Due to rapid technology advancements and the evolution of platforms, security in the media industry has taken on a new sense of urgency. Media organizations reported more than 2,700 breaches, according to Verizon’s Data Breach Investigations Report in 2016. Whether it’s attackers accessing a network through phishing, user credentials put at risk due to a third-party breach, or hackers gaining control of smart electronics, media organizations across the board are feeling the pains of security breaches.
The Major Media Security Summit Purpose
To get the big picture of today’s security landscape and best serve users, our strongest defense is to share our resources by discussing best practices and exploring the latest issues collectively.
We set out to put together an intimate event where top security leaders and practitioners could candidly share challenges and wins across the media industry. At the summit, prominent security leaders from more than 20 of the largest broadcast and media brands were represented.
Please note that this was a private event and we adhered to The Chatham House Rule.
The State of Security in Media
Our keynote speaker kicked off the day by diving into the current state of security within high-profile media companies. He wanted to restate the following points to our attendees:
- Security conditions are still sub-optimal. In security, conditions are often non-optimal; teams are understaffed and budgets are tight. While it’s impossible to reach complete security, he stated, “as long as we are closing the gap between the fix and perfection, we are doing well.”
- It’s still easier to attack than defend. There’s a misconception that hackers are more clever than those who build security systems, but as our keynote speaker put it with a laugh, “A four-year-old knows it’s easier to kick down a Lego castle than to build one.”
While acknowledging that it’s not an easy time to be in security, he pointed toward exciting technology shaping security’s next steps, including machine learning and the expansion of real-time information sharing.
Session 1: The Challenges Security Engineering Teams Face in Defending High Volume Websites
Our first panel focused on securing high volume websites. Panelists from large broadcast and streaming media companies discussed approaching application security at scale.
- Automation and prioritization. Team resources are often limited. A panelist emphasized, “Automation is the heart of the appsec program,” and added, “Risk management is huge, you must find your high value targets and protect those first.”
All three panelists agreed that deploying technology with a high false-positive rate is a non-starter, because teams are under pressure to produce, and that security needs to be an enabler rather than an obstacle.
Session 2: A CISO’s Eye View in the Media World
Our second panel shifted the conversation toward security from a CISO’s perspective. CISOs from major broadcast and studio media brands talked about the following challenges and priorities their larger organizations face daily:
- Top-down management. CISOs need company-wide buy-in, and it’s still a major challenge for the majority of CISOs across any industry.
- Big data. There’s still a ton of uncertainty with Big Data. For example, how is it being used and how is it being protected?
The media world is evolving, yet the industry also has a long tail of old technology, and this wide range in types of content and ways to access it makes security more difficult. Gaining and maintaining visibility into security was the overarching theme of this discussion.
Session 3: Incident Response in Major Media and Financial Services
In panel three, information security VPs in both major broadcast media and financial services covered threat intel and incident response across those two industries.
- Risk-ranking. “You have to say no to things in order to get to the important things,” which requires strong communication skills.
All panelists thought embedding application security into the entire IT organizational structure and culture is important to creating an effective security organization.
Session 4: Securing Major Film Productions
The day was rounded out with the fourth panel, which took a look at securing major film productions. Panelists centered on their biggest challenges and developments.
- Reeling in security in an environment where there are just so many components. Variables that need securing include BYOD policies, migration to cloud, third party vendors, and production staff.
- Improvements in security awareness and education. Security awareness and end user training are key components to a strong film security program.
- Expanding security. Panelists also noted that while guidelines for film security are usually around protecting content, other areas like PII and healthcare are now stepping into the spotlight.
We hope the conversations at Major Media Security Summit brought value to you and your organizations, and we appreciate the open dialogue the community created.
A big thanks to the security leaders that participated in the Major Media Security Summit, sponsored by Signal Sciences, Duo and Bugcrowd, and hosted by Turner.
If you are interested in learning more about how Signal Sciences can help your organization tackle the application security challenges highlighted in the Summit around defending high volume websites at scale, getting better threat intel, eliminating false positives, all while expanding your use of the cloud with faster and faster moving DevOps teams, let’s get in touch!
Signal Sciences is the industry’s first Web Protection Platform (WPP) providing both Next Generation WAF and RASP technologies. Signal Sciences WPP was built in response to our own frustrations of trying to use legacy application security approaches while enabling business initiatives like DevOps, cloud adoption, and CI/CD.