Security is Like a Rubik’s Cube


“Security is like a Rubik’s cube”, Mott tells me, just as our interview draws to a close. “You’re trying to get to a position in security where all the sides of the square are the same – you’ve got to just keep twisting and shaping your program until you succeed. When you complete it – and leave the Rubik’s cube on your desk – you come back in the morning and someone has had a go and left it back at square one. You wouldn’t then follow the same twists and turns to get it back to where you were before, would you?”


took [information security] seriously”. Mott hopes that this reflects the company’s recognition that the information security program is relevant to what EA is trying to achieve from a business perspective.


Talking about information security in business language is essential to the company’s buy-in, Mott explains. “What we’re doing has to support revenue generation, business services and our employees in their day-to-day job. [If it does this] it becomes a pretty easy discussion.” At the executive level, talking about revenue and reputational risk is a pretty straightforward conversation, asserts Mott, who prefers this tactic to that of scaremongering.


He takes a similar approach with educating EA staff. “We have a roadshow event which goes around all of our big product development sites. We set up an internet café in the restaurant area – people can bring their laptops, get them checked out, get a virus taken off, or something like that. We call it a security café, and we serve coffee and cake and discuss with employees what we could be doing better.” Mott believes that creativity is one skill that all CISOs should have on their resume. “The more innovative, creative and adaptable you are, the more successful you’re going to be”, he declares. “Today’s security café works for us, but tomorrow it might not work, so we’ve just got to re-evaluate what’s the best way of doing it.”


Putting it into Perspective

Mott is responsible for the security of one of the world’s most successful gaming companies, in an industry that only nine months ago suffered one of the most notorious security breaches to date. This must be a man with a good portion of the weight of the world on his shoulders? “Nothing keeps me awake at night”, Mott laughs. The reason? “In my job, I don’t save lives. I work for a gaming company, and of course, security is important to the business, but in the grand scheme of things – and the world order – it’s not important.” Having said all that, Mott admits that he does worry about things, and at the top of that worry list is complexity. “It’s organizational complexity, threat landscape complexity, the numerous different attack vectors that we face now”, Mott says. “Whether it’s cyber threat, advanced persistent threat, insider threat, disaster recovery, threats to your supply chains – what you now have to have in your skill set is just so big and so complex that there’s no individual person that can do it.”


Back to that worry list. After complexity, Mott’s next biggest concern is ubiquitous connectivity. “By that, I mean connectivity that you can and can’t see. Unless you know who’s connecting to your network, or who’s engaging with the business, our

biggest threat has often come from things that we don’t know about, or haven’t seen.

His risk management agenda isn’t based on his worry list, however. Instead, he chooses to allocate his budget based on four things:

1. Industry standards and business requirements
2. Regulatory requirements
3. Risk assessments
4. Security threats and breaches

“It is around these four things that I take my pool of money, assign resources, responsibilities, roles and technologies – everything I need to support that allocation of funds”, he reveals.


Every CISO, Mott insists, should know what the benchmark funding is. “Take a rationalization of how much ground you’re expected to cover as CISO, and then either tune up or tune down that benchmark. The benchmark needs to be a combination of the different authoritative sources; for example, x% of global IT spend, or x% of the company revenue, should be spent on risk management.”


Mott Against Threat

Mott brings to our meeting a list of what he considers to be the 22 most challenging threats that he is up against. I ask him for his top three. Number one, he tells me, is unquestionably cybercrime. “More specifically, the sophistication we’re seeing


www.infosecurity-magazine.com /// 15

