For the last several years, media organizations have been targets of cyber attacks, making application security more important than ever for this industry. According to a 2018 report by Akamai, SQL injections, DNS attacks, pirated content, and DDoS attacks were the most common cybersecurity incidents experienced by media organizations. The multitude of attacks to which organizations could be vulnerable, combined with the sheer number of people, applications and devices involved in media production, has put organizations in a place where there are more avenues than ever for hackers to infiltrate.
On top of this, the report notes that only 1% of media companies feel “very confident” in their cybersecurity. Juxtapose this with the DevSecOps Community Survey 2018, sponsored in part by Signal Sciences and Sonatype, which found that companies actively engaged in DevSecOps practices feel significantly more prepared than those using more legacy software development practices.
Media Security Summit
Last month, Turner, Duo, Datadog and Signal Sciences hosted the second annual Media Security Summit–this time in New York, one of the world’s media capitals.
70 industry leaders from the security, cloud and DevOps teams of over 50 media organizations were represented.
The security industry’s collaborative “we’re all in this together” mindset is one of its strongest defenses when it comes to protecting people, data and ultimately, money. With the Media Security Summit, we aimed to foster an environment where professionals would come together to openly share challenges, issues and best practices. Various topics were covered from technical security, to security awareness and culture, to the crossover to physical and journalist security.
Presentation: Fast Forward: Reflecting on a Life of Watching Movies and a Career in AppSec
Our first speaker shared his experience securing the cloud environments of one of the major media streaming companies.
- Security needs to be simple for various teams (security, cloud, engineering) to participate in. Security can simplify the developer experience and these teams must be cross-functional.
- Promote self-service in security and measurable security actions. Promote transparency in controls and decision making.
Panel: CISOs: Defending Digital News & Content
The first panel focused on securing digital news. Panelists from major news organizations discussed what it takes to secure digital news and the newsrooms in which stories are created.
- The newsroom is very targetable due to its market-moving content, and security professionals must look at business risk as well as cyber risk.
- Security professionals must loop security into the cloud where there may not be any, as businesses move to the cloud at rapid rates. Security solutions that deploy and scale in the cloud are ideal here.
Presentation: Building A Culture Of Security in the Newsroom
Our speaker focused on how she bridged the gap between security and journalists at a well-respected news organization.
- Security professionals at news organizations have unique challenges because they are not only defending applications, networks, and data, but also defending people. Therefore, it’s important to have a strong relationship between security and journalists. At this organization, the security team sits right in the newsroom.
- With journalists, you are often building their security knowledge from scratch. It’s important to embed security into the culture to promote discussing, sharing and mentoring.
Panel: AppSec in the Cloud, in Containers, and with Growing DevOps Practices
This panel focused on securing applications in a world that is leaving legacy practices behind and adopting cloud, containers and DevOps.
- Compliance-driven security is a thing of the past. The business now demands that security move at a quick pace and lead with smart, practical security.
- A strong relationship with the development team is one of the best things security can do. By allowing dev teams to participate in and use security tools, security becomes “baked in, not bolted on.”
Presentation: When Security DevOps Meet
Our speaker came from one of the largest streaming companies and shared the organization’s DevOps journey.
- Security is starting to be seen as part of the greater good of the company. Security practitioners must “build guardrails, not gates” that allow for business goals to be met.
- Security must be more of an engineering body than a compliance-based function.
Panel: Defending Reporters: A Discussion about Journalist Security in the Field
Our last panel shifted focus to a less technical topic, and participants shared how defending reporters fell under their job as security professionals.
- High-risk journalism is defined as any story that could put a journalist or the news outlet at risk. This can be determined by the areas they are physically in, the types of stories they cover, and who they talk to–any story could become high-risk due to public response.
- Journalists need to feel safe and backed by their organization, so that they can share boundary-pushing stories and not self-censor.
- Coverage is an editorial decision, not a security decision, but once that decision has been made, it is security’s job to keep the journalists and stories secure.
The Summit’s open dialogue shed light on several challenges and triumphs practitioners are facing, and we truly hope all attendees benefited from the sharing of information.
A big thanks to the security professionals that attended and participated in the Major Media Security Summit, sponsored by Signal Sciences, Duo and Datadog, and hosted by Turner. We look forward to next year’s event!
*Please note that this was a private, invitation-only event and we adhered to The Chatham House Rule.
If you are interested in learning more about how Signal Sciences can help your organization tackle the application security challenges highlighted at the Summit, while helping you securely and seamlessly embrace DevOps and cloud, let’s get in touch.