It's anything but a game when adversaries seek to break into the network of gaming company Electronic Arts, reports Greg Masters.
Video game players are used to fending off alien invaders or fierce linebackers and maneuvering past all sorts of obstacles to attain ever more glorious levels of achievement.
But, back at the drawing board where these challenges are dreamed up, the IT staff at Electronic Arts (EA), one of the world's largest gaming companies, faced a new adversary, something so insidious that even its own software developers couldn't have imagined it a few years ago. The tables turned. Or rather, the door opened. And that's because the staff no longer was solely creating digital content and developing entertainment. With its global headquarters in Redwood City, Calif., and facilities all over the world where more than 9,000 employees keep the action going, the need to reduce cyber risk within its own environment became a priority.
That is, somewhere out there lurking in the nether regions, enemies were at the gate. Perhaps having already mastered the tactics of a skilled video game player, growing legions of attackers are turning their focus away from the game console and applying their talents to penetrating inner sanctums from which they can derive real treasure in the form of intellectual property.
The company faced a need to make good investment trade-off decisions around security and risk management, says Eddie Borrero, director of security and risk management at EA, who joined the company a year ago to lead management of EA's cyber threat management and IP protection programs.
"In today's world, security executives need to be able to align their investments with business goals and be able to show that there is some sort of return – be it risk reduction, business enablement and/or financial savings," says Borrero, who previously led security and risk management strategy at Pacific Gas and Electric and served a CISO role at Robert Half International, a global staffing firm.
Borrero and his IT department, consisting of 900-plus employees, began the process of identifying, measuring and communicating the cyber risks the firm was facing so smart risk mitigation investment decisions could be put in place, he says. "In addition, we really needed to be able to show our business owners that the investments we are making are a value-add and have actual benefits that will support our overall business goals and objectives."
A number of executives were involved in reviewing and approving the cyber risk framework his team was using to articulate and measure cyber risks, but only his IT and security teams were involved in deciding on a solution to automate and support the company's risk framework process.