TribalNet: Self-identified hacker offers cyber-security advice

September 14, 2022 5:03 PM
  • Buddy Frank, CDC Gaming Reports

In case you haven’t heard it before, CISO is an acronym for “Chief Information Security Officer.”

Glenn Wilson holds that title with the San Manuel Band of Mission Indians (who operate the Yaamava’ Resort & Casino in Highland, CA, and the Palms in Las Vegas). However, Wilson introduced himself as a “hacker, a good one, but (still) a hacker.” That’s one of the many terms, along with ransomware and cyber warfare, that have casino management nervous these days.

Wilson used humor to make many of his points in his packed seminar, “Cyber/IT Audits,” at TribalNet 2022. He quipped, “When you hear someone say, ‘We’ve been the victim of a very sophisticated cyberattack,’ it really means that some fool clicked on an email they shouldn’t have.”

While everyone agrees that a perfect system is impossible, Wilson said organizations need to define three important points on the way to getting better at cyber security:

  • What do I have of value?
  • Who wants to steal it?
  • How should I protect it?

He noted that the more formal terms for those three are asset valuation, risk identification, and risk treatment.

He pointed out that many organizations have little idea of the value of information. He showed a slide of an ocean, which he said represents the massive amount of data generated by casino systems each day. He emphasized that it is the responsibility of everyone in the operation, not just the IT team, to properly value that data. He underscored that point, saying, “The data owner is responsible for the value of the data.” And he quoted Frederick the Great, who said, “He who defends everything protects nothing.”

Wilson highly recommended a scoring method for assessing cyber risk and gave the attendees some checklists for continuous and accurate reporting.

When it comes to improving defenses, he said three departments are critical: IT, IS (Information Security), and Audit. He said none of these departments should report to one another.

In developing a plan for improvement, he cited five levels of preparedness: Initial, Developing, Defined, Managed, and Optimized. Most organizations should work toward the Developing and Defined states; the tech giants may achieve Managed, but those few that claim they’re Optimized are either lying or naïve, he explained.

Wilson’s summary slide had four points. First, start with the crown jewels. Second, use a program approach and a common yardstick. Third, rather than “one and done,” cyber-security efforts should be continuous. And fourth, find a simple way to clearly communicate the good and the bad.