www.scmagazine.com/uk/news/article/741231/interview-adr -
[Cached Version]
Published on: 10/1/2000
Last Visited: 11/2/2007
Interview: Adrian Asher | full story
...
You are here: SC Magazine UK > News > Interview: Adrian Asher
...
Interview: Adrian Asher
...
The first thing I did when meeting Adrian Asher was to try and work out his age.It's not often in this business that you meet someone who not only looks shockingly young, but actually is.It turns out that the global head of security at online gaming hub Betfair is a mere 29 years old, which means he doesn't know a world without PCs, multi-channel TV or indeed, online betting.He can probably recall the days before the internet, but only just.
Asher has been with Betfair for some four years now, having started out in applications security.He was employee number 400, he says of his place in the company, which now boasts three times that number of employees globally.Betfair.com operates in 17 languages and continues in its quest to have a presence wherever it is legal for people to bet online.
Asher is soft-spoken and comes across as rather shy.I get the impression he feels slightly uncomfortable being the centre of attention.But once he gets going it's clear that he has plenty to say.And he gets to the big picture fairly quickly.
"One thing I've noticed in the past three or four years is that senior directors, even CEOs and CTOs, are beginning to understand and use risk management much more as a tool," he starts.
...
It simply can't afford to go down and the threat never ceases, as Asher goes on to explain.
"There's always a level of background noise.Every day, we get people scanning us, knocking on the door.There have been a number of big distributed denial-of-service (DDoS) attacks over the past few years, but the type of attacks are changing.Specific, low-generation systems are being targeted," he says.
"Attackers will try and hit a specific page, like logon, or 'market view' in our case, to see whether or not they can make you do lots and lots of database calls or CPU-intensive processes.It may only be one request, but that request might take a couple of seconds to honour, and then they start sending thousands of them.Because we execute tens of thousands of transactions a second, it's very hard to differentiate between an attacker trying to overwhelm you and one of our bigger users that's trying to get the market prices as quickly as they can.But a lot of the stuff that would cripple other companies we don't even notice because it's just part of the background noise."
Asher explains that being able to keep attacks to the equivalent of internet chatter is largely due to the resources he has at his disposal and the importance that senior management now place on security.And, he points out, in the gaming industry - never "gambling", by the way - customer confidence is paramount.Betfair recently became the first online gaming outfit to gain an ISO/IEC 27001:2005 standard for information security management systems."I'm expecting that our customers will seek solace in the fact that we have got a proven trust mark we can display to the world, saying we value security and have a world-class system," he enthuses.
Whatever your views on gambling, there is no doubt that Betfair is a UK success story, and one that turns over some big numbers.Asher, who came from security at investment banking houses, is quick to point out the comparisons to the trading world.
"The London Stock Exchange (LSE) is not as big as us.We do more transactions per second, we do it in real-time settlement, and we do transactions 24 hours a day," he says, with some pride."The LSE has the luxury of end-of-day trading.It can back up, maintain, and upgrade its systems.We're a 24/7 operation, so for us to have an hour to be able to just stop the world while we upgrade would be a luxury."
The responsibility of maintaining total security on what is, in effect, a global system of trading bets is certainly a large one.Asher has the demeanour of a man who would never press the panic button - no doubt one of the reasons why he was hired - but are there times when he lies awake at night worrying?
...
There have been people who started out as developers and want to get into security, and we will help them understand what security is, but we need to have subject matter experts in the team," Asher insists.
...
Asher only has one woman working for him at the moment, in the area of compliance and PCI.
Nevertheless, he truly believes that what he and his team are doing at Betfair is leading the industry and that other businesses and vendors can learn from their methods.He sees it almost in terms of a real-world laboratory, pushing back the frontiers of the science of information risk and security.He gives an example:
...
Asher maintains that manageability and reporting are usually among the last things to be considered when a product comes to market.Security professionals, he says, need to be able to provide evidence of their effectiveness with much more management information, including the trend of attacks coming in.
"Cable & Wireless now have a DDoS managed service and give us quarterly reports on what the industry, as they see it, is getting in the way of attacks.So, not only am I now seeing what types of attacks banks are getting, I'm able to compare them against the type of attacks we're getting.The reporting and management has improved, but it still has a way to go," he says.
"In an ever-changing market, you can't just have a standard solution.You have to be innovative and adaptable.A lot of vendors have said to me: 'Our solution is compliant with Sarbanes-Oxley,' and I replied: 'Firstly, we don't need to comply with that, and, secondly, how is your solution actually compliant with that?'" he says."Because, actually it is all about audit ability, transparency and a lot of devices don't deliver any of that, so all vendors are doing is jumping on the compliance bandwagon".
Still, compliance is an issue and there is already a head of steam building behind demands for California-style disclosure laws to be introduced in the UK.Asher concedes that there are hidden benefits to the bad publicity surrounding lost laptops and other data breaches.
"NatWest had that happen recently to an encrypted laptop.I like the fact that the news came out, because it taught the public about encryption, and it began to educate consumers about risk management.We're not going to stop every laptop from being stolen, but we can make sure there's no data on it and, if there has to be data, we'll make sure that nobody can get at it," he says.
"The real problem is that that takes a while to update the public's belief system.Phishing is still a hugely viable industry because consumers aren't educated enough to understand the dangers," Asher adds."Businesses are to blame for a large amount of that by not having a proper email policy in place.The banks got hit first and over time they've evolved, but there are other people out there that need to update their game.When we send out emails here, we've already written a style guide, so that when the marketing team sends out a mass mailing they cannot be mistaken for anything other than genuine emails, and we have an awareness campaign for our customers."
Could Asher be the prototype CISO of the future?The one we all increasingly talk about, who understands the business, can boss the vendors about and get what he wants, because he believes in the business and wants it to compete.His final remarks would have you believe this could well be the case.
"It's not just about security delivering what the business requires in a secure fashion, it's not about having IT wagging the dog or driving the agenda.Security can also help in anticipation of future business goals," he says.
...
Probably a bit of both, but it was unlikely to be a punt, as Asher is no gambler.He doesn't bet.He doesn't use the services his employers so successfully offer to those who think they can second-guess events.But he does have one weakness.
"I like playing poker," he admits.
22 online sources [ view sources ]
Profile is not claimed [ claim profile ]
