Walking into the Electronic Art (EA) offices feels a little like walking into a gamer’s dream. Star Wars paraphernalia dominates the modern office’s corridors, and young graphic designers walk around in t-shirts and drink coffee like it’s going out of fashion.
Spencer Mott, EA’s vice president and CISO, describes the company culture as dynamic, creative, fun and funky. “I don’t know if you can use the word ‘funky’ nowadays. I’m probably too old to use it”, he smiles. No, Spencer Mott, you’re not too old to use that word.
“There’s a lot of individual accountability here”, Mott explains. “The people that survive at EA are those that can produce results, rather than those that can follow orders”. As Mott has been employed at EA since 2003, it’s safe to assume that he falls into the former category.
Mott joined EA to fulfill the role of ‘European IT and intellectual property security manager’, looking after a portfolio of intellectual properties and helping EA succeed by putting good protection measures around their business model. He considers the career move as something that he “fell into almost by chance”. This seems to be a common theme among information security professionals I interview.
Prior to this ‘chance appointment’, Mott spent 15 “really interesting and fulfilling” years working for the Metropolitan Police. His work predominantly involved “CID-type roles, and other specialist operation-type functions”. Frequent work in the high-tech crime unit ensured that Mott developed a good understanding of computer crime and its investigation techniques.
A career break from the police led to Mott’s employment at FACT – the Federation Against Copyright Theft. “There was a lot of synergy in terms of what they were doing in the private area for the American film industry, and encompassing a number of the police skills that I’d got over the years”, he recalls. In the four years that Mott spent working for FACT, he saw the problem of physical piracy give way to that of computer-based crime and online piracy. “That [evolution] naturally led toward a greater technology interest and requirement for me to re-train in a number of those IT-specific skills around what’s involved in computer hacking, and what’s involved in running an illegal downloading operation”.
Sign of the Times
In 2003, the threats [facing EA] were really on the physical supply chain side. “Looking back now, it should have been very easy – in those days it was a fairly straightforward role”, Mott says.
A change of CEO and thus change in direction in 2009 proved to be a game-changer on the security front. “The computer game industry went through a general decline throughout the industry between 2006 and 2009 – part of it was just the macro-economic condition that all the other businesses were facing. Part of it, though, was something of our own doing; we weren’t producing the sorts of games that consumers wanted to buy and enjoy”, he admits.
The newly appointed CEO, John Riccitiello, passionately believed that EA needed to accelerate its transition into an online services company that has an extended relationship with the consumer. “That was a root and branch change for the company in every aspect”, he notes. Today, EA’s online revenues are growing 30% annually.
Mott believes that the importance of information security has always been on the agenda at EA. “The first principle of my role is to protect the core asset: our intellectual property.” It was in 2008 that Mott considers the security landscape became “extremely volatile and very unpredictable”, mostly as a result of increasing multiple attack vectors.
In 2003, the EA security department was made up of a team of six. Today, Mott leads a team of 50 dedicated full-time personnel within the company. In addition to full-time security staff, Mott oversees a program of sentinels – staff who aren’t employed in a security capacity but who are advocates of what the information security team is trying to do. Mott took this idea from Yahoo!, which has a similar program called paranoids. “They are basically advocates within the business that help to deliver the security mission”, he explains.
“They have specific formal objectives and tasks that are assigned by the central security organization to look after particular elements of the business units”. If you include the sentinels in the count, Mott leads around 150 employees in the information security movement.
One for All
Working as part of a greater team is an objective that Mott has externally, as well as internally. He talks passionately about industry sector collaboration and the importance of “coming together in a more formal way”. Current obstacles, he explains, include legal barriers around sharing information and intelligence. “We need to become a little bit better as an industry at looking after each other.”
If a gaming company suffers a data breach, then it impacts the rest of the industry, says Mott. I ask him to tell me more, and he obliges. “People tend to use the same user name and password for all of their accounts. If one million accounts are hacked on one gaming site, those details will be circulated and used in attacks against other gaming sites. Those one million accounts suddenly become so much more valuable to the hacker.”
|There are two types of CISO, he tells me: “Those that have been attacked, and those who don’t know they’ve been attacked”
In these situations, it would be straightforward and logical, Mott details, to collaborate with the rest of the industry: “We [could do] a search and match and [if] we found the same consumer name and password [used for a different account], we could advise the consumer to change their password and user name to protect their account.”
It’s clear that as Mott talks about this, the Sony PlayStation breach from April 2011 is at the forefront of his mind. “It didn’t just hurt Sony, it hurt the whole industry”, he says, confirming my suspicion. “And it continues to do so – that was the first time that the gaming industry had the wake-up call.”
It shouldn’t have come as a surprise though, Mott laments. Gaming companies have moved from producing software to effectively becoming online banks. “There’s the e-commerce component, providing the payment method. We’re also managing consumer accounts, so there’s lots of personal information that’s being stored and processed, in addition to people’s social identities”. It is for these reasons, admits Mott, that EA has become as large a target as a bank or defense company.
On the topic of industry collaboration, I ask Mott whether espionage is a big threat in gaming. Considering the importance of intellectual property, one would assume that it would be. “I’ve never seen any evidence that we face an espionage threat from rival companies”, he responds. “I work fairly regularly with my peers, which we consider our competition, and I don’t see any sort of inference of any risk around that.”
While the threat of espionage might not be a primary concern for Mott, the insider threat – however – very much is a source of anxiety. “Eighty percent of staff [at EA] work in product development, and are, by definition, technical”, he observes. “They therefore have a very good understanding of what the risk is because they’re developing the code line by line”.
While that’s advantageous for those who have good intentions, it could work against EA in the cases of those who don’t. “We do get the odd case where we’ve got someone who thinks it’s acceptable to take something that’s proprietary to EA away with them and start their own business – that happens in every business. You always get bad apples, right?”
Mott explains that a good proportion of EA’s threat comes from their supply chains, but agrees that the insider threat “is the hardest thing to factor against. Your first assumption has to be trust. Everything after that is incident-based”.
How He Rolls
Every CISO has their own ideas about how best to secure their organization. Mott is very clear about what he doesn’t believe in: security policies and classroom security education. He later expands on this, explaining that he isn’t totally against security policies, more that he doesn’t believe they achieve a great deal on their own. “I think there are a lot of other things that you want to be doing before you start drafting policies”, he clarifies. “Producing hundreds of policies just dilutes the whole effort. People become numb and the complexity [of multiple or lengthy policies] kills the intent.”
The most crucial part of policy making, explains Mott, is ensuring that it addresses the real – as opposed to the perceived – threat. “You need to be able to explain how a policy will generate revenue, make jobs easier, and the environment a little bit more pleasant and safe. If you can’t do that”, Mott says honestly, “then it’s a policy that’s never going to work.”
After the Sony breach, Mott analyzed the EA information security policy for relevance. “The very next day [after the news of the Sony breach hit] I was called to see the CEO.” It was only the third time Mott had met him. “He’s now definitely on my back in a good way, as he should be. He wanted to know what had happened [at Sony], and critically, could it happen at EA, and what were we doing to make ourselves secure against that type of attack?”
As it so happened, Riccitiello had a right to voice his concern. In June 2011, EA suffered the same fate as Sony and fell victim to an attack that exposed nine million customer accounts. Mott volunteered this information to me before I had a chance to ask, which – in my opinion – is a sign of strength. “I’m not a CISO with a clean bill of health”, he admits. “It was not a pleasant experience, but any CISO should go through it to understand what it feels like.”
There are two types of CISO, he tells me: “Those that have been attacked, and those who don’t know they’ve been attacked”.
EA had the detection controls in place to know that an incident had occurred, and the team was able to look at what happened to the asset that was stolen – in this case, it was a financial attack.
“Like any breach, it could have been protected against”, he admits. “It would be unforgivable to get caught on a basic vulnerability, like a SQL injection attack, or if you’ve got core assets, data, or intellectual property that you’ve exposed to the public internet because you didn’t upgrade your software – nowadays that is unforgivable.”
The attack that EA faced, however, was “particularly sophisticated”. Even with hindsight, Mott is not convinced that he could have prevented it, but says that lessons have been taken from that incident.
The Breach Before the Storm
Within two weeks of the Sony breach hitting the headlines, information security was the first item on the agenda at the EA board of directors’ meeting. The board, says Mott, sit in Silicon Valley and are “technology people”. For that reason, “they completely get security risks. Our CEO has a very deep understanding too”. Mott remembers their meeting immediately after the Sony PlayStation breach. “Either he read up on [information security] very quickly, or he always had a technical understanding of the risks. “I wouldn’t be working here if I didn’t think that our CEO and the company took [information security] seriously”. Mott hopes that this reflects the company’s recognition that the information security program is relevant to what EA is trying to achieve from a business perspective.
Talking about information security in business language is essential to the company’s buy-in, Mott explains. “What we’re doing has to support revenue generation, business services and our employees in their day-to-day job. [If it does this] it becomes a pretty easy discussion.” At the executive level, talking about revenue and reputational risk is a pretty straightforward conversation, asserts Mott, who prefers this tactic to that of scaremongering.
He takes a similar approach with educating EA staff. “We have a roadshow event which goes around all of our big product development sites. We set up an internet café in the restaurant area – people can bring their laptops, get them checked out, get a virus taken off, or something like that. We call it a security café, and we serve coffee and cake and discuss with employees what we could be doing better.”
Mott believes that creativity is one skill that all CISOs should have on their resume. “The more innovative, creative and adaptable you are, the more successful you’re going to be”, he declares. “Today’s security café works for us, but tomorrow it might not work, so we’ve just got to re-evaluate what’s the best way of doing it.”
Putting it into Perspective
Mott is responsible for the security of one of the world’s most successful gaming companies, in an industry that only nine months ago suffered one of the most notorious security breaches to date. This must be a man with a good portion of the weight of the world on his shoulders? “Nothing keeps me awake at night”, Mott laughs. The reason? “In my job, I don’t save lives. I work for a gaming company, and of course, security is important to the business, but in the grand scheme of things – and the world order – it’s not important.” Having said all that, Mott admits that he does worry about things, and at the top of that worry list is complexity.
“It’s organizational complexity, threat landscape complexity, the numerous different attack vectors that we face now”, Mott says. “Whether it’s cyber threat, advanced persistent threat, insider threat, disaster recovery, threats to your supply chains – what you now have to have in your skill set is just so big and so complex that there’s no individual person that can do it.”
Back to that worry list. After complexity, Mott’s next biggest concern is ubiquitous connectivity. “By that, I mean connectivity that you can and can’t see. Unless you know who’s connecting to your network, or who’s engaging with the business, our biggest threat has often come from things that we don’t know about, or haven’t seen.
His risk management agenda isn’t based on his worry list however. Instead, he chooses to allocate his budget based on four things:
- Industry standards and business requirements
- Regulatory requirements
- Risk assessments
- Security threats and breaches
“It is around these four things that I take my pool of money, assign resources, responsibilities, roles and technologies – everything I need to support that allocation of funds”, he reveals.
Every CISO, Mott insists, should know what the benchmark funding is. “Take a rationalization of how much ground you’re expected to cover as CISO, and then either tune up or tune down that benchmark. The benchmark needs to be a combination of the different authoritative sources; for example, x% of global IT spend, or x% of the company revenue, should be spent on risk management.”
Mott Against Threat
Mott brings to our meeting a list of what he considers to be the 22 most challenging threats that he is up against. I ask him for his top three. Number one, he tells me, is unquestionably cybercrime. “More specifically, the sophistication we’re seeing in online threats and advanced attacks”, he adds.
Second on the list is consumer information protection. “Consumers are very sensitive to their own personal information leaking now, so you’ve got to treat it the same way you do payment card information”.
Third, he lists the protection of intellectual property. “It’s no secret that we’re seeing a lot of attacks on our intellectual property from China”, he says.
|"We need to find ways of attracting more people into the business….we’ve got hundreds of thousands of people who know how to hack, and only a handful of people who know how to protect"
Mott can’t resist listing one more threat, which in the long-term may just prove to be the most damaging of all. “Talent within the security industry is becoming increasingly difficult to find, particularly deep technical talent. As an industry, we need to find ways of attracting more people into the business. So many thousands of young people are taking certified ethical hacker courses, but we don’t generate any interest in doing courses teaching students how to protect your system. So we’ve got hundreds of thousands of people who know how to hack, and only a handful of people who know how to protect.” This is a very real and startling threat to the industry.
Man on the Move
When Mott and I meet, he has been living back in the UK for just over a month. He’s British, but has spent time living and working in California and Zurich, Switzerland, during his tenure at EA. “It’s very important to get international experience and spend time at HQ. To be able to wander over to your C-level officer’s desk and have a casual discussion about something, or get their buy-in, is very beneficial.
“You also get to see how the business runs in different cultures and different regulatory environments, which is very important for the CISO role”, he explains.
“On a personal basis, I find it very fulfilling”, he says of his experience living in different countries. “My travel schedule is pretty hectic – I spend 60% of my time travelling. You need a very good support network at home to be successful”, he says with a smile.
A lot of his travel takes him to Bucharest, Romania, where 60% of his information security team reside. In 2009, Mott set up a security operations team to deliver all of the traditional central security services. The decision to set this up in Romania, he says, was an easy one. “It’s cost-effective, but from a talent perspective, we can hire some very, very good security talent in Romania”.
This team is responsible for all level-one response and everyday repeatable tasks, freeing up Mott’s subject matter experts to concentrate on the specialist tasks. “It was an opportunity to get very dedicated staff – people that really value their job. Of course, Romania is cheaper than hiring in the UK, but that wasn’t the major thing. The major thing was the talent.”
Mott reports into the CFO, and has four directors report into him. The four directors head up the four security pillars in the business: intellectual property protection; governance risk and compliance; corporate security; and program ‘Aphelion’ – a code name for EA’s response to cyber threats. The Romanian security operations team then sits as a horizontal beneath those vertical pillars.
In fact, it’s the launch of the Romanian security operations team that Mott considers his biggest achievement at EA. “That was a game-changer for us”, he says. “It allowed all my specialists to focus on their specialization, and the talent development is really satisfying.”
Coming a close second in his achievement hierarchy is the program EA runs in North America called ‘year up’. The program gives disadvantaged young people work experience for three to six months. “Being involved in that program is probably the best thing we ever did for society. I think any CISO should have a bigger goal around what they do. It might be at a community level, it might be at an industry level – it might be even as high as a society level.”
With such admirable achievements under his belt, I ask Mott whether it’s time to move on to a new role with new challenges. “The minute I think my work is done here and the succession plan is in place, it will be time to hand over the reins”, he reveals. “Maybe one day I’ll wake up and just feel a little bit de-motivated. That’s when it will be time to go.”
Mott assures me that he doesn’t feel like leaving at the moment, “but, you never know, tomorrow might be that day”, he answers honestly. “There’s still a great deal to do in a very dynamic threat environment. We haven’t finished our work by any means, not that we ever will finish it”, he considers.
When the day does come to check out of EA, Mott predicts it will be a start-up that will lure him. His entrepreneurial ambition would remain in the realm of the information security industry he tells me, insisting, “I’m not going to make fairy cakes or anything.”
He also allows his ambitions of teaching or writing to be spoken aloud. “I don’t know how I’m going to get the time, but that would be something I’d like to end up doing.” I have no doubt that with his experience, intelligence, and easy-going and kind nature, Mott would make a wonderful teacher. In the ninety minutes I spent with him, I sure learned quite a bit. Until then, EA can consider its Jedi’s and battlefield heroes safe in the hands of a dedicated and experienced CISO.
MOTT'S SEVEN RULES OF A SECURITY PROGRAM
- Accept, act and tone: “Management need to make a conscious decision to do something tangible. They should live and breathe as if it’s important to them”.
- Invest time and money
- Human resources: “Find a really strong leadership team to manage the security program”.
- Strategy: “The key is to have a plan that is different from everyone else’s plan. Many CISOs will pick up a traditional security framework and apply it – hackers know these frameworks too. You also need to separate out the hygiene stuff from the true progress. Make sure the IT department is getting it right. An IT department can make a security group look, quite frankly, bloody awful.”
- Execution: “You’ve got to really nail that strategy.”
- Persistence: “Be dogmatic and persistent”.
- Adaptability: “Don’t become too rigid – adapt and change so you don’t become predictable”.