Un/Cover

Policy Pandemonium: Documentation Uplift in the Esports Industry

The monumental meeting between the Olympic committee and esports representatives indicates, above all else, that esports is continuing its upward trajectory and cementing itself within today’s sports and entertainment industry. Money is no longer an issue: teams now have fixed salaries, corporate partners and athletic sponsors, and approximately $622 million is predicted to be spent on esports branding during 2018. Some still view the scene as “nerds” enjoying a pastime, but that opinion is quickly shifting as sports teams and brands realise the untapped potential. The growth in capital is gigantic, but organisations are not yet mature enough to keep up with it and undertake the next chapter. Policies remain unwritten, misbehaviour goes unpunished and tournaments are plagued by technical difficulties and tactical mistakes. It is time for esports organisations to get serious about industry best practice.

The challenge for esports is multifaceted: how do organisations achieve best practice when best practice for the esports industry hasn’t been defined? Further, how does all of this uplift happen while avoiding corporate ennui and maintaining the light-hearted, fun-loving tone that moulded esports into what it is today? With a multifaceted issue, the optimal solution begins by breaking the question down into its individual parts. Re:Cover will address this head on and offer ideas as to what we believe is the right path forward.


Best Practice isn’t Defined

Best practice is a term commonly used in professional settings to describe the ideal way of performing a function. This can take many forms, from the optimal way of documenting an audit report to the most tactful way of handling a hostage negotiation. The premise: find whoever does what you aim to do best, and adapt their method to your own organisation. Best practice is typically shaped by the leading organisations in each industry – the Googles, Apples and Microsofts of technology, the HSBCs and JPMorgan Chases of banking, you get the idea. These global giants have sufficient financial and human resources to constantly innovate and rethink the best ways of working, so it is only natural that they lead the pack.

A trap smaller organisations fall into is simply mimicking the industry’s best practice at their own organisation – the “if it works at Google it will work for us” mindset. This is known as best practice for best practice’s sake, and it is dangerous because it creates unnecessary overheads and increased employee stress without necessarily reducing any risk the organisation actually faces. The principle recommended to smaller organisations (esports teams, for example) is the “Smart Follower Principle”. This ideology emphasises adaptability: watch what the giants are doing, and adopt the tried and tested parts for yourself if and only if they are relevant to your organisation and sufficiently address a business risk you face.

Governments around the world are now proactively providing guidance on best practice across multiple business areas, both to their own departments and agencies and to privately owned businesses. Cyber security, currently one of the hottest topics, is an area that many businesses are struggling to address effectively. In Australia, the Australian Signals Directorate (ASD) has produced a list of eight mitigation strategies known as the “Essential Eight”, which, if implemented, aim to mitigate the majority of cyber threats. The Essential Eight are direct and self-explanatory; implementing these controls is not difficult, and the reasoning behind each is logical. As an example, one of the eight is to “Patch Applications”. Presented in a risk/control format, the ASD offers the control (patch applications, and use the latest version available) alongside the risk it addresses: vulnerabilities in outdated applications can lead to the installation and execution of malicious code. The Australian government, amongst others, has committed to providing simple solutions to overlooked business security issues; it is time for esports entities to follow suit.


As a result, the esports environment has ample material to leverage in defining what shape best practice will take. Esports organisations and teams should initially look at the practices implemented by their peers and industry leaders, but the learning must not end there. League of Legends (LoL) judge, jury and executioner Riot Games have implemented much of what they have observed from the outside world. In a recent documentary produced by Netflix Explained, Chris “Riot Chopper” Hopper, head of esports for North America (NA), spoke about the creation of the current rule-set governing the LoL professional league: “The role models we looked to were the other major sports in the world. So I actually downloaded the operating manuals or the rule-books for the top 50 sports in the world… and read them all”. New rules and changes to existing rules are shaped by what is happening in other sports, which underlines Riot’s adaptability in esports management. The professional leagues they have created have been incredibly successful, with franchising in North America occurring at the end of last year.


Naturally, locally managed esports teams may look to companies like Riot for guidance, and in certain business areas this is sound advice. That being said, heavy emphasis needs to be placed on “certain areas”. Riot Games have come under fire for alleged sexism in the workplace, as reported by Kotaku. The anecdotes presented in the article underline, at the very least, the importance of treating any company as a professional environment and catering to people of all backgrounds, values and beliefs. Regardless of the validity of the individual claims, Riot Games has demonstrated poor employee and reputational management, and needs to uplift its corporate culture and the endorsement and enforcement of its policies. Frankly, no one in the current esports landscape has got it 100% right.

Moving forward, the entire business needs to be considered through a risk/control lens from the outset. The brand, reputation and decision making of the company should all be driven by well written policies and a strong corporate culture. Potential solutions for esports organisations include:

  • Adoption of international policies and standards: Thankfully, esports is not the first industry to struggle with best practice; international frameworks have already been defined and developed for most business processes. For example, organisations could consider alignment to ISO/IEC 27001 or the NIST Cybersecurity Framework for cyber and information security. While full certification against these frameworks is total overkill for your local Overwatch team, aspects can be sampled using a risk based approach; you may not need every control in the standard, cryptography included, but some basic information sharing controls wouldn’t hurt. Along the same lines, if your company is going to sell merchandise or take paid subscriptions, look at the controls required under PCI DSS to ensure card transactions are handled safely (or use a payment provider that already meets them, so card data never touches your systems).
  • Ongoing risk assessments: On an annual or as needed basis, organisations should understand what information they hold and what risks to it exist. This needs to be inclusive of all business areas; staff personal information is no less important than the product you are selling during this process. Apply controls proportionate to the value of the information determined.
  • Internal & external consultation: Constantly look for improvement opportunities, both by asking your own employees and by receiving unbiased third party advice. A different perspective on your operating model or HR practices will often lead to direct improvements, some of which may not have been considered before asking.

The aforementioned solutions are just a brief synopsis of three fairly obvious improvement areas, but there is evidently significant work to be done across the board in bringing the esports landscape to maturity. Before we develop advanced analytical models and increase employee productivity tenfold, let’s start by getting the basics right: creating and maintaining strong documentation.

First Steps – Policy Uplift

In the consulting world every engagement (or piece of work) for our clients begins with a document request list. Whether the engagement is an internal/external audit, a performance improvement opportunity or a cyber maturity assessment, there are always baseline documents companies are expected to have. Some of these include the following:

  • Corporate Risk Framework
  • Corporate Risk Policy
  • Governance Framework
  • Information Security Framework
  • Employee Code of Conduct & Acceptable Use Agreement

The aforementioned are just a small sample of the documentation a mature organisation should have in place. Naturally, depending on the type of work the professional services organisation is performing, additional policies will be requested.

The creation and endorsement of these policies is directly related to the corporate risks faced. For example, Codes of Conduct and Acceptable Use agreements are created to offset the risk of employee misbehaviour and equipment mismanagement. The refined risks to the organisation from employee misbehaviour and equipment mismanagement range from direct financial loss as a result of employee fraud to loss of sensitive information through phishing emails. Needless to say, the risks are widely dispersed, and often not all of them can be addressed. The solution? Perform a risk assessment on your organisation’s information to understand what needs to be protected.

A risk assessment is a very broad term and can take many formats, assessing any process or information type in an organisation. The risk assessment explored in this article focuses on all information at an organisational level; it may not contain the same level of detail as a targeted assessment (an internal audit of disaster recovery, for example), but it will underline the importance of risk-based thinking in esports.

In Victoria, Australia, the state government released the Victorian Protective Data Security Framework (VPDSF) in 2016, issued under the Privacy and Data Protection Act 2014. The VPDSF requires Victorian government agencies to assess their organisation through an information security lens, focusing on information assets. An information asset can be thought of as a group of documents or records that contain similar information and are handled in the same manner. For example, human resources (HR) information about employee occupational health and safety (OHS) is typically grouped together. This subset includes employee names, workplace health and safety incidents and personal details about the other parties involved; all of this information is stored in the same system and only select staff members have access. The VPDSF mandates five steps for an initial assessment: identify your information assets, determine the value of this information, identify any risks to this information, apply security measures to protect it, and finally manage the risks across the information life-cycle.

Esports companies might have an understanding of what information assets exist in their environment, but have not formalised a process for recording and valuing these assets, let alone identifying risks to each asset. According to the VPDSF, an information asset register should be created. The register should be populated by all areas of the business, each providing their own information types, descriptions, asset owners and any other relevant information. Once the asset register is populated, the assets need to be valued. Information assets are valued against a business impact levels (BIL) table. Under the VPDSF, a standardised set of BILs has been created and is to be used across the government sector to enforce consistency. The esports industry won’t have standardised BILs at this stage, so it is up to each organisation to create its own.

[Figure: BIL example] An extract from the Victorian Protective Data Security Framework’s (VPDSF) Business Impact Levels, specifically addressing reputational risk.

Business impact levels acknowledge all business risks at a high level. Financial, reputational, service delivery and personal safety are all areas of consideration included in a BIL table. The BIL table created by each esports organisation should be customised to address all of its business areas, excluding redundant or irrelevant ones (law enforcement under the VPDSF, for example). Valuing an information asset against the BIL table means giving it a numerical rating in each of the areas of confidentiality, integrity and availability. Put simply: how bad would it be if this information became publicly available, how bad would it be if this information were inaccurate, and how bad would it be if this information were not available? Contextualised within an esports organisation, information assets such as player performance results/data, payroll information and sensitive employee information would each need to be valued individually against the core business objectives and strategic risks.
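The register and valuation described above, worked through in code as an added example (this is not the article’s own tooling, nor anything published with the VPDSF). The asset names, owners, the 0–4 BIL scale, the four impact areas and every rating in the sample register are constructed assumptions for a fictional esports organisation; a real organisation would substitute its own BIL table. Beyond the text, the example also records which CIA dimension drives each asset’s overall rating, because that is what tells you which family of controls to reach for first.

```python
"""Information asset register valued against a Business Impact Level table.

Added example (not part of the original article or the VPDSF). The BIL scale,
impact areas, asset names and ratings are constructed assumptions.
"""
from dataclasses import dataclass, field

BIL_SCALE = {0: "Nil", 1: "Minor", 2: "Limited", 3: "Major", 4: "Severe"}  # assumed scale
IMPACT_AREAS = ("financial", "reputational", "service_delivery", "personal_safety")
DIMENSIONS = ("confidentiality", "integrity", "availability")


@dataclass
class InformationAsset:
    name: str
    owner: str
    description: str
    # impacts[dimension][area] = BIL 0..4; an area that is absent means no impact.
    impacts: dict = field(default_factory=dict)

    def validate(self) -> None:
        """Reject ratings outside the organisation's BIL table before scoring."""
        for dim, areas in self.impacts.items():
            if dim not in DIMENSIONS:
                raise ValueError(f"{self.name}: unknown dimension {dim!r}")
            for area, level in areas.items():
                if area not in IMPACT_AREAS:
                    raise ValueError(f"{self.name}: unknown impact area {area!r}")
                if level not in BIL_SCALE:
                    raise ValueError(f"{self.name}: BIL {level!r} outside scale")

    def bil(self, dimension: str) -> int:
        """Worst-case impact across all business areas for one CIA dimension."""
        return max(self.impacts.get(dimension, {}).values(), default=0)

    def overall_bil(self) -> int:
        return max(self.bil(d) for d in DIMENSIONS)

    def driving_dimensions(self) -> list:
        """Dimensions whose rating equals the overall BIL. These point at the
        control family needed first: access control for confidentiality,
        validation and change control for integrity, backup and redundancy
        for availability."""
        top = self.overall_bil()
        return [d for d in DIMENSIONS if self.bil(d) == top]


def prioritise(register):
    """Validate every asset and return them ordered highest BIL first."""
    for asset in register:
        asset.validate()
    return sorted(register, key=lambda a: (-a.overall_bil(), a.name))


def register_report(register):
    """Rows suitable for the register spreadsheet or an executive summary."""
    return [
        {
            "asset": a.name,
            "owner": a.owner,
            "C": a.bil("confidentiality"),
            "I": a.bil("integrity"),
            "A": a.bil("availability"),
            "overall": BIL_SCALE[a.overall_bil()],
            "driven_by": ",".join(a.driving_dimensions()),
        }
        for a in prioritise(register)
    ]


# Constructed sample register for a fictional esports organisation.
SAMPLE_REGISTER = [
    InformationAsset(
        "player_performance_data", "Head Coach",
        "Scrim results, VOD reviews and per-player statistics",
        {"confidentiality": {"reputational": 2, "service_delivery": 2},
         "integrity": {"service_delivery": 3},
         "availability": {"service_delivery": 2}},
    ),
    InformationAsset(
        "payroll", "Finance Manager",
        "Player and staff salaries, bank details and contracts",
        {"confidentiality": {"financial": 3, "reputational": 3},
         "integrity": {"financial": 4},
         "availability": {"financial": 2, "service_delivery": 1}},
    ),
    InformationAsset(
        "employee_ohs_records", "HR Lead",
        "Workplace incident reports and health details of those involved",
        {"confidentiality": {"reputational": 4, "personal_safety": 3},
         "integrity": {"personal_safety": 3},
         "availability": {"personal_safety": 2}},
    ),
    InformationAsset(
        "public_match_schedule", "Team Manager",
        "Published fixture list and broadcast times",
        {"confidentiality": {},
         "integrity": {"reputational": 2},
         "availability": {"service_delivery": 2}},
    ),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        print(row)
```

Running it puts the OHS records and payroll at the top with a Severe rating, but for different reasons: the OHS records are driven by confidentiality (who can read them), payroll by integrity (a wrong payment is worse than a leaked one here). That distinction is the practical output of the valuation step, because it decides whether the first control you write is an access policy or a change-approval procedure.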


Once all information has been accounted for and assigned a value, the creation of processes and policies can begin. Starting with the big-ticket items, the organisation now has a responsibility to protect its most important information assets (including its employees!) to ensure not only that no information or privacy breaches occur, but also that the business operates smoothly. However, this is the esports industry, and we shouldn’t lose sight of the relaxed nature that led to its original success. Policies don’t have to be boring – make them interesting, exciting and fun! Policies that are fun to read and free from corporate jargon will increase employee buy-in and interest in the policy objectives. While not policies per se, the patch notes released by Riot Games and Blizzard are prime examples of what we call “fun data”. These notes could easily be presented as a spreadsheet, with the numerical shifts in champion/hero values shown and some basic reasoning as to why. Instead, these companies add flavour, using community jokes and game lore to make the data tell a story.


Thinking outside the box – External Assessment

Once the basics are in place, including formalised policies and procedures, there is still opportunity for organisations to improve their security and business practices. Periodic review of existing practices should of course always occur, but esports organisations can also look outside their own sphere for guidance.

An opportunity that often receives good traction with management is a maturity assessment. Like the risk assessment above, a maturity assessment can look at any number of business processes or functions. Unlike it, a maturity assessment compares the organisation to industry peers and competitors, highlighting critical areas or practices that can be improved. These assessments also assist with strategic planning: management can be consulted on their vision for the coming years, and appropriate suggestions and actions are included in the result.

One maturity assessment Re:Cover is well versed in is the information security maturity assessment. Starting from the information security framework in use at a company, security domains are created by grouping similar controls and information types. The domains are then assessed through an intensive process of interviews, evidence observation and system testing. An exhaustive questionnaire is reviewed with all relevant business areas to gain a comprehensive understanding of their maturity per domain. Once the process is complete, a numerical value is assigned to each security domain, highlighting areas of strength and weakness. The exact same security domains are then assessed at the other participating organisations, creating an industry average score for each domain, which acts as the benchmark. Companies who have undergone this process gain clarity over their maturity both internally and relative to the market, allowing advantages to be capitalised on and areas of weakness to be remedied efficiently.

Below, Re:Cover have created an example of what an executive dashboard for the maturity assessment may look like at an esports organisation. Note that in a full assessment, each security domain is explained in detail and the rationale behind each rating is provided.

[Figure: example executive dashboard for an esports organisation’s maturity assessment]

The 12 domains are not comprehensive and do not cover all areas of a business, but they give an idea of what shape the assessment would take. Each domain is given a “traffic light” colour that indicates to management which areas require the most focus. In determining each domain’s value, questions like the following are asked:

Awareness

  • Are all staff required to undertake awareness training upon joining the organisation? Is this for all employees, players, administration officers and otherwise? How is this tracked?

Physical Security

  • What kind of security measures (e.g. locked doors, fireproof safes) does the organisation use to protect areas that contain sensitive information (e.g. server rooms, security rooms)?

Based on the answers provided, and through physical inspection of the facilities/network where necessary, a numerical value (typically from one to five) is determined for each domain. Guidelines within the assessment indicate the appropriate value for a given set of answers. Further, a spider graph comparing the target company with its industry peers is provided. This may look like the following:

[Figure: Maturity Assessment spider graph comparing the target company with its industry peers]
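The scoring, benchmarking and traffic-light steps described above, as an added example that is not Re:Cover’s own assessment tooling. The four domain names, the 1–5 scale applied to each questionnaire answer, the peer organisations’ scores and the colour thresholds are all constructed assumptions; in a real engagement the rating per domain comes from the assessor’s guidelines, interviews and evidence, not from a self-scored questionnaire alone. The dashboard it produces sorts red domains first so the executive view starts where the gap to peers is largest.

```python
"""Maturity assessment scoring with a peer benchmark and traffic-light dashboard.

Added example (not the article's own tooling). Domains, the 1-5 answer scale,
peer scores and the colour thresholds are constructed assumptions.
"""
from statistics import mean

DOMAINS = ("awareness", "physical_security", "access_control", "incident_response")

# Assumed traffic-light rules: red if weak in absolute terms or well behind
# peers, amber if below the "comfortable" line or merely behind peers,
# green otherwise.
RED_ABSOLUTE = 2.5
GREEN_ABSOLUTE = 3.5
RED_GAP = 1.0


def domain_score(answers):
    """Mean of the 1-5 ratings given to one domain's questions, one decimal."""
    if not answers:
        raise ValueError("a domain with no evidence cannot be rated")
    if any(a not in (1, 2, 3, 4, 5) for a in answers):
        raise ValueError("ratings must be integers 1-5")
    return round(mean(answers), 1)


def score_organisation(questionnaire):
    """questionnaire: {domain: [rating, ...]} -> {domain: score}.
    Every domain must be present; a missing domain is an assessment gap."""
    unknown = set(questionnaire) - set(DOMAINS)
    if unknown:
        raise ValueError(f"unknown domains: {sorted(unknown)}")
    return {d: domain_score(questionnaire.get(d, [])) for d in DOMAINS}


def benchmark(peer_scores):
    """Industry average per domain from already-scored peer organisations."""
    return {d: round(mean(p[d] for p in peer_scores), 1) for d in DOMAINS}


def traffic_light(score, peer_avg):
    gap = peer_avg - score  # positive when behind the industry
    if score < RED_ABSOLUTE or gap > RED_GAP:
        return "red"
    if score < GREEN_ABSOLUTE or gap > 0:
        return "amber"
    return "green"


def dashboard(questionnaire, peer_scores):
    """Executive view: score, benchmark, gap and colour per domain,
    worst domains first so management sees where to focus."""
    scores = score_organisation(questionnaire)
    bench = benchmark(peer_scores)
    rows = [
        {
            "domain": d,
            "score": scores[d],
            "benchmark": bench[d],
            "gap": round(scores[d] - bench[d], 1),
            "colour": traffic_light(scores[d], bench[d]),
        }
        for d in DOMAINS
    ]
    order = {"red": 0, "amber": 1, "green": 2}
    return sorted(rows, key=lambda r: (order[r["colour"]], r["score"]))


# Constructed questionnaire results for the fictional target organisation
# (one rating per question, three questions per domain).
TARGET_QUESTIONNAIRE = {
    "awareness": [2, 1, 2],
    "physical_security": [4, 4, 5],
    "access_control": [3, 3, 4],
    "incident_response": [3, 2, 3],
}

# Constructed domain scores for three already-assessed peer organisations.
PEER_SCORES = [
    {"awareness": 3.0, "physical_security": 3.5, "access_control": 3.0, "incident_response": 3.5},
    {"awareness": 3.5, "physical_security": 4.0, "access_control": 3.5, "incident_response": 2.5},
    {"awareness": 2.5, "physical_security": 3.0, "access_control": 3.5, "incident_response": 3.0},
]

if __name__ == "__main__":
    for row in dashboard(TARGET_QUESTIONNAIRE, PEER_SCORES):
        print(row)
```

With the sample data, awareness comes out red (1.7 against a peer average of 3.0), incident response and access control amber, and physical security green despite sitting above every peer, which is the kind of picture that tells management to fund training before more door locks.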

How does all of this help?

It should go without saying that a greater understanding of your own business and its associated risks will improve your company’s overall health. Creating and endorsing strong policies based on business criticality is just the first step in what should be a continuous improvement cycle. Esports organisations are still at the beginning of this journey; should they wish to push themselves towards corporate maturity, the industry needs to start with the basics.

If you wish to receive further advice about risk and maturity assessments at your team or organisation, please reach out to recoveresports@gmail.com. We are more than happy to have a conversation with anyone looking for general risk, cyber and policy advice.
