The sheer amount of content being created today isn’t just putting stress on content creators, it’s also pushing the vendors servicing that content to their limits. And that means content companies are often looking for more vendors to help with the work.
But this proliferation of third-party vendors handling pre-release content has created the need for a more-consistent group of security standards, as well as the means to assess workflows, facilities and processes involved with handling the content.
That’s where the Trusted Partner Network (TPN) has become one of the more important pieces of the Hollywood content puzzle, according to speakers April 25 at a Society of Motion Picture and Television Engineers (SMPTE) event in Hollywood, Calif.
TPN is an industrywide content protection initiative, created by the Motion Picture Association of America (MPAA) and the Content Delivery & Security Association (CDSA), and supported by nearly 30 media and entertainment companies. It establishes a benchmark of minimum-security preparedness for all vendors, by providing assessments of production, post and distribution operations.
Hollywood is now fully looking at TPN to not only help vendors protect its assets and supply chains, but also establish a worldwide security community, one that shares best practices, stays on top of the latest threats, and lifts the cyberthreat awareness of the entire industry.
Janice Pearson, VP of global content protection at security consultancy firm Convergent Risks, said her company has already helped several vendors navigate the TPN assessment process, and she’s already seeing patterns emerge.
“One trend that we’re seeing with typical remediation that needs to be completed, is that due to the fact there’s so much content being created now, many of the vendor relationships the studios had for a number of years are over capacity, and can’t take their work,” she said. “So studios have to find new vendors, and those that handled lower-value content, that have never handled a security assessment, are now looking at the TPN and having to go through that process, undergo an assessment and be compliant with MPAA best practices.”
During the onboarding process, as vendors fill out initial questionnaires, Pearson added: “They’ll realize, ‘Oh, we don’t do this, we don’t do that, I don’t even know how I would remediate that,’ and they know they’re getting pressure from a content company to do this as soon as possible.” That means Convergent has seen a crop of vendors “where we’re having to give guidance on the basics, not properly segmenting the networks, regular governance on the policy side, business and disaster recovery plans.”
“Heaven forbid if an attack happens, whether it’s internal, which tends to be the biggest attack threat, or digital, they wouldn’t know how to respond in those situations,” she said. “If you don’t have a plan, you’re going to mishandle evidence, and may not be able to hold an individual accountable.”
A TPN assessment allows vendors to know exactly what they need to do next. And for content companies, the visibility of assessments via a central database that shows who’s meeting qualifications has already begun to prove invaluable. “I wouldn’t be surprised that the vendors who went through the process get more work as a result,” Pearson said.
Juan Reyes, senior director of home entertainment and technology at Convergent Risks, is also one of the first TPN Qualified Assessors, and has been involved with the development, testing and security of numerous entertainment technologies over his career. Bringing that background — understanding the workflow, IT and security guidelines around both physical and digital media — has allowed him to better understand what’s needed by vendors looking to be assessed under the TPN.
He’s done 40-50 assessments to date, covering everything from a one-person operation to a facility with 700 employees. “It’s fun to see how different organizations build out their infrastructure, how they’ve grown organically,” Reyes said. “The nice thing about the TPN program, is that it’s not about going in and saying, ‘This is what you’re doing wrong, this is where you’re not meeting the requirement.’ It’s about ‘These are ways you can make adjustments to your configurations and workflows to remediate the problem. This is how you can become better.’”
Rick Soto, VP of global IT infrastructure and security at localization and distribution services firm Pixelogic Media, said TPN has made the security assessment process more streamlined than what was available before, and that every vendor servicing content companies would be wise to undergo an assessment, sooner rather than later.
“Working closely with the CDSA, the MPAA, and now TPN, has given us the framework to set that up, and develop an infrastructure … that lets us sleep somewhat at night,” he said. “Knowledge and training. For us it’s about our employees getting to know what security is really all about.”
Ramón Bretón, CTO with quality control specialists 3rd I QC, said his company is about to go through a TPN assessment, and sees the endeavor as crucial for the overall security health of the industry.
“What I’m looking forward to, going through this process, is having more support, being involved in this larger organization with this common goal of security, and leaning on the tools the TPN provides, not looking at them as the police we need to go through,” he said. “They’re going to help us get more secure.”
John Kronick, regional director of risk management and compliance at information assurance firm NCC Group, praised the idea behind TPN, and said Hollywood’s vendor community should treat an assessment as a learning process, not a once-off endeavor.
“Any organized approach to addressing risk is good, and one thing we caution companies going through assessments in any industry … is that this is a snapshot in time. You may be good today, but not tomorrow. You have to be aware that if things change, you need to self-assess. TPN is a great step, and you have to be ever-diligent,” he said.