Information security should not be considered solely a technology issue; it should feature at every level of operation for a business.
That was a key message shared by Diane Abela, Director of Information Security at Gaming Innovation Group (GiG), in conversation with SBC News about how the company is delivering the most comprehensive security measures for its partners.
Just last month, GiG demonstrated its commitment to the most stringent of security measures by collecting the ISO 27001 certification for two of its frontend development products.
The certification, Abela explained, acts as a testament to the effective underlying processes and approaches to information security that are in place at GiG. “ISO 27001 is a bit different to what usual audits are in that it is not a ‘point in time’ kind of audit,” she said.
“Usually, most auditors come in and assess your security controls – i.e. what it is that you are doing to protect your data at that point in time. There is then a report and certification based on the results.
“However, ISO 27001 goes a step above and beyond in that it assesses your underlying processes and approaches to security. I would say that it exemplifies a state of mind. It assesses whether, as a company, you put security at your very core.”
“It takes into consideration whether you are continuously assessing your controls, not just at that point in time but also in the near future. It looks at whether as a company you are looking to see if your controls are still effective, whether they still work.”
In addition to its front-end development products, GiG has also received the ISO 27001 certification for its core platform product as well as GiG Data. But why is receiving this accreditation so important? The answer, said Abela, lies in ‘emerging risks’.
She continued: “The reason why the framework behind the ISO 27001 standards is important and why we went for this type of certification is because a continuous reflection of your controls is fundamental.”
“Risk is constantly being introduced in our organisation – whether it’s because you’ve changed your business processes or you’ve decided that as a gaming company you’re going to enter a new market, or even if it’s because a bad actor comes up with new malware. So, security measures that work today might not work tomorrow.”
“That is why it’s so important that you are continuously measuring whether your controls are still mitigating your risk. ISO 27001 certifies that you are doing just that. It certifies that you have those processes and that mentality in mind.”
Throughout its whole business model, security is paramount for GiG and its partners. Forming part of the company’s strategic priorities, Abela shared that information security runs throughout every core process – from day-to-day activities to training.
To ensure that clients benefit from the security measures in place, GiG takes a collaborative approach to creating new products – drawing upon the expertise of multiple teams.
“If we were to add a new feature to our product such as a new regulatory requirement that our clients need,” said Abela. “It’s not just the compliance and tech teams which are involved in creating this feature. It’s also the security team.
“We’re there from the start to make sure that when this feature is designed, it has security in mind from the start rather than leaving it until later. New kinds of vulnerabilities are being introduced on a daily basis and attacks are occurring round the clock.
“To combat this, we are constantly testing our products to make sure they are not susceptible to these kinds of threats. We’re also monitoring our products so that if we’re under attack and that someone is trying to compromise our systems, we are monitoring so that we can respond.”
In essence then, security is a core part of the GiG culture. But when it comes to the specific security issues that operators may face, challenges may arise when gaming companies try to emulate the land-based experience online – which Abela acknowledged can require an investment when it comes to creating a secure player experience.
“The way I see it, it is part of an operator’s responsibility to also secure that player experience. It comes down to the operator to ensure that when a player is providing them with their identification data, that that data is secure,” she said.
“They also need to ensure that there is no tampering when a player makes their deposit or when they are playing games online. Operators need to make sure that the player experience is secure. This entails quite a lot of work and investment to ensure that you have the controls in place to secure and monitor the player experience.
“I think this is where GiG comes in. GiG is a great partner for our operators because when making use of our products and services, we do a lot of this for them. Our security team is constantly working to add ways to enhance and support player security. We have a team monitoring for threats and attacks, so that if a security attack occurs we capture it as early as possible, to have as little impact as possible.”
When pressed on what her top tips would be for organisations looking to improve their security capabilities when developing new products, Abela’s number one recommendation was that security becomes a core part of the company strategy.
Information security, she explained, should act as a balance between risk and reward when looking to achieve new business goals, and become a supporting feature when collaborating with new stakeholders.
She concluded: “Invest in information security – don’t treat security as a tech issue. You can have the most secure tech in the world, but if your processes are not secured and your employees are not trained in security then there is no point in having that ultra-secure technology. Security needs to be present in every tier of your business.”