Why Effective Leadership is a Key Enabler of Transformation | Speaking with Square Enix’s Ben Trethowan

This interview explores how the pandemic acts as the catalyst for many organisations to undergo technological transformation. This transformation can be seen as a means to support a hybrid workforce, the development of digital channels, or the implementation of services and solutions to future-proof businesses. Whilst advancement is both positive and of necessity, the security threat to these channels and their organisations has increased.

This interview will explore navigating the current landscape and what essential ingredients are required to develop and implement a security strategy for an increasingly digital world.

Hi Ben! First things first…You have recently been promoted to Director of Technical Security at Square Enix – Congratulations! Can you tell us a bit more about what is involved in your role?

Many thanks! Sure, I’m responsible for establishing and driving our technical security strategy, which aims to ensure that we protect appropriately our players, employees, games, systems and data, etc. This involves leading and supporting our technical security team, which provides services across multiple security domains.

All of the work we do seeks to continuously grow and mature our Cyber Security posture, as well as reduce security risk. The main focus of my role is providing technical security expertise/advice to our business and establishing trusted relationships with our senior stakeholders.

EVERYTHING is digital these days – What has that meant for you and your business? (Developing strategy, implementation of new tech., new risks, etc.?)

As a video game developer and publisher, we’re effectively a ‘pure play’ digital business, so our strategy and projects have long been built around how we continuously improve the security of our players and preserve their enjoyment of the gaming experience. This means focussing upon the basics of how our players engage with us; protecting their data, detecting and responding to cheats and pirates and working to identify and prevent toxicity in our player communities.

In addition to this, we also work to foster and support innovation within our games. At a basic level, this could be supporting the compliance/monitoring but we’ve also supported the use of Machine Learning (e.g. for “NPC” training) and Augmented Reality. In the future, we’ll be supporting our businesses aspirations to engage more in the use of blockchain technology (e.g. the use of “Non-Fungible Tokens” or “NFTs” to potentially drive in-game economies, etc.) and the use of the metaverse as an enabler for user-generated content, etc.

Of course, we can’t ignore how our workplaces have transformed in the past 2 years – How have you tried to implement a security-conscious culture at Square Enix – and what worked?

Our security culture and awareness activities have always been focused around supporting our employees to be more secure as individuals, not just in a corporate context, but also in support of their home lives and families. We find that this approach connects with them more and instils longer-lasting behaviours that then benefit both their personal and professional lives.

For example, our awareness work on phishing has resulted in more employees correctly identifying phishing e-mails at work, but also in them telling us proudly about phishing e-mails they (or their families) have received and correctly identified at home. The same applies to concepts like password reuse and we’re also seeing our employees becoming more conscious and wary of personal data exposure through social media, etc.

We’re all finding our feet again with further changes in 2022 to the COVID landscape – what are your main priorities this year?

I’m looking forward to being able to collaborate more in person again, whether that be through networking with industry peers or participating in sector-specific groups to share experiences and best practices, etc. I feel some of the conduits we used to have to share information, like threat intelligence, have suffered a little during the pandemic and I’m eager to restore those when we can.

From a practical perspective, my team will be focussing heavily upon improving the visibility and control of our public / private Cloud environments through our upcoming ‘Cloud & Container Security Project’, as well as seeking to mature yet simplify the security of our employee/partner remote access services.

Finally – What do you feel are the key ingredients required when developing an effective security strategy for an increasingly digital world?

I have for some time had a couple of security ‘mottos’ that have kept me grounded (and in some cases sane) throughout various parts of my professional career and I think they’re even more relevant in an increasingly digital world. The first of those is “Walk, don’t run.” – try not to get lost in tackling a seemingly insurmountable volume of security problems or missing controls, etc. Rely upon basic principles to create a solid foundational strategy that’ll be effective, but perhaps not ‘shiny’.

The second is “Don’t lose sight of the basics.” – it’s easy to jump quickly into appealing yet complex technical solutions that may not be the most important thing to tackle right now or even the right thing for your business at all. Ensure the fundamentals like asset inventory, password complexity/rotation, minimisation of privileges and awareness, etc. are all being dealt with, as well as the more advanced areas like extended detection and response and orchestration and automation, etc.