RuneScape creator Jagex has 112 million accounts, 400 staff - and only one infosec officer. Frequent training and a mandatory security-awareness programme are the keys.

Jagex, the company behind RuneScape – the world's biggest free multiplayer online game – has always been at the sharp end of developments in identity theft. Top-performing avatars are a hot commodity. The proprietary technology that supports the game is also a closely guarded asset. Not surprising, then, that the Jagex CTO, Mark Gerhard, a CISSP-certified security professional, joined the company on the strength of his security background – or that he moved on to become CEO in January 2009.

Winning the arms race against malicious hacking and preserving the integrity of its systems are daily concerns – yet there is only one dedicated security officer on the team.

“Our approach is to arm everyone with the knowledge to anticipate and manage risk,” explains Gerhard. “This is a creative company. The traditional approach of setting policy and process is resisted.”

Jagex has a team of 400, of which almost 250 are focused on development. RuneScape will have up to 250,000 live players online at any given time, and it manages 112 million unique accounts.

The HR team has a dedicated security trainer, while courses in applied hacking are commonplace for all technical and support staff. The Jagex security-awareness programme is mandatory for all and is based on its PCI compliance efforts, which produced a detailed framework for how data should be handled, and competencies required. “We always work on the basis that people will make mistakes,” says Gerhard. “So we'll ask someone to share their password under the guise of needing help, or stage a social engineering attempt. We are not looking to sanction, but it does make people realise what they should be doing.”

The company has established an internal Jagex University. Its teachers, the employees themselves, share their expertise in seminars and mentor for content writing, design, security and the like.

When employees attend external courses, they return to become key witnesses to these programmes. Gerhard says the investment is significant, but so are the returns.

“We have a highly committed team and very low turnover. In my core technology team, no one has left since 2001.”