Game on: Case study with Electronic Arts and Allgress

The search began with a look at some of the governance, risk management and compliance (GRC) products listed in the Gartner Magic Quadrant. But, in the end, Borrero says a platform from Allgress seemed to be the quickest way to get the functionality EA was looking for at a reasonable cost.

Allgress is a collaborative tool specifically designed to make the job of information security professionals easier, says Jeff Bennet, president, COO and founder at the Livermore, Calif.-based company, which aims to provide CISOs with the ability to make effective investment decisions that align security and compliance programs with top business priorities. It is also vital to communicate the value of those decisions to senior executives and manage risk, fines and brand damage, he says. "Our solution provides an intuitive workflow, rich reporting, scenario modeling and charting that concisely and immediately shows your security posture," Bennet says.  

The tool displays risk using measures that are meaningful for an organization, Bennet (left) adds. "We provide context to our risk. Business metrics, easy-to-use modeling tools and a unique presentation layer make business risk intelligence easy to communicate and easy to interpret. CISOs can effectively advise senior leadership and align risk with the goals of the business to become effective partners in the business."

Borrero says he's a very cost-conscious leader who is continuously looking for the best bang for the buck. "We chose to move forward with Allgress because it has all the features we are looking for without significant deployment and ongoing staff support costs," he says.

So far he says his team has been very happy with the deployment. "The interesting thing is that I put the most junior guy from our team on getting Allgress up and running." And after quite a bit of customization, the integration of EA's cyber risk profile, the process has been proceeding without any hitches, he says.

"So far, it's been pretty seamless," says Borrero. "We're actually in the phase of fully stress-testing the product. So far, no hitches, no glitches, but we think the next year or so will tell the tale."

Right now, he's lined up a few people to leverage and run different assessment projects within Allgress. And, though at present EA is using its own homemade risk framework, which aligns with a lot of regulations, the Allgress tool, he says, might be useful for that demand in the future.

"We've seen how the baked-in policies can map directly to compliance regulations and policies, but right now I'm really just looking to kick the tires with the risk assessment features."

Today, the implementation of the Allgress offering is touching just a couple of different environments at EA, but the goal is to populate it with information from each line of business to give an enterprise-wide view of risk. This in turn will give Borrero and his team a greater understanding of where it can make the biggest risk improvement or lower risk, he says. 

"I think in today's cyber landscape, it's extremely important for security professionals to be able to articulate the value of the investments they're making," says Borrero. "In our trade, that really relates to risk reduction, cost savings and/or business enablement. So if you can't show that, eventually you'll get the question, 'What is the value of security for the company and how does that value equate back to the investments we're making?' You've got to get ahead of that curve," he says.

Security is no longer just a technology, he adds. "It hasn't been for a while. It's a business function, and we have to partner with our business groups and our executives to support and enable the strategies that are being developed from within the organization.