For years, Verodin has been working closely with customers representing the casino and gaming industry. Like in most industries, cybersecurity is a concern — especially in terms of its impact on the core business. The industry needs to protect sensitive data and mission-critical systems while thwarting fraud and related criminal activity.
With the gross gaming yield of the global casino market generating over $100 billion (and ever-growing) and over 1,000 casinos operating in the U.S. alone, it’s no wonder they're being targeted by nefarious actors leveraging cyber attacks. Attackers can target sensitive data such as confidential high-roller and rewards program databases, the integrity of gaming systems, and the availability of casino management systems such as those used for slot accounting, player tracking, marketing, customer service, mobile applications, IoT, and social media. From sensitive data theft to company downtime, cybersecurity issues can detrimentally impact brand, operations, and revenue.
In order to address brand, operational, and financial risks associated with cyber attacks, casinos have been making investments in cybersecurity tools and services, even going as far as forming cybersecurity alliances. The Retail Cyber Intelligence Sharing Center (R-CISC), for example, formed the Gaming and Hospitality Cybersecurity Alliance (GHCA) in 2018 to share information on intelligence for the mitigation of breaches, fraud, and related cyber attacks.
“Recognizing we are stronger acting against bad actors together, our goal for the GHCA community is to build trust and share information and actionable intelligence, which will strengthen not only each company but our industries,” says Scott Howitt, SVP and CISO, MGM Resorts International, R-CISC Board Member, GHCA co-chair.
Unfortunately, cybersecurity investments often don’t lead to reduced cyber risk and thus are not protecting the business effectively. This isn’t because we have invested in bad tools or our people aren’t well-trained; it’s because cybersecurity has had a long history of not being aligned with business operations or measured like other strategic business units.
The result is that we don’t really know what cybersecurity tools are adding value. We don’t know what can be retired or what investments should be prioritized. We continue to waste time, money, and resources for cybersecurity, but without a platform in place to prove where cybersecurity tools are actually adding value and where gaps exist, we’re basing decisions on assumptions and thus not effectively mitigating cyber risk or business risk.
David Tyburski, CISO for Wynn Resorts and its retail offerings, advises that you avoid talking to senior management and the board about “security.” “You need to relate everything to them in business terms,” he says.
The Verodin Security Instrumentation Platform (SIP) is a business platform for cybersecurity that enables you to manage, measure, improve, and communicate cybersecurity effectiveness based on data-driven evidence. Verodin SIP lets cybersecurity teams optimize and validate cybersecurity tools. SIP also up-levels the cybersecurity conversation to a business-level discussion so that non-technical and non-security business leaders, including boards, can consider the business-relevant aspects of cybersecurity and cyber risks in their decision-making process based on quantitative, evidence-based metrics.
Verodin SIP is an on-premise and/or cloud-based solution. Users safely operate SIP within the casino’s production environment to test endpoint, network, email, and cloud cybersecurity tools as well as test services such as MSSPs. SIP enables cybersecurity teams to:
- Measure the effectiveness of cybersecurity tools and their configurations, particularly those in production but also tools being evaluated
- Prescriptively optimize those cybersecurity tools
- Validate that the cybersecurity tool optimization had the desired outcome
- Automate environmental drift analysis to ensure that what was working stays working
- Communicate the state of cybersecurity effectiveness to leadership
Verodin SIP helps casino leadership understand the value the cybersecurity team is delivering using evidence. It highlights which security tools can be safely retired, points out where tuning is necessary, identify gaps, and shows how investments should be prioritized. Executive-level reporting helps make technically complex security metrics understandable from a business perspective so that decisions can be made more efficiently and effectively while arming cybersecurity analysts with the technical details needed to optimize the security stack.
Cybersecurity is a business imperative for casinos. SIP is about helping to make the right investments and gleaning continued value from cybersecurity tools that enable the business. By managing, measuring, improving, and communicating cybersecurity like we do with other strategic business units, we can better align cybersecurity with business imperatives. With a business-centric approach to cybersecurity, cyber risk will be reduced while also minimizing wasted resources. The result: financial, brand, and operational risk reduction.