial part of policy making, explains Mott, is ensuring that it addresses the real – as opposed to the perceived – threat. “You need to be able to explain how a policy will generate revenue, make jobs easier, and the environment a little bit more pleasant and safe. If you can’t do that”, Mott says honestly, “then it’s a policy that’s never going to work.”
After the Sony breach, Mott analyzed the EA information security policy for relevance. “The very next day [after the news of the Sony breach hit] I was called to see the CEO.” It was only the third time Mott had met him. “He’s now definitely on my back in a good way, as he should be. He wanted to know what had happened [at Sony], and critically, could it happen at EA, and what were we doing to make ourselves secure against that type of attack?” As it so happened, Riccitiello had a right to voice his concern. In June 2011, EA suffered the same fate as Sony and fell victim to an attack that exposed nine million customer accounts. Mott volunteered this information to me before I had a chance to ask, which – in my opinion – is a sign of strength. “I’m not a CISO with a clean bill of health”, he admits. “It was not a pleasant experience, but any CISO should go through it to understand what it feels like.” There are two types of CISO, he tells me: “Those that have been attacked, and those who don’t know they’ve been attacked”. EA had the detection controls in place to know that an incident had occurred, and the team was able to look at what happened to the asset that was stolen – in this case, it was a financial attack.
“Like any breach, it could have been protected against”, he admits. “It would be unforgivable to get caught on a basic vulnerability, like a SQL injection attack, or if you’ve got core assets, data, or intellectual property that you’ve exposed to the public internet because you didn’t upgrade your software – nowadays that is unforgivable.” The attack that EA faced, however, was “particularly sophisticated”. Even with hindsight, Mott is not convinced that he could have prevented it, but says that lessons have been taken from that incident.
The Breach Before the Storm
Within two weeks of the Sony breach hitting the headlines, information security was the first item on the agenda at the EA board of directors’ meeting. The board, says Mott, sit in Silicon Valley and are “technology people”. For that reason, “they completely get security risks. Our CEO has a very deep understanding too”. Mott remembers their meeting immediately after the Sony PlayStation breach. “Either he read up on [information security] very quickly, or he always had a technical understanding of the risks. “I wouldn’t be working here if I didn’t think that our CEO and the company
January/February 2012