In this exclusive interview straight from Las Vegas, theCUBE’s Dave Vellante and Rebecca Knight sit down with Stephen Harrison, CISO of MGM Resorts International, to unpack what it really takes to secure a city-sized resort on the Strip. Harrison explains why each property functions like its own municipality and how that scale drives a radically larger attack surface across IOT, ICS, loyalty, retail and sports entertainment. He details MGM’s centralized cybersecurity model, governed visibility and architectural standards across jurisdictions, and why non-gaming operations now rival gaming in business impact.
The conversation zeroes in on identity, segmentation and limiting blast radius as core design principles that keep guest experience seamless while protecting critical operations. Harrison shares why a centralized security core reduces policy drift and how modules like CrowdStrike Identity and Container Security help enforce controls, override misconfigurations and secure modern dev pipelines. He reacts to George Kurtz’s Security AGI vision, calling out AI’s double-edged nature and the need to automate away commoditized pain points so teams can focus on mission-critical work. He highlights open-source momentum with Meta and CrowdStrike’s CyberSecEval as a community benchmark for evaluating AI in security operations. From agentic AI identity risks to real-world tool consolidation strategies, this session maps directly to how organizations are embedding AI across the stack to stay ahead of adversaries in real time.
Stephen Harrison, MGM Resorts
>> Hello everyone and welcome back to theCUBE's live coverage of Fal.Con 2025 here at the MGM. I'm your host, Rebecca Knight, sitting alongside Dave Vellante. I would like to welcome Stephen Harrison, who is the CISO of MGM Resorts to the show. Welcome, Stephen.
Stephen Harrison
>> Yeah. Thank you both for having me.
Dave Vellante
>> Sure.
Rebecca Knight
>> We are here in your kingdom.
Stephen Harrison
>> It is a kingdom.
Rebecca Knight
>> Thank you for having us, I should say.
Stephen Harrison
>> We do have a castle, Excalibur.
Dave Vellante
>> Yeah, we do.
Rebecca Knight
>> Indeed, indeed. So let's get into it because you have a really interesting job and you, you've been in this industry for a long time. You've worked in manufacturing, healthcare, and now obviously hospitality. Why don't you begin by painting a picture for our viewers a little bit about how working in hospitality and securing a casino is so vastly different from these other industries that are also really important and highly regulated. And talk a little bit about what you do.
Stephen Harrison
>> I would think about every resort, and we own probably about two miles of the Las Vegas Strip. We also have international operations. But when you think about the complexity, I think it's good to bring into context the resort size. Bellagio is one of ours. It's named after a town in Italy.
Dave Vellante
>> Been there.
Stephen Harrison
>> It's a beautiful town and I think the town has somewhere around 3,000 to 4,000 citizens that live in it. Almost 8,000 people work out of Bellagio in Vegas here. And when each of these resorts are sort of a city under themselves, they have power, sewage, maintenance, and then we have food and beverage, dining, sports arenas in some of these locations. We have obviously the casino and entertainment industry there. Shows, golf courses. And then everything that goes behind the scenes to protect these, from a cyber side, there's just so many challenges when you think about IoT, ICS, you think about the digital footprint and that's before we were even talking about customer data or consumerism and the retail and all of those wonderful challenges.
Dave Vellante
>> Yeah. So those digital footprints are vast in hospitality and entertainment. You're obviously a high-value target. You're facing unique cyber threats, much different than you would think in a regulated industry like healthcare or financial services. So how do you see your sector, your current sector, compared to some of those other ones?
Stephen Harrison
>> It's very regulated, I would say, from the casino operator model. And where you might have the FTC or the SEC, or if you're in healthcare, you might have different manufacturing requirements for drug development and for HIPAA and these things, we have different gaming jurisdictions that we collaborate and report to and we fall under their jurisdiction for those operating models. And those vary from country to country and then also across the U.S. obviously where gaming is at by the state level. So we might have a dozen different jurisdictions across the U.S. with different requirements and challenges and ways that they would like us to operate.
Dave Vellante
>> I mean it's all hard, but what's the really unique sort of hard part? Is it securing that edge? Is it again, that vast digital footprint that you have? Where do you see the gaps generally in the industry? Irrespective of MGM specifically?
Stephen Harrison
>> I would say because there are so many different offerings in the portfolio that your attack surface is larger than it is at a traditional company. And if you think about retail, your B2B, B2C, and that's sort of your footprint and you're managing the customer identity. Manufacturing, it's about production and out the door and your channel supplies. And when you think about something like MGM Resorts, hospitality in general, if it's us, Hilton, Marriott, you have so many different avenues for attempts at digital fraud, attempts where an incident can take down operations in so many different ways. And that's compounded by the digital footprint with sports betting and development and everything and our loyalty program. And
Dave Vellante
>> So just not have another question. My kid goes to UMass Amherst and sometimes we stay at the MGM in Springfield.
Stephen Harrison
>> Okay.
Dave Vellante
>> And so I would imagine that the clientele at the MGM in Springfield, Mass is different than the clientele here. People come to Vegas because it's Vegas, right? People around Springfield, they might attract them with, "Hey, we got some giveaways today," whatever it is, some swag. So my question is how much autonomy is there with respect to setting up infrastructure, making choices about cybersecurity tools? Because that presumably would make it harder the greater the degree of decentralization, more tools, tools creep, automation. Or are you able to have a command and control, at least as it relates to cybersecurity?
Stephen Harrison
>> We are. We have, I would say, an appropriate amount of autonomy with centralized operations. Obviously we're a global company, but cyber coming under one roof and then having a seat with the audit committee and the board and then working hand-to-hand with our CTO and our technical operations. We are in a really good spot, I think for that. When you look at the landscape across the portfolio, obviously different customers across regional versus sports betting. And when you think about Vegas, everyone thinks about gaming, but the reality is non-gaming revenue is as profitable or more in some cases. When you think about seeing Lady Gaga, Bruno Mars, you think about going to Raider Stadium by our Mandalay Bay properties or the Golden Knights at T-Mobile Arena, which we operate all of these. It's important to have centralized visibility to enforce architectural adherence and standards. And so that when you're protecting an asset, an identity, a system, that there's no loss in translation from one entity to another and what success looks like.
Dave Vellante
>> The A's are going to explode that, Rebecca, right?
Stephen Harrison
>> We're hoping.
Dave Vellante
>> We're right across the street.
Rebecca Knight
>> Indeed, indeed. So how do you balance that? Because as you said, you are really at the intersection of the physical world and digital security, and also thinking about the guests who are experiencing it all. So how do you balance that in terms of thinking about the hospitality industry that you're in and how guests experience it?
Stephen Harrison
>> A very pragmatic approach. I think it's not unique. I think in cyber, we have all these flavors or blueprints and they all really work. As long as you stick to one and follow it. If you think about NIST CSF, ISOs, CIS controls, you can... It's not overly complicated on its face, but it's delivering those controls and mapping them in a way that you're not inhibiting growth and business operations. And so you want to be a partner with the business and how you handle that. And so for us, it's really, we focus a lot around identity and segmentation, limiting footprints. We want systems to be centrally managed but disparate in their ability to impact other operations. And so that's sort of our architectural approach there so that we can empower growth and digital and mergers and acquisitions, whatever it is. And really the strategy has to be around centralized controls and a strong architectural adherence enforced across the enterprise. If that's a development pipeline and making sure we're running, let's say, CrowdStrike Container Security or something like that across all of our cloud, or we want identity protections, we use the module there for CrowdStrike, and having visibility in one location regardless if that's Entra or Okta or a SailPoint automations or disparate one-off identity services, having a central place where we can manage and enforce controls and checks and balances there, that's what really empowers us for success.
Dave Vellante
>> How about this notion of AI as a double-edged sword? You've got the attackers, the adversary is highly capable, very sophisticated. Many feel like security is now even more of a do-over because of AI. As a CISO, how do you think about that? Do you feel as though you're better armed because of AI, or do you feel like wake up, you're fighting AI now?
Stephen Harrison
>> I guess it's both. You think about technology in general and through our history every seven-ish years, there's some sort of innovative changing evolution to tech that changes how we work. But AI is sort of all of those things compounded. Obviously there's the adversarial side where AI can essentially turn any script kiddie into now an advanced persistent threat. And so that means what they used to have to do research and reconnaissance on, they'd have to have some level of understanding into introducing threats into companies. That barrier for the threat actor has been all but removed with AI. They can leverage it for their attacks, they can automate tasks with it. And so it's important for us as practitioners that we do the same. And I mean it's oversaid I think where people say, AI is not going to replace you. Someone who uses AI is, and it's sort of tongue-in-cheek, but it's also real. Imagine only using half the tools at your disposal to work on any project or task. And when they can not necessarily replace people, but they can accelerate the work we do. And I think that's really where AI is going to help us. I think it's automations, I think it's the customer support side. And then I think it's insights and analytics. These are probably, across tech, the top three real AI use cases in my opinion, that are going to drive value. And it's interesting when we talk about AI, everyone has their own AI. Everyone wants to run their own, have their own data models and things like that. And it's important that we still give back to the community in some way. And so I saw this article yesterday, I want to call it out briefly. I feel like I'm plugging something here, but it's an open source project that Meta and CrowdStrike announced yesterday or the day before. The CyberSOCEval.
I can't say enough how important it is that companies, practitioners, developers, our OEM partners around the globe give something back to the community and open source because that just shows that you're not just here to get a buck, sell a product, take home a paycheck, grow your company, but you're actually delivering open source tools that enable teams to evaluate their AI, have a benchmark to score it against, see what it looks like against the security operations landscape and sort of assess yourself. That's what the CyberSOCEval is really about. And I think having it as an open source partnership between two very different companies, Meta and CrowdStrike, it really speaks to both of their commitments. I mean, maybe people would disagree, but both of their commitments towards driving ethical and sort of agnostic solutions that improve the community as a whole.
Rebecca Knight
>> Exactly.
Dave Vellante
>> Well, I mean Meta gets a lot of heat for a lot of things, Facebook, but they contributed heavily to OCP along with Microsoft, to set data center standards, big open source PyTorch, and they've always been a big contributor to open... React is another example.
Stephen Harrison
>> Oh, yeah. Yeah.
Dave Vellante
>> That came out of Meta. But something you said, Stephen, is really interesting, I think of the software industry and how much people talk about software bloat. I think it's just Excel. I used to be an Excel expert. It's like way surpassed my capabilities. But if AI, for instance could help me take more advantage of the features, you're saying there's a similar dynamic in security tooling where, and we always hear there's a lack of skill sets and you've got a real maturity model or a bell curve of skills. AI potentially can help individuals or SOCs take advantage of more of those features that they can't necessarily exploit today.
Stephen Harrison
>> Exactly. The team recently did a CTF, I won't talk too much about it, but one of my team members used AI and they came home with third place in this capture the flag event. They recognized there were skill shortages that they had knowledge gaps, and they said, okay, well I'm not going to be able to consume an API reference documentation around this challenge in a realistic amount of time to work on this, but I can use AI to sort of enable me to as a tool to solve it. Think about it like the hammer versus the nail gun. If you have your roof being replaced, you want someone coming in showing up a big crew and all they have is hammers and not a nail gun in sight? They're going to be there for like four days, five days, just pounding on your roof all day. No, you want to use the tools available that have been created to innovate and drive real results. And so I mean, I'm all about that.
Rebecca Knight
>> So how hands-on do you stay? Because you have really come up through the ranks in this industry. You've done penetration testing and digital forensics in your career, and now you are in the C-suite, the person making the decisions and the leader. Do you miss being in the weeds or how do you stay connected?
Stephen Harrison
>> I do miss, I'm a tinkerer. I help with some open-source projects. I contribute to, I like to develop in my free time. But it's a cultural thing that Tilak Mandadi, he's at CVS is one of the tech leaders there. He had this beautiful phrase that I love and it was, you don't want to micromanage your teams, but you do want to be micro-informed. And so you want to be able to understand the problems that they're working towards. So then that doesn't get lost. Those challenges can get bubbled up to your leadership team and you can make strategic choices because you know, not necessarily every minute detail, but you have a conceptual understanding of what they're working toward. And so I just strive for that being micro-informed into what their day-to-day operations, the challenges they're facing, how are those play into our roadmap and strategy. I guess I'm hoping that served me.
Rebecca Knight
>> That's a good leadership mantra.
Dave Vellante
>> Some questions around CrowdStrike, if I may-
Stephen Harrison
>> Yeah.
Dave Vellante
>> You've had partnership with them. I'm interested in, let me start at the North Star. George Kurtz laid out, I don't know if you saw the keynote this morning.
Stephen Harrison
>> Yeah.
Dave Vellante
>> Security AGI. I was like, mm, interesting. Went out there and he used the full self-driving cars as an analogy. Did that resonate with you? Do you think that is achievable?
Stephen Harrison
>> I think it's achievable. It's really where I see a lot of companies focusing right now where I'm hoping they focus is because the reality is if you go that approach, a lot of your commoditized pain points can be removed. I mean, AI can help solve, automate, deliver, and it frees up your team to get out of phishing emails and little malware PUP and PUA alerts to actually go focus on what's important to their mission, which is facilitating growth and delivery for whatever your company's goal is here. Here at MGM Resorts, our goal is to entertain the human race. What a fantastic goal. What a mission statement. I've never heard the like. And when you think about that, my team should be focused on security challenges that take away from that mission. And so if they're spending all their time responding to a phishing email or going through some small piece of potentially unwanted software installed somewhere or a rogue anomaly, and if we can rule that out as a false positive faster, they can focus on their project delivery, sort of tightening the screws on the ship and making sure that where we want to be as an organization. And that's when I heard George talk about the AGI offer and the vision there, that's what resonated with me is...
Dave Vellante
>> So presumably part of that is being able to consolidate tooling. George did say not one company can do it all. And we certainly see the partnerships that these guys have with the likes of Zscaler and Okta and others. What are your thoughts on tools consolidation? Are you able to reduce the number of tools in your stack or even slow the growth of those tools?
Stephen Harrison
>> Yeah. Well, as you deploy tools or you bring on products, the big win with sort of a centralized core, everyone should have some sort of centralized core. There's obviously solutions and all these partners around here that can deliver different use cases and drive value. But I think a centralized core is important, because that lets you address policy drift as you buy new companies, sell new companies, have new business initiatives, bring on new marketing firms, different campaigns. There's little adjustments that technology has to make to facilitate those things. And the more tooling you have out there, the more places you have to go to adjust the policies from a security prevention side, like a policy enforcement side, the harder it is. And so policy drift is a real thing. There's obviously companies out there that are focused on it. And when you think about the centralized security stack for CrowdStrike, that's one of the big advantages of it, is being able to address policy drift at its core inside the platform.
Dave Vellante
>> Thoughts on identity, specifically in the context of agents, how are you thinking about identity and agents?
Stephen Harrison
>> So with agentic AI, the identity issue becomes compounded. And so something like having a way to manage all of these identities in a centralized way. I mean just like you would with your IDP, if it's Entra, Okta, Ping, whatever it is, you need a tool for enforcement of those policies. And also as a fail-safe, which is probably... I mean, I talk about the identity module probably too much. Maybe it's why George or Mike were like, "Oh, let's get Stephen up there to talk," because I think it's an underutilized module, but it has fail-safes in place. So if a tool has a misconfiguration, you can implement a policy in the CrowdStrike identity module that supersedes that misconfiguration, prompts someone for another multi-factor check where maybe they weren't checked for whatever reason or restricted or reset a password or block the login completely. And so when you think about those responsive actions, you need to be able to apply all of those across your agentic AI, especially when you see it growing into a threat for adversaries. And you're starting to see ransomware leveraging agentic AI through different pipelines across development, like usually directed development pipelines and also Model Context Protocol, MCP servers. They're poisoning those for agentic AI to grab instructions and then go execute on those and maybe harm your environment. And understanding the access scope permissions, the identity side is top of mind for everything. And it was for the human side, the non-human side. And now with AI, it's just as important, if not more.
Rebecca Knight
>> That's a fantastic note to end on. Stephen, thank you so much for coming on theCUBE. A pleasure.
Stephen Harrison
>> Great.
Dave Vellante
>> Thank you.
Stephen Harrison
>> Thank you very much for having me.
Dave Vellante
>> Thank you.
Stephen Harrison
>> Yeah.
Rebecca Knight
>> I'm Rebecca Knight for Dave Vellante. Stay tuned for more of theCUBE's live coverage of Fal.Con '25. You're watching theCUBE, the leader in enterprise tech news and analysis.