Decisive Resources

A Bespoke Privacy Management and Consulting Firm

The House Always Loses Without a CISO

Written by Mishaal Khan

23 Mar 2026


In September 2023, two of the most powerful casino brands in the world were breached within weeks of each other. MGM Resorts lost $100 million in a single quarter. Caesars Entertainment paid a $15 million ransom. The weapon in both cases? A phone call. No elaborate heist. Just social engineering and no one in a position of authority to stop it.

The Threat Is Real and Growing

The gaming industry generates $329 billion in annual U.S. economic activity. It handles financial transactions, government IDs, loyalty data, and hotel systems, all running on a web of slot machines, IoT devices, and mobile apps. The FBI has formally warned of rising ransomware attacks targeting casino servers. Cyberattacks on gaming more than doubled between Q1 and Q2 of 2023. The average data breach in hospitality now costs $3.82 million, and that number has risen every single year since 2020.

What a CISO Actually Changes

A CISO isn’t a firewall. They’re the executive who translates cyber risk into business decisions boards can act on. Concretely, they:

  • Stop social engineering through training culture and access-control policy: the human element drives 68% of all breaches (Verizon DBIR 2024)
  • Manage vendor risk: Caesars was breached through a third-party IT vendor; a 2025 CRM breach exposed customer data across 100+ iGaming operators
  • Navigate regulation: the Nevada Gaming Commission now mandates cybersecurity compliance; SEC disclosure rules apply to public operators; non-compliance risks your license
  • Shorten breach lifecycles: IBM’s 2025 research shows breaches go undetected for an average of 241 days without proper security leadership in place

The Objection That No Longer Holds

“This is only a concern for mega-resorts.” The FBI disagrees: smaller tribal casinos are frequent targets precisely because they have weaker postures. For a regional operator, a $3.82M breach plus regulatory fines plus reputational damage can be existential. A virtual CISO (vCISO) provides strategic security leadership at a fraction of the cost.

The Bottom Line

The casino industry built an entire science around managing risk. Cybersecurity is no different, except the house doesn’t always win. The question isn’t whether an attack is coming. The question is whether someone in your organization has the authority and mandate to stop it before it becomes a headline.

Invest in a CISO before you need one, or pay multiples of that cost after.
