Riot Games is perhaps best known for its popular game League of Legends. With about 100 million monthly players worldwide, the security team faces its own set of unique challenges when it comes to preventing fraud.
Recently, Riot Games’ Chris Hymes appeared on “The New CISO” podcast to discuss the company’s security measures, as well as his own thoughts on building a safe infrastructure. Hymes has a long history in the field, having served as head of information security at Hulu before joining Riot Games as CISO.
DDoS and gaming
In the gaming industry, cybersecurity analysts constantly strive to protect the user experience. If one player experiences latency due to a DDoS attack, that player will understandably be frustrated. To keep those issues to a minimum, Riot Games built its own fiber backbone called Riot Direct.
In addition to cyberattacks, Riot Games also has to be able to detect and prevent cheating. The process is similar to the threat-hunting techniques used in other environments.
“The anti-cheat team is actually part of security. You need people who deeply understand adversaries’ tactics. So in order to know how someone is cheating in the game, you need to deeply understand how players play the game and think about it, just like you need to understand how an adversary is going to move from workstation to workstation.” — Chris Hymes, CISO, Riot Games
Advice for aspiring anti-cheat professionals
Some cybersecurity analysts may have an interest in getting into the gaming industry. While there’s some crossover, Hymes stresses that anti-cheat analysis is closer to the skills required to reverse engineer malware.
“What I would say is for someone who’s really interested, I would first start kind of doing some investigation into why people cheat,” Hymes says. “You need to understand the deep technical aspects of how a computer works.”
Advice to his younger self
On each episode of our podcast, we like to ask the guest for words of advice to their younger selves. Interestingly, Hymes had advice unrelated to the security industry itself. He said he’d simply advise his younger version to slow down and enjoy life a little more.
“I would say that for a large chunk of my life, and even occasionally I fall back into this trap, I sometimes think that everything is critical,” Hymes says. “Everything needs to be solved immediately. Everything is just super important. And a lot of the times if you take a step back and you look at the bigger picture, you’ll realize that some of the things you think are critical and that you’re going to kill yourself over, possibly kill other people over, just aren’t that big of a deal. And if you’re able to step back and look at things with a calm perspective, especially in the security space or when you’re a leader in a company, that is a strength that other people will learn from, and as well as really appreciate.”
Looking to the future
In 2019, Zoom dealt with a security issue that had Mac users seeing their webcams compromised. Hymes points to that as an example of the importance of having a CISO on the leadership team. Often CISOs are seen as a hindrance to progress since the job, by definition, is to always proceed with caution.
“Imagine a world where startups said, hey, you know what? We believe fundamentally that security and feature development can live in harmony so we don’t end up in a place like this. Part of my founding board of executives is going to be a security person.” — Chris Hymes, CISO, Riot Games
Leading the next generation
Hymes believes in the importance of thinking long-term when building a security team. This, to him, means surrounding yourself with the right people and equipping those people to take over when you someday retire or leave. In fact, he feels like if he leaves and the team collapses, it’s a huge failure on his part.
“To me, a good CSO has the goal to be a calming voice in the organization, to build the strongest possible security team for what the company needs, to empower the people, to be a customer service person to the other executives at the company, to be a voice for my team and people and to build a sustaining team that’ll way outlast me at the company,” Hymes says. Building that team and empowering and growing the next generation of leaders in the team is one of his top priorities. He’s sad to see people leave but proud when they become CSO somewhere else. As Hymes puts it, “I’m proud that they are now leading a security team at another company. And that is the type of thing I take more pride in than I do fixing a security vulnerability, in all honesty.”
As the head of security for one of the top companies in the gaming industry, Hymes has valuable insights into the challenges the industry faces. To hear the full episode, check out episode 25 of “The New CISO” podcast, Determining Risk Tolerance for a 100-Million-User per Month Organization.