It’s anything but a game when adversaries seek to break into the network of gaming company Electronic Arts, reports Greg Masters.

Video game players are used to fending off alien invaders or fierce linebackers and maneuvering past all sorts of obstacles to attain ever more glorious levels of achievement.

But, back at the drawing board where these challenges are dreamed up, the IT staff at Electronic Arts (EA), one of the world’s largest gaming companies, faced a new adversary, something so insidious that even its own software developers couldn’t have imagined it a few years ago. The tables turned. Or rather, the door opened. And that’s because the staff no longer was solely creating digital content and developing entertainment. With its global headquarters in Redwood City, Calif., and facilities all over the world where more than 9,000 employees keep the action going, the need to reduce cyber risk within its own environment became a priority.

That is, somewhere out there lurking in the nether regions, enemies were at the gate. Perhaps having already mastered the tactics of a skilled video game player, growing legions of attackers are turning their focus away from the game console and applying their talents to penetrating inner sanctums from which they can derive real treasure in the form of intellectual property.

The company faced a need to make good investment trade-off decisions around security and risk management, says Eddie Borrero, director of security and risk management at EA, who joined the company a year ago to lead management of EA’s cyber threat management and IP protection programs.

“In today’s world, security executives need to be able to align their investments with business goals and be able to show that there is some sort of return – be it risk reduction, business enablement and/or financial savings,” says Borrero, who previously led security and risk management strategy at Pacific Gas and Electric and served a CISO role at Robert Half International, a global staffing firm.

Borrero and his IT department, consisting of 900-plus employees, began the process of identifying, measuring and communicating the cyber risks the firm was facing so smart risk mitigation investment decisions could be put in place, he says. “In addition, we really needed to be able to show our business owners that the investments we are making are a value-add and have actual benefits that will support our overall business goals and objectives.”

A number of executives were involved in reviewing and approving the cyber risk framework his team was using to articulate and measure cyber risks, but only his IT and security teams were involved in deciding on a solution to automate and support the company’s risk framework process.

The search began with a look at some of the governance, risk management and compliance (GRC) products listed in the Gartner Magic Quadrant. But, in the end, Borrero says a platform from Allgress seemed to be the quickest way to get the functionality EA was looking for at a reasonable cost.

Allgress is a collaborative tool specifically designed to make the job of information security professionals easier, says Jeff Bennet, president, COO and founder at the Livermore, Calif.-based company, which aims to provide CISOs with the ability to make effective investment decisions that align security and compliance programs with top business priorities. It is also vital to communicate the value of those decisions to senior executives and manage risk, fines and brand damage, he says. “Our solution provides an intuitive workflow, rich reporting, scenario modeling and charting that concisely and immediately shows your security posture,” Bennet says.  

The tool displays risk using measures that are meaningful for an organization, Bennet adds. “We provide context to our risk. Business metrics, easy-to-use modeling tools and a unique presentation layer make business risk intelligence easy to communicate and easy to interpret. CISOs can effectively advise senior leadership and align risk with the goals of the business to become effective partners in the business.”

Borrero says he’s a very cost-conscious leader who is continuously looking for the best bang for the buck. “We chose to move forward with Allgress because it has all the features we are looking for without significant deployment and ongoing staff support costs,” he says.

So far he says his team has been very happy with the deployment. “The interesting thing is that I put the most junior guy from our team on getting Allgress up and running.” And after quite a bit of customization, the integration of EA’s cyber risk profile, the process has been proceeding without any hitches, he says.

“So far, it’s been pretty seamless,” says Borrero. “We’re actually in the phase of fully stress-testing the product. So far, no hitches, no glitches, but we think the next year or so will tell the tale.”

Right now, he’s lined up a few people to leverage and run different assessment projects within Allgress. And, though at present EA is using its own homemade risk framework, which aligns with a lot of regulations, the Allgress tool, he says, might be useful for that demand in the future.

“We’ve seen how the baked-in policies can map directly to compliance regulations and policies, but right now I’m really just looking to kick the tires with the risk assessment features.”

Today, the implementation of the Allgress offering is touching just a couple of different environments at EA, but the goal is to populate it with information from each line of business to give an enterprise-wide view of risk. This in turn will give Borrero and his team a greater understanding of where it can make the biggest risk improvement or lower risk, he says. 

“I think in today’s cyber landscape, it’s extremely important for security professionals to be able to articulate the value of the investments they’re making,” says Borrero. “In our trade, that really relates to risk reduction, cost savings and/or business enablement. So if you can’t show that, eventually you’ll get the question, ‘What is the value of security for the company and how does that value equate back to the investments we’re making?’ You’ve got to get ahead of that curve,” he says.

Security is no longer just a technology, he adds. “It hasn’t been for a while. It’s a business function, and we have to partner with our business groups and our executives to support and enable the strategies that are being developed from within the organization.”

