CDSA: Crafting the Right Production Security Guidelines Crucial for M&E Companies


Creating a set of production security guidelines is enormously helpful for media and entertainment organizations, but one size doesn’t fit all, according to the Content Delivery & Security Association (CDSA).

Systems utilized during production are becoming increasingly connected and collaborative. Each piece of this complex ecosystem of platforms, applications and facilities is vulnerable, and protecting each poses unique challenges for creatives, executives and engineers. Therefore, your strategy and approach to security are critical, as this ecosystem is distributed across multiple facilities, some controlled by a production company itself and others by a third-party solution provider.

In a “pure corporate environment,” you can write a policy and release 25-30 pages on it that “everybody will read,” then demand a meeting with the senior executives and attend some staff meetings to discuss it, Cyril Rickelton-Abdi, co-chair of CDSA’s Production Security Working Group, said July 25, during a panel session called “Production Security: Strategies and Best Practices” at the Content Protection Summit East event.

But “that doesn’t really work on the production side,” where there aren’t even any staff meetings typically, and so “we have to look at a totally different approach,” he said during the session, which was part of the Media & Entertainment (M&E) Day at the Microsoft Conference Center.

He and moderator Lulu Zezza, chair of CDSA’s Production Security Working Group, discussed best practices for analysis, integration and adoption of tools, technologies and culture.

A few years ago, Zezza was a studio physical production executive who had nothing to do with IT and security, she pointed out at the start of the session. But she said: “Slowly but surely, as our work processes were moving into the cloud, and our crew were bringing more and more sophisticated devices, we just realized that we had no idea where our IP was ending up. Crew were going home at the end of shows and taking all our IP with them.”

At New Regency Productions, she spent five years focused on how to “wrangle and get control of our IP,” and that eventually evolved into overall cybersecurity for its productions, she said, noting that’s how she became involved with CDSA.

Before his current position as director of IP protection at Disney, Rickelton-Abdi worked for a broadcaster that was in a “race” to create “more and more content,” he told attendees. While it was making progress with anti-piracy enforcement and rights management, “we had almost nothing around” security for its productions despite hearing an increased number of “scary stories” around production security, he said. So, they turned to CDSA for guidelines on how the organization could build its own production security “program in a box,” he said.

The first version of a production security policy that wound up being created turned out to be an extensive one that didn’t have a “one size fits all” approach, he said. It was also important to create “dedicated guidelines for each of the roles within a production,” he noted.

CDSA’s production security guidelines have been “out in the field for eight months,” Zezza told attendees. She learned that, as of late July, there were “six studios actively using them … which is fantastic, but what we also learned is that they’re … still too long and too complicated for a production crew,” she conceded.

Therefore, “version 2 that we’re just embarking on will be actually about creating prescriptive digests, [where] if you have this situation, here is the one pager [to] just do it and if they want to know why they can go to the ‘bible’ and look at the long version and have it explained to them,” she said. But she added: “The feedback has been that the filmmakers don’t want to know the why. They just want to be told … how to move forward.”

Studios using them are creating those digests themselves and the hope is that “we’re going to pull those together and create a unified set of recommendations,” she told attendees.

“I would love more feedback from the industry” on what areas may have been left out, she said, noting there was just recently a meeting to discuss “areas we need to bolster,” such as how to deal with drones flying over sets.

“One can’t shoot a drone,” Rickelton-Abdi pointed out. “And we can’t block their transmissions either,” Zezza added.

At Regency, Zezza said, she always met early on with key people on a production’s team to go over guidelines and then add annotations with issues specific to each production. That “definitely helped engage the filmmakers in acceptance of the guidelines and policies…and then they really didn’t also have an excuse to say ‘we’re special and we’re different’” because that had already been acknowledged and factored into the guidelines, she said.

“Our intention is once the best practices are issued… we will be analyzing them and bringing them down to the customer — our production level,” she went on to say, adding: “That will be in version three of the guidelines.”

The 2019 M&E Day, which also included Smart Content Summit East conference tracks, was produced by the Media & Entertainment Services Alliance (MESA), in association with CDSA, the Hollywood IT Society (HITS) and the Smart Content Council, and was presented by Microsoft, with sponsorship by Akamai, BTI Studios, Independent Security Evaluators, LiveTiles, MarkLogic, RSG Media, ThinkAnalytics, Amazon Web Services, the Entertainment ID Registry (EIDR), the Trusted Partner Network (TPN) and Richey May Technology Solutions.