
Philadelphia Security Operations 2011

CISO EXECUTIVE NETWORK

Philadelphia Security Operations Breakfast Series

Thursday, April 28, 2011

8:00 am - 12:00 noon

ReedSmith

Speakers

Paul Bond, ReedSmith

Patrick Kenny, Bit9

Anthony Costa, INTTRA - on behalf of Tripwire

Don Gray, Solutionary

Member Discussion Leader

Ron Schlecht, Penn National Gaming

Member Ron Schlecht Discusses Security Operations

At Penn National Gaming, security operations are split between Ron Schlecht, corporate information security, and the Director of corporate IT infrastructure. “Both of us are direct reports to the CIO,” Ron explains.

One of the challenges Penn National Gaming faces with regard to security operations is that each of the multiple company-related sites has to adhere not only to common security standards and audit standards, but also to jurisdictional gaming regulations. He also has to coordinate security operations with all of the IT directors at the major sites, which would be the casinos Penn National Gaming operates. “Responsibility is pretty well spread out between myself and those people out in the field,” Ron says. “Obviously, their goal is to run the organization and operational IT functions. Where I come into play is that I do all of the assessment work and the baseline guidance to follow.”

Monitoring is outsourced through a managed service. “Every one of the sites needs to have monitoring as part of their security arsenal. It is negotiated so we have a baseline standard for what must be monitored and how it must be monitored. Then we work with the vendor to implement the standard.”

Detection follows the same methodology as monitoring, only with more diverse tools.

Response and remediation are approached a bit differently. “We don’t have a large response function because we don’t see as many issues as you might think as a casino operation,” Ron explains. Response is a centralized function, taking a team approach with representatives on site who are available if something happens. “I take on the high-level stuff and deal with it as necessary, but mostly I wait in the wings, waiting until my office is needed.”

When it comes to making security operations more efficient and relevant to business operations, Ron says it is difficult to do. “We’re very much focused on the bottom line, being a subset of the entertainment industry. What we’d consider a loss or a major risk is set very high because of the volume of money we deal with,” he says. But dealing with the business drivers is more difficult, because, as Ron says, a gambler isn’t going to be concerned with how secure our networks are.

But Ron does have concerns about security and the network, particularly issues involving PCI and other compliance matters. “We need to be able to show how structuring our security operations and creating an efficient framework takes away from how much we’re spending on audit activities.”

His advice for approaching security operations? Be realistic, he says. “Know the business you are in and which business necessities need to be taken care of.”

Ronald Schlecht handles corporate information security for Penn National Gaming.

 

Attachment: CISO EXECNET PHL APR 28 SEC OPS PRESO.pdf (23.61 MB)