
CPS 2021: CDSA Explores Connection Between Leadership, Management, Business Decisions

There is a significant connection between leadership, management and business decisions that technology companies can leverage to strengthen their security strategies, according to the Content Delivery & Security Association (CDSA).

“I clearly have this philosophy that we’re all in this together and I look for other leaders that have similar philosophies,” Richard Atkinson, CDSA executive board member and treasurer, said Dec. 16 at the Content Protection Summit (CPS) event, during the session “Building Leadership Across Our Technology Communities.”

Noting that he reached out to Microsoft about 18 years ago, Atkinson said he wound up meeting fellow session speaker James Dunkelberger, CDSA chairman emeritus and senior director, product release and security services at Microsoft.

“From probably the initial conversation, we knew we were on the same page from a leadership standpoint,” recalled Atkinson. “Even though we were in two very different companies doing different things, we both immediately started just sharing” what each one’s team was working on, he said.

That sharing “ultimately was super valuable because they were tackling things that were really advancing the way we were addressing things, and we were filling in gaps in the way they were doing things,” Atkinson told attendees.

Noting that the two of them recently spoke about the CDSA’s strategy and opportunities, Atkinson said: “It was clear to both of us that, within CDSA and the framework we have, we have kind of a golden opportunity because we have great leaders within the organisation and within the kind of the next ring… that all of us can draw on and… we should work to bring some of that leadership, that experience, to this community in ways that we can all learn from.”

“Shocked, Stunned, Amazed and Delighted”

At the time they met, Dunkelberger recalled he was in charge of anti-counterfeiting and anti-pirating technology at Microsoft, largely focused on the physical supply chain.

Dunkelberger was doubtful initially that he could learn anything from Disney, he conceded. But “I was shocked, stunned, amazed and delighted – I think in that order – with how much we had in common and how many of the common challenges that we had,” he recalled.

The companies used different tactics as part of their content protection initiatives but their “strategies were entirely leverageable,” Dunkelberger said. “In fact, one of my most impactful strategies in terms of changing the mindset of execs that I was working with, was trying to shut down grey market piracy and implement some kind of sales programme controls, came directly from Richard.”

It has been “probably the single most fruitful industry relationship I’ve had,” Dunkelberger went on to say. “Every time we have a conversation, there’s always something new that I take away.”

“Follow the Money”

One leadership theme that Dunkelberger said he learned: “Follow the money” when it comes to understanding piracy behaviour and what might drive consumer behaviour, in order to protect content from pirates.

Microsoft developed a leakage prevention number to gauge the level of piracy and estimate the potential loss of revenue from it, Dunkelberger pointed out.

But there can’t be too much security that customers have to deal with, Dunkelberger warned, explaining: “If you make something super, super secure, it would never get in the hands of your customers. There’s only so much you can do and there’s kind of an acceptable level or tolerance” for security initiatives. As an organisation, you want to make sure the “friction” level isn’t “insurmountable” for customers, he added.

Knowing the value of security controls has been very effective for Microsoft, Dunkelberger also said.

“Fifteen years later, we still use that measure of leakage prevention to score every programme across the company in the way that we sell to our customers,” he added.

So that strategy that he learned from Atkinson, at the first CPS, “kind of changed how we approach our leadership of the services that we’re trying to provide and the controls that we’re trying to put in place at the company,” according to Dunkelberger. “It changed everything,” he said.

Going further into depth on the strategy, Dunkelberger said: “The approach is you look at what the risk is of any particular target audience you’re trying to reach and the controls that are going to be in front of them accessing the content you want, at the price that you want to give it to them, and we kind of right-size the controls based on that risk.”

He added: “It works so that those programmes are the ones that fund the controls that need to be in place in order to safely deliver the product and/or service to our customers.… It is part of doing business. It is the way you do business securely and maintain customer trust.”

The Importance of Trust

What it all comes down to, Dunkelberger said, is: “We recognise that a major security incident can change buying behaviour for years to come. And it’s in our best interest, both financially near-term and long-term, to do everything that we can to protect our customers from any sort of service attack and to keep the data safe and to stand for trust in the industry.”

During his 26 years at Microsoft, he said: “The cultural shift that I’ve seen at Microsoft, particularly over the last seven or eight years… is just absolutely consistent across the entire company. Microsoft runs on trust. Period. And so every single decision that people make in the trenches [is] based on: Does this engender trust? Does this back up the trust promise for our customers or not? And, if it doesn’t – if we’re about ready to take a step that might be a short-term business gain or something along those lines but doesn’t support that overall goal of Microsoft runs on trust – it doesn’t happen…. Years ago, that wasn’t the case.”

He went on to tell attendees that “it’s never been easier to be in security at Microsoft than now.”

After all, he explained: “A lot of stuff is getting done that we’ve always viewed as, ‘Boy, if we had no limits, what would we do and how would we make sure that we’re secure not only today but 20 years from now?’ We’re laying the foundation for security for the industry and the entire computing ecosystem for the next 20 years. And so now I get to work on those sorts of things rather than [play] whack-a-mole in terms of piracy…. I’m super proud of the work I get to do every day.”

CDSA Leadership Forum Planned

“As we think about putting leadership more directly right into CDSA, we’re trying to do a couple of things,” Atkinson told attendees.

One of those plans: “We’re going to try to have what we call a leadership forum going forward,” he pointed out.

The goal is to have consistent, scheduled sessions that are probably going to be virtual, at least initially, with speakers who have done something relevant of note in an “ask me anything”-type format, he added.

A Future Challenge

Asked an online question on what Microsoft’s strategy is for quantum computing defence, Dunkelberger told attendees: “It’s multi-fold. But the key to everything that we’re doing is based on crypto agility.”

With that in mind, he explained: “We recognise quantum computing is going to have some impact on cryptographic security around the world. We don’t know exactly what it’s going to do. There are obviously lots and lots of guesses, lots of estimates of how long cryptographic algorithms will last in a quantum computing world, etc. etc. There’s a lot of talk about quantum resistance algorithms so that you make sure that you’re using the very best in algorithmic protection.”

To that end, he said, Microsoft is “investing in all of those things but what we’re really looking at is a concept called trust resilience so, if we have a breach of some kind from a cryptographic standpoint,” the company is prepared to handle it.

He added: “What we’re trying to do is build a redundant set of algorithms and a redundant set of cryptographic secure keys so that we can very rapidly switch from one to the other if need be. And so we’re developing this concept and building it into the compute platform across the entire company to make sure that we are as resilient as we can be and also very fast in response in the event of – and I think the eventual, absolute certainty of – a cryptographic compromise based on quantum computing. I don’t know exactly when it’s going to happen but I know it will. And so, we’re trying to get ahead of it as far as we can by building as much redundancy as we can and as much resiliency as we can across every stage of it.”


The Content Protection Summit was open to remote attendees worldwide using MESA’s recently introduced metaverse environment, the Rendez.Vu-powered MESAverse, an interactive 3D-world that allows for hybrid live and virtual events.

The event was produced by MESA, presented by IBM Security and Synamedia, sponsored by Convergent Risks, Richey May Technology Solutions, PacketFabric, archTIS, Code42, INTRUSION, NAGRA, StoneTurn and Vision Media.