CDSA

Work today happens faster than ever, and that makes the challenge of protecting sensitive data even more complex than in years past. For the media and entertainment industry, having a strong strategy to protect content is not an option —  it’s a must, according to executives at Box and Amblin Entertainment.

The average cost of a data breach worldwide is now $3.9 million and 90% of all cybersecurity claims stem from some form of human error or malicious behavior. As a company’s valuable data flows in and out of the organization — across teams, partners, vendors and customers — the old-school approach to information security just doesn’t get the job done anymore.

“Trust and transparency are two key pillars in the way we operate today, especially with trusted ecosystem partners Amblin… and the MESA community,” Lakshmi Hanspal, global chief security officer at Box, said Nov. 12 during the webinar “Security For The Way We Work Today.”

Important to consider, she said, are: “How are we building trusted products, maintaining and operating trusted environments — but, more importantly, advocacy of trust to customers, to partners and to our business stakeholders?”

Box has more than 100,00 customers across multiple industries, including M&E, but “there’s a common web – there’s a common fabric of trust across every ones of these verticals,” she told viewers.

“Dialing the knob may be different for each one of those verticals…[but] the common thread that can be weaved across all of this is currently each one of them recognizes that there is a new normal in play,” she noted, adding: “The future has fast forwarded in some way and how do we sustain the play mode right now?”

Life sciences clients approach Box now saying they have two top priorities: “Security and the vaccine” to COVID-19 – “and in that order,” she pointed out.

“What’s important is that communities like MESA are not afraid to make a change – not afraid to be the frontrunner, not afraid to be riding the edge of the wave in adoption, in challenging status quo in how you want to do it, and I think part of it is that… the future is on fast forward [or] has already fast forwarded and you are adapting and adopting solutions and platforms like Box that are [on] that journey with you for enabling more of that  transformation to happen,” she said.

Adopting the Cloud Early

Amblin Entertainment adopted the cloud early on, Shira Harrison, VP of information technology at the company and executive committee board member at the Content Delivery & Security Association (CDSA), noted.

“We partnered with Box a few years ago,” and it has proven to be “very helpful for production,” she said. That is especially the case now, after the entertainment industry was forced to go remote in recent months.

“We do a lot of remote” work at Amblin, she said, explaining: “Even before the remote became remote, we had movies on sets in different parts of the world. We have people who actually work remotely. We have an office in New York. We have people [who] work from all kinds of places. So we adopted it early on. So it’s actually made our work from home transition much simpler because we already had the infrastructure.”

Although security is important, it “should never compromise the functionality,” she went on to say, explaining: “I can’t tell somebody you can’t do it because of security. I have to make it work. And I think that this is exactly the ecosystem when I can make it work, without compromising anything.”

Is the Cloud Inherently Secure?

Asked by moderator Guy Finley, MESA president, if the cloud is inherently secure, Hanspal responded: “That question has to be taken at the point of time of being asked. Let’s say you asked me this question 10 years ago…. I would have said the cloud needed a lot of bring your own ‘blank’ – bring your own ‘X.’” And that “X” could have meant a firewall, as just one example. “And I would say, ‘yes, then we can make it secure.’”

However, “fast forward now – 10 years, a decade later – [and] the expectation on providers is that the cloud is inherently secure,” she noted.

“But the caveat is there’s still a model of shared responsibility… shared responsibility between consumer and providers… And understanding the boundaries of that shared responsibility is important,” she said, adding: “No one party can make it completely secure. It is a tango. It is an orchestration. And understanding what that looks like is that shared responsibility model. If we understand that, then, yes, it is inherently secure. It can inherently accelerate your transformation and decision-making and amplify the way you can deliver to your own customers.”

Harrison’s take, meanwhile, is “when it comes to security, nothing is bulletproof — nothing,” she said, adding: “The most dangerous element to any security is the people – the users – at the end of the day. So there is a human element…. It doesn’t matter what system you use – cloud or not cloud. It’s the users that need to be trained. The systems needs to be allowing for security…. Most of the clouds are allowing this right now. But you still have the element of the people and the users. So it’s not inherently secure.  But it could be. It could be if you take the rights steps and measures to make it happen.”

Hanspal agreed on the significance of the human element, saying: “I think that’s very important.” And it is also important to “be the best advocate for security around our content,” she said.

What she has seen in her 25 years in the field is that, when it comes to threats, “the percentage that is malicious is far less than the percentage that is legitimately ‘I was trying to do my job – I did not know there was a better way how,’” Hanspal said.

“Controls need to be innate to the platform” used for security – “built-in, not bolted on, because when it’s built-in, it takes into account user experience [and] user enablement and also the business risk tolerance,” she told viewers.

It should have the “right set of knobs that I can dial to the level of my risk tolerance” and provide  detection, as well as “just-in-time education” for when a user does something out of policy and/or not part of that person’s normal behavior, she noted.

Using Psychology

Using “some psychology” is helpful also because “what people want at the end of the day” when it comes to a security solution is something that is “accessible, that they understand” and not overly complicated, Harrison said.

At the same time, “what I want to know is something different: I want to know what they’re doing,” she noted, explaining: “I want to make sure it’s safe. I’m willing to watch it for them. But I don’t want to take away from them something that is easy for them. I don’t want to make” their work harder.

Therefore, a security solution should be a tool that makes peoples’ lives easier and, if that happens and a company gets more security, then “everybody wins here, he said.

The users want it to be fast and they want to be able to do everything remotely that they can at the office, she added.

One way to sell an organization’s staff on attending training sessions is giving them free food, she went on to say, noting her company holds pie days to make them more fun.

The Pandemic’s Impact

We are all trying to “reconfigure while we recover” and “there are habits of a lifetime that have atrophied during this lockdown,” Hanspal said.

“There are new habits” that have formed during the pandemic, including remote movie watching via Zoom, and “this is all paving the way for hunger for accelerating digitization,” she noted.

“The recipe in my mind for sustained, secure work – be it remote or be it in some hybrid form when we all emerge out of this in some reasonable time – is going to be [somewhat] back to basics,” she told viewers.

And that will include malware detection “for any data access, wherever the data may be” and “differentiated trust for devices” that allows people to use either their company devices or their personal ones to access data, she said.

Classification of content is also important, along with translation of corporate policies that “make it more actionable” and “just in time—make it more in context for what the user is trying to do,” she said.

Compliance is also important, Harrison said, noting that’s why there are audits conducted in the media and entertainment industry.

“This is what we have TPN for,” Harrison said, referring to the Trusted Partner Network joint venture between the Motion Picture Association (MPA) and the Content Delivery & Security Association (CDSA) that audits M&E companies’ vendors.

“I think you have two types of users: People who love new changes and people who [say[ ‘don’t change anything because if you move one thing to the left I’m going to die.’ And there is a solution for both of them,” Harrison added.

Different industries, meanwhile, can learn from each other, Hanspal pointed out, noting: “Every industry is looking for frictionless security and compliance, workflow integration. So how can I make more of my content work for me?”

Also discussed during the webinar was the importance of zero trust security policies. Asked by her kids what the concept meant, she recalled that she explained it to them as: “In God we trust. Everyone else pays cash.”

However, she added: “We need to pivot from ‘In God we trust. Everyone else we verify’ as a model, which is what zero trust is, “to differentiated levels of assurance, and that’s where the trusted ecosystem, the trusted partnerships [and] trusted platforms come” into play.