The first thing I did when meeting Adrian Asher was to try and work out his age. It's not often in this business that you meet someone who not only looks shockingly young, but actually is. It turns out that the global head of security at online gaming hub Betfair is a mere 29 years old, which means he doesn't know a world without PCs, multi-channel TV or indeed, online betting. He can probably recall the days before the internet, but only just.
Asher has been with Betfair for some four years now, having started out in applications security. He was employee number 400, he says of his place in the company, which now boasts three times that number of employees globally. Betfair.com operates in 17 languages and continues in its quest to have a presence wherever it is legal for people to bet online.
Asher is soft-spoken and comes across as rather shy. I get the impression he feels slightly uncomfortable being the centre of attention. But once he gets going it's clear that he has plenty to say. And he gets to the big picture fairly quickly.
"One thing I've noticed in the past three or four years is that senior directors, even CEOs and CTOs, are beginning to understand and use risk management much more as a tool," he starts. "The big change is that the business people have a better understanding of risk management and the technical people have got to grips with the business side of things much more. To get that communication going has been encouraging."
And Asher knows how to present his case. "I always refer to what we do as information security, mainly because when you go to PR or marketing people, for example, and you say IT security, they think about a server or device," he explains. "By calling it information security, you get into their heads that it's about the data, our core business asset."
This is probably more relevant in a business such as Betfair, which relies on real-time events and data for its revenue. If its sites are knocked over just before a major horse race or football match, it's in big trouble. It simply can't afford to go down and the threat never ceases, as Asher goes on to explain.
"There's always a level of background noise. Every day, we get people scanning us, knocking on the door. There have been a number of big distributed denial-of-service (DDoS) attacks over the past few years, but the type of attacks are changing. Specific, low-generation systems are being targeted," he says.
"Attackers will try and hit a specific page, like logon, or 'market view' in our case, to see whether or not they can make you do lots and lots of database calls or CPU-intensive processes. It may only be one request, but that request might take a couple of seconds to honour, and then they start sending thousands of them. Because we execute tens of thousands of transactions a second, it's very hard to differentiate between an attacker trying to overwhelm you and one of our bigger users that's trying to get the market prices as quickly as they can. But a lot of the stuff that would cripple other companies we don't even notice because it's just part of the background noise."
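The difficulty Asher describes above, telling a client that floods an expensive page apart from a large customer that simply polls prices very fast, comes down to what a limiter measures. The following Python is an added illustration, not code from the article or from Betfair: it assumes a constructed access-log format (`ts=<sec> client=<ip> path=<url>`), a constructed per-endpoint cost table standing in for measured backend time, and two constructed clients. It contrasts a plain request-count limiter, which flags the heavy legitimate user, with a cost-weighted one that flags only the client burning backend time on the expensive logon page.

```python
from collections import defaultdict, deque

# Constructed per-endpoint cost table: assumed seconds of backend work each
# request consumes. Real values would come from profiling the application.
ENDPOINT_COST = {"/logon": 2.0, "/market_view": 1.5, "/prices": 0.01}
DEFAULT_COST = 0.05

LEGIT = "10.0.0.1"     # constructed: a large customer polling prices rapidly
ATTACKER = "10.0.0.2"  # constructed: a client hammering the expensive logon page


def build_sample_log():
    """Constructed access-log lines of the form 'ts=<sec> client=<ip> path=<url>'."""
    lines = []
    for i in range(1500):                     # 1500 cheap price polls in 10 s
        lines.append(f"ts={i * 10 / 1500:.4f} client={LEGIT} path=/prices")
    for i in range(20):                       # 20 expensive logons in 10 s
        lines.append(f"ts={i * 0.5:.4f} client={ATTACKER} path=/logon")
    lines.sort(key=lambda l: float(l.split()[0].split("=")[1]))
    return lines


def parse(line):
    """Split one constructed log line into (timestamp, client, path)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return float(fields["ts"]), fields["client"], fields["path"]


class SlidingWindow:
    """Per-client sliding window of (timestamp, weight) entries."""

    def __init__(self, window_s):
        self.window_s = window_s
        self.entries = defaultdict(deque)

    def add(self, client, ts, weight):
        """Record one request and return the client's total weight in the window."""
        q = self.entries[client]
        q.append((ts, weight))
        while q and q[0][0] <= ts - self.window_s:   # drop expired entries
            q.popleft()
        return sum(w for _, w in q)


def flag_by_request_count(lines, window_s=10.0, max_requests=100):
    """Naive limiter: flags any client exceeding max_requests per window."""
    win = SlidingWindow(window_s)
    flagged = set()
    for line in lines:
        ts, client, _ = parse(line)
        if win.add(client, ts, 1) > max_requests:
            flagged.add(client)
    return flagged


def flag_by_cost_budget(lines, window_s=10.0, budget_s=20.0):
    """Cost-weighted limiter: flags clients whose requests consume more backend
    time per window than budget_s allows, regardless of how many requests that is."""
    win = SlidingWindow(window_s)
    flagged = set()
    for line in lines:
        ts, client, path = parse(line)
        if win.add(client, ts, ENDPOINT_COST.get(path, DEFAULT_COST)) > budget_s:
            flagged.add(client)
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("count-based  :", flag_by_request_count(log))  # flags the legitimate heavy user
    print("cost-weighted:", flag_by_cost_budget(log))    # flags only the attacker
```

The design point is that the budget is expressed in the resource the attack actually exhausts (backend seconds), so a client sending 1,500 cheap requests stays under it while one sending 20 requests that each cost two seconds does not. In production the cost table would be derived from measured per-endpoint latency or CPU time, and the window would be keyed on something more robust than a source address.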
Asher explains that being able to keep attacks to the equivalent of internet chatter is largely due to the resources he has at his disposal and the importance that senior management now place on security. And, he points out, in the gaming industry - never "gambling", by the way - customer confidence is paramount. Betfair recently became the first online gaming outfit to gain an ISO/IEC 27001:2005 standard for information security management systems. "I'm expecting that our customers will seek solace in the fact that we have got a proven trust mark we can display to the world, saying we value security and have a world-class system," he enthuses.
Whatever your views on gambling, there is no doubt that Betfair is a UK success story, and one that turns over some big numbers. Asher, who came from security at investment banking houses, is quick to point out the comparisons to the trading world.
"The London Stock Exchange (LSE) is not as big as us. We do more transactions per second, we do it in real-time settlement, and we do transactions 24 hours a day," he says, with some pride. "The LSE has the luxury of end-of-day trading. It can back up, maintain, and upgrade its systems. We're a 24/7 operation, so for us to have an hour to be able to just stop the world while we upgrade would be a luxury."
The responsibility of maintaining total security on what is, in effect, a global system of trading bets is certainly a large one. Asher has the demeanour of a man who would never press the panic button - no doubt one of the reasons why he was hired - but are there times when he lies awake at night worrying? Surprisingly, the answer is yes.
"It's going to keep me awake next week, because we've got the ISO 27001 audit in Australia, so my deputy and I are going down to help it go through. Our team is well dispersed, though, and responsibilities are duly shared. I like interesting problems, and the fact that we've been growing at double the bandwidth every year for the past four years is a great problem to have," he says.
"We've put a lot of investment into our systems over the years, and we're very proud of them. We're doing huge amounts of bandwidth through the front end, huge amounts of connections per second. Betfair has invested in that technology, so if we want to deploy a new file or a load balancer, we put it in our lab, where we'll throw three or four gigabytes of traffic at it or 100,000 http requests. We'll know the breaking point of each one of the devices within our infrastructure," he explains.
By now you may be thinking that this sounds like the perfect employer for information security professionals. A management that not only understands risk, but also invests in the people and technology needed to maintain a world-class security infrastructure. But your potential boss has some requirements.
"First and foremost, I only recruit security professionals. There have been people who started out as developers and want to get into security, and we will help them understand what security is, but we need to have subject matter experts in the team," Asher insists. "I do like people who come from other trading experience like banking. But it's also the personality that affects who I recruit, their technical skills are a factor, but they also need a positive attitude, need to be driven and believe in security - they're not just doing it for a job. That means that we're proud as a team, we gel very well."
"Plus," he adds quickly, "we're the only team in engineering to soon be comprised of 30 per cent women". That's engineering, however. The percentage within the security department is a little less impressive, showing that, despite Asher's youth and the dotcom appeal of an internet business, there's still a lack of female interest typical of information security in general. Asher only has one woman working for him at the moment, in the area of compliance and PCI.
Nevertheless, he truly believes that what he and his team are doing at Betfair is leading the industry and that other businesses and vendors can learn from their methods. He sees it almost in terms of a real-world laboratory, pushing back the frontiers of the science of information risk and security. He gives an example:
"A few years ago, we found there were very few vendors that had models to allow you to completely horizontally scale all of their security infrastructure. So when we implemented that here, we didn't accept the maximum amount of horizontal scalability we could have or the number of firewalls the vendor let us put in the cluster. We deployed them as standalone units and then load-balanced across them.
"There's a lot of learning we've given back to the vendors we've worked with, and we've helped them develop their products. That has then gone on to allow them to be market leaders in other sectors as well," he claims.
But vendors still need to be more responsive. Asher maintains that manageability and reporting are usually among the last things to be considered when a product comes to market. Security professionals, he says, need to be able to provide evidence of their effectiveness with much more management information, including the trend of attacks coming in.
"Cable & Wireless now have a DDoS managed service and give us quarterly reports on what the industry, as they see it, is getting in the way of attacks. So, not only am I now seeing what types of attacks banks are getting, I'm able to compare them against the type of attacks we're getting. The reporting and management has improved, but it still has a way to go," he says.
"In an ever-changing market, you can't just have a standard solution. You have to be innovative and adaptable. A lot of vendors have said to me: 'Our solution is compliant with Sarbanes-Oxley,' and I replied: 'Firstly, we don't need to comply with that, and, secondly, how is your solution actually compliant with that?'" he says. "Because, actually, it is all about auditability and transparency, and a lot of devices don't deliver any of that, so all vendors are doing is jumping on the compliance bandwagon".
Still, compliance is an issue and there is already a head of steam building behind demands for California-style disclosure laws to be introduced in the UK. Asher concedes that there are hidden benefits to the bad publicity surrounding lost laptops and other data breaches.
"NatWest had that happen recently to an encrypted laptop. I like the fact that the news came out, because it taught the public about encryption, and it began to educate consumers about risk management. We're not going to stop every laptop from being stolen, but we can make sure there's no data on it and, if there has to be data, we'll make sure that nobody can get at it," he says.
"The real problem is that that takes a while to update the public's belief system. Phishing is still a hugely viable industry because consumers aren't educated enough to understand the dangers," Asher adds. "Businesses are to blame for a large amount of that by not having a proper email policy in place. The banks got hit first and over time they've evolved, but there are other people out there that need to update their game. When we send out emails here, we've already written a style guide, so that when the marketing team sends out a mass mailing they cannot be mistaken for anything other than genuine emails, and we have an awareness campaign for our customers."
Could Asher be the prototype CISO of the future? The one we all increasingly talk about, who understands the business, can boss the vendors about and get what he wants, because he believes in the business and wants it to compete. His final remarks would have you believe this could well be the case.
"It's not just about security delivering what the business requires in a secure fashion, it's not about having IT wagging the dog or driving the agenda. Security can also help in anticipation of future business goals," he says. "ISO 27001 certification was a great example. We went for it not knowing whether or not the UK regulator for the gaming environment would adopt it, we just wanted to do it. So when the regulator did adopt those standards we had an immediate return on investment. There will be more opportunities like that, where security can help the competitive differentiation between companies. Let's face it, it's harder to see the difference these days between one poker company or one bank and another," he adds, suddenly finding a harder voice.
Was that luck or cool-headed planning on Asher's part? Probably a bit of both, but it was unlikely to be a punt, as Asher is no gambler. He doesn't bet. He doesn't use the services his employers so successfully offer to those who think they can second-guess events. But he does have one weakness.
"I like playing poker," he admits. "We have poker evenings here, but the bits of Betfair I enjoy are all technology. The fact that it's a sports-betting business is important to the company, but not to me". Twenty-nine years old. What's that saying about old heads and young shoulders?
THE NUMBERS GAME
- Betfair matches more than 5 million transactions a day and serves over 4 billion page requests per week;
- The company does 15 times as many transactions as the London Stock Exchange per day, processing up to 1,000 transactions per second. Unlike the LSE, settlement is immediate;
- Betfair has more than 1,000,000 registered customers, and £2,000 a minute is deposited on to the site;
- Nearly half of page impressions to online gaming sites worldwide come to Betfair.
Interview: Betfair's 29 year-old global head of security, Adrian Asher
By Paul Fisher on Nov 20, 2007 11:21AM