UNIVERSAL CITY, Calif. — Martin Mazor, chief information security officer for Entertainment Partners, spent roughly two decades in various security roles in different industries, most recently in defense, before coming into entertainment last year. And he has a sobering message for the media and entertainment sector.
“Security may be a fact of life for us, but there is some real fear here, and the fear is real,” he said, speaking May 25 at the HITS: Spring 2017 event. “Hollywood … the industry itself is a little bit behind. You see a lot of compromises, you see a lot of breaches.”
His presentation — “Feeling Insecure? Get Smart on Security” — looked at what media and entertainment firms are doing wrong and right when it comes to the various tools available today to combat the wide range of cybersecurity threats they’re facing.
“There are tons and tons of tools, tons of vendors who will sell you this wonderful new product that may or may not work, that you may or may not implement, the value proposition looks good on paper, but it doesn’t do much, this is the stuff we see,” he said. “It’s not simple. You can’t just deploy any one of these tools to fix [a problem], the answer isn’t to buy a tool, deploy it, and say ‘check, we fixed it.’”
Entertainment Partners’ recommended strategy for securing your company assets starts with the people and processes, with technology coming next, Mazor said. Pick what’s important and what’s not, define your adversaries, apply appropriate threat models to who may attack you, “build a strategy and don’t overthink it.” Define your focus, bring in the right cybersecurity talent, embed a culture of compliance into your organization, know you’re going to be breached, prevent as much as you can, and be ready to respond when something does happen, Mazor said. Because it will.
“What are you trying to accomplish, what are you trying to protect? That’s the ideal strategy,” he said. “You can’t protect everything, there will be compromise, and if you know that going in, that you won’t be 100% protected,”
Meanwhile, during the presentation “No Country for Old Security,” Joel Sloss, senior program manager for Microsoft Azure, offered insights into the standards available today to protect productions and intellectual property, including the Content Delivery & Security Association’s (CDSA) Content Protection and Security (CPS) standard, the MPAA’s best-practices guidance, and the Cloud Security Alliance’s Cloud Controls Matrix 3.0.1 (CSA CCM 3.0.1).
Each can play a part in fighting the various threats out there today, Sloss said, but media and entertainment companies need more than standards to protect themselves: they need a plan. “There are a lot of organizations out there today that, unfortunately, are learning the hard way, how important it is to have security processes, resiliency processes, and fundamental IT architecture. To a certain extent, you have to plan for failure.”
Auditing, focusing on compliance, and planning ahead are all must-haves in today’s cybersecurity reality, Sloss said, so that when disaster does strike, your company is in a position to recover, and quickly.
“It’s a fallacy to think you haven’t been breached,” he added, pointing out that at Microsoft, the company is always under attack, and knows it. “You just may not be aware of it yet.”
Media and entertainment faces a number of cybersecurity issues, including ransomware and stolen content being held for ransom, threats against production information, malware that’s been sitting in systems for years, attacks on storage archives, social engineering threats, and more. “On the defense side, we have to be right every time,” Sloss said. “[The attackers] only have to be right once.”
He said running a secure organization leads to compliance with security standards, and vice versa. In media, part of running a secure organization comes down to looking across the organization and seeing that compliance isn’t limited to industry-specific standards: credit card transactions, health care, and other non-entertainment standards must be addressed as well.
For cloud usage specifically, the benefits are obvious (scalability, worldwide collaboration, lower costs and overhead), but making sure it’s secure also means establishing who’s responsible for what. Where does the cloud provider’s responsibility end and where does your company’s begin? Determining that correct security mix is more crucial than ever, Sloss said.
HITS: Spring is the largest gathering of the L.A. entertainment community’s most senior IT executives and technologists. More than 500 people attended HITS: Spring on May 25 at the Sheraton Universal Hotel in Los Angeles. Produced by the Media & Entertainment Services Alliance (MESA), in partnership with the Hollywood IT Society (HITS), the Content Delivery & Security Association (CDSA), and the Smart Content Council, HITS: Spring is presented by Entertainment Partners, with sponsorship by Box, TiVo, Avanade, Amazon Web Services, Expert System, IBM, MarkLogic, MediaSilo, Microsoft Azure, Composite Apps, Deluxe, EIDR, HGST, SAS, Sohonet, Sony DADC NMS, Zaszou IT Consulting and Ooyala.
For more information visit HollywoodITSummit.com.