Technology leaders in gaming and leisure need to adopt a framework for incorporating new technologies while maintaining desired security risk profiles. Furthermore, they need to adopt/build in the most effective way to avoid unnecessary complexity and overhead.

A SECURE FRAMEWORK FOR CHANGE

A recent analysis by MIT, “Technological Improvement Rate Predictions,” analyzed patent information across nearly 2,000 different domains. The study found that the average annual improvement rate for 80% of the domains was a rate of 25% improvement per year. Compare that average to the specific domain of enterprise information technology (which will ring true to IT leaders). The annual technological improvement rate for enterprise information technology was above 200% according to the MIT study. The pace of change in information technology was fast several years ago but it has continued to increase each and every year.

The complex set of tasks facing information technology leaders in the gaming and leisure industry include introducing technologies for new use cases on top of foundational infrastructure that itself is rooted in accelerated change. The adoption and implementation of mobile, geolocation tracking, data modeling, virtual reality, augmented reality, RFID, and facial recognition have spread broadly across our industry, and the use cases are expanding and deepening.

Technology leaders in gaming and leisure need to adopt a framework for incorporating new technologies while maintaining desired security risk profiles. Furthermore, they need to adopt/build in the most effective way to avoid unnecessary complexity and overhead.

In this editorial, I will present a Framework for Secure Change that has proven effective in dealing with these difficult and competing objectives. The framework begins with an organizational context. I will outline three components that will help align design and work streams with fundamental organizational requirements. Those three components that set the “context” will then provide direction to the three critical design elements. Finally, ongoing management of Risk of Obsolescence will be the governance wrapper for the framework.

Organizational Context

1. Business Imperatives
   
   The foundational requirement for full alignment and effective execution is to start with the business imperatives. We must fully understand how new technology capabilities will be used in the business, how they will enable the various business leaders, and clearly understand the desired business outcomes.

2. Capacity for Change
   
   Organizational Change Capacity is a subject of many books and good academic research and is certainly relevant. For the purposes of this framework, I am going to focus on just a few more specific dimensions that help increase success in technology adoption.

• • Identify the change agents who will be Critical to success
    • Verify availability of time and resources
    • Verify skills match for what needs to be Accomplished
  • Review stakeholders and end users
    • Verify full alignment with goals, requirements, and timeline
  • These dimensions help measure your organization’s ability to successfully implement and metabolize the changes to people, process, and technology.

3. Directional North Star
   
   Technology initiatives in our gaming and leisure industry will generally create new use cases, and possibly new users who will rely on the foundational set of infrastructure, network, and IT manpower capabilities. This effectively becomes an expansion to existing capabilities. With all the new technologies being introduced – the new use cases and the new users – there needs to be thoughtful planning for the Information Technology Future State. This is a future state of the reusable and extensible set of people, process, and technology resources that make up the company’s information technology capabilities.
   
   We want to avoid designing and building extensions that become single-purpose and not reusable. It is helpful to design a compelling and durable long-term ambition for the IT department that will serve as the directional north star for work going forward. In many cases that ambition may be to move IT capabilities to an IT as a Service (ITaaS) model where technology and processes are designed composable and reusable so that they can be built once and consumed anywhere across the organization. You can see in this ambition that it will be difficult, if not impossible, to ever truly reach that destination but from a navigational standpoint, the vision will help.

Critical Design Elements

1. Radical Simplicity
   
   Author Ken Allen wrote the following in his book “Radical Simplicity, “…the test of a leader’s performance should not be what they have achieved in the past, but the foundation that they have laid for the future.”
   
   It is this test that we should all be willing to take after completing a new technology implementation project. Typically, a new implementation will result in a new technology stack that will need to be managed, monitored, patched, and occasionally troubleshot. This has resulted in incrementally building resource requirements on technology and security staff. With the expansion of new technologies and the acceleration of change in existing technologies, this approach is no longer sustainable. The true success metric for new technology implementations today is how the project reduced the demand on IT resources (people, process, and technology).
   
   Radical simplicity will require the new design to consider all layers of the technology stack with the goal of standardization, improvement, consolidation, potential replacement, and reuse of the underlying technology components.
   
   
2. Force Multipliers
   
   We are at a time in enterprise information technology when design must include capabilities that will leverage and multiply existing resources. The key contributors to this design element are automation, orchestration, and composable design/reuse.
   
   Many of us are familiar with the quote by Warren Bennis on the factory of the future, “The factory of the future will have two employees: a man and a dog. The man is there to feed the dog and the dog is there to keep the man from touching the equipment.” It is this quote that I like to use as the vision for the Data Center of the Future. While relentlessly pursuing radical simplicity in the design phase of a new project, equal effort must be put into designing in force multipliers.
   
   
3. Security, Security, Security
   We need to evangelize that it is no longer a good idea to “build in” security after the fact. Security must be designed from the beginning of the architecture and capabilities discussions.
   
   It is also vital to create a fabric of security technologies that are reusable and extensible so that new technology projects can simply subscribe and consume already existing capabilities. That will not always work 100% for new technology initiatives but we need to make the exceptions the exceptions and build in security for proper risk management.
   
   When talking about security design I want to take a moment to discuss what I see as two dimensions to effectively managing an organization’s cyber security risk profile. There is an important design and practical distinction between cyber security and cyber resilience when working on new technology design. Consider two types of cyberattacks:
   
   • A data breach that exposes sensitive data.
   • Malicious activity that disrupts regular business operations (such as a ransomware attack or a denial-of-service attack.)

Cyber security is a strategy and set of capabilities that are designed to help prevent a data breach and reduce the likelihood of a malicious disruption to your business.

Cyber resiliency is a strategy and set of capabilities that will help mitigate the impact of a business disruption.

It is important that both of these dimensions are designed into new technology project implementations. I can use the NIST Core Functions Framework – identify, protect, detect, respond, recover – to clarify. The cyber security dimension includes all of the parts of your security program that relate to the identify, protect, detect, respond core NIST functions. The cyber resilience dimension includes some of the respond function, but more broadly the recover function.

Governance: Manage Risk Of Obsolescence

Professor David Harvey once said that, “planned obsolescence is only possible if the rate of technological change is contained.” This quote, along with today’s ever-increasing rate of change in enterprise information technology point out that proactively managing your company’s risk of obsolescence is vital to long-term success.

Not too long ago we made capital expenditures for technology and depreciated the amount over a planned lifespan and that was our way of financially managing risk of obsolescence. In today’s world we have many more complicating factors from cloud computing and software subscriptions to interoperability/compatibility issues. It has never been more difficult to plan out lifecycle management of IT assets. The first step is to make sure risk of obsolescence is a focus of the design of all new technology implementations. Even more important, that focus should not be exclusively on new acquisitions and implementations but rather as broad as possible to calibrate risk across the entire IT landscape with new technology introductions.

We are not going to be perfect in risk management or lifecycle planning, but we can be thoughtful and disciplined.

Importance Of A Framework For Secure Change

I will use one more quote to help frame this discussion. Keith Kitani, CEO of GuideSpark, and author may have captured my perspective the best, “Become a change-ready organization. This goes beyond being able to deploy a new tool or process – it means building a culture of communication structure that is ready, willing, and able to adapt to any change. After all, the rate of change and evolution in business and technology is only going to continue and even pick up speed.”

Much has been asked of IT leaders over the past two decades and even more was asked of them when the pandemic hit. There is a knee-jerk reaction to see work to be done and engage and execute on that work. I believe we are now at a point in time where IT leaders need to be the catalyst and change agent to help their organizations – people, process, and technology – reach a foundational state of agility through thoughtful and careful design and planning for extensibility, expansion, and reuse.

The pace of technological change is a complicating factor but the increase in cyber security risk and the growing need for well-structured and effective cyber resilience programs are the most pressing variables now in long-term IT architectural and capabilities planning. This approach will drive business value through security.

A secure framework for change that promotes repeatability is required today for new technology adoption initiatives.

Source: G&L Magazine Fall Edition 2022

John Wondolowski is the Chief Technology Officer for Solutions II. Solutions II is an Information Technology Services and Solutions Provider with an industry focus in Casino Gaming and Hospitality. John has been an Enterprise IT Executive for many years after earning degrees from the University of California at Berkeley, Haas School of Business, and California State University at Fullerton.