Four questions for a casino InfoSec director

Recent cyberattacks at MGM Resorts and Caesars Entertainment have put the spotlight on cybersecurity practices at casinos – and the importance of educating employees on social engineering tactics.

With the CSO50 Conference + Awards coming to the We-Ko-Pa Casino Resort in Fort McDowell, Arizona, October 2-4, we asked Bill Tsoukatos, Information Technology Director at Fort McDowell Enterprises, which owns the resort, to tell us what it’s like to manage IT security at a casino property. Read on for his thoughts on AI, zero trust, and more.

How has the job of a casino security leader changed as games have become digitalized?

Interconnectivity of gaming systems have physically transitioned from serial-based connectivity to Ethernet-based standards over the years, allowing potential hackers easier access to the gaming and/or corporate network. Physical security of the Ethernet/fiber cabling, along with the switch hardware interconnecting today’s casino floors, has become a much bigger focus of IT security teams as direct physical access can often be the starting point for unauthorized access. At the same time, gaming systems have become built around large player databases requiring layers of network and application security to prevent data breaches or loss.

What’s on your data dashboard as the most important metrics?

From an IT security perspective, dashboards of the past were traditionally used to indicate metrics like system status (i.e., online, offline) or uptime; however, the most important metrics today are those that indicate abnormal trends or indications of compromise. Today’s networks are often evaluated for baseline trends and performance, typical traffic patterns and flows, and similar metrics defining “normal” behavior. IT security teams want to be notified of any abnormal behavior to evaluate and potentially mitigate any potential threats or attacks as quickly as possible.

How do you defend the casino against attacks such as breaches, ransomware, or insider threats?

It really takes a layered or multi-tiered approach to IT security to protect against cyberattacks from the use of traditional tools like firewalls, endpoint protection, patch management, web filtering, and backups to more advanced tools like two-factor authentication, point-in-time disaster recovery applications, and air gap/immutable backup solutions. As learned from recent cyberattacks, user education has become a critical component to protecting against these threats as well. Educating end users on how to detect a phishing scam or social engineering tactics may be the most important element in mitigating most cybersecurity events.

What emerging technologies are you most excited about?

From a gaming perspective, I am most excited about some of the cashless gaming solutions I’ve seen. For example, being able to move from slot machine to slot machine using a digital wallet stored on your phone. From an IT security perspective, I am most excited about the zero trust framework and how the concepts behind it are helping technology professionals worldwide build a more secure network and application infrastructure. From a general IT perspective, I am most excited about the emerging use of AI and how it may be leveraged to automate certain tasks, increase productivity, and improve service to our guests. It’s already pretty good at helping with math homework.

Don’t miss out – register now for the CSO50 Conference + Awards, happening October 2-4.