- Security should be considered from outset of production
- Production cycles and environments can make security difficult to implement
- HBO’s Marc Zorn said should be considered in pre-production
SMPTE 2019: Security is a key concern for the media industry but security needs to be integrated into production cycles from the start, according to HBO’s Marc Zorn.
Zorn, who is head of production security at HBO, explained that while cyber security for distribution and post-production is often well-established, it can be overlooked in the main production cycle.
“Traditional infosec works well across most industries, with security professionals generally well-trained people who know what they are doing,” he said during SMPTE’s security track on the third day of the LA conference.
“It’s easy to think this would apply to any industry but it doesn’t always apply one-to-one to an industry as dynamic as media and broadcast.”
The rapidity of production cycles, especially on shoots that span multiple locations and temporary sets, means setting up secure enterprise networks is often an afterthought. Yet that same need for speed during a shoot means there is little time to set up additional security, said Zorn.
“One thing I hear over and over again is that ‘data is data’ and content is just another form of data,” he said. “But it’s more complex than that.”
Traditional infosec requires things like central storage, applications that are secure and tested, and strict compliance codes.
“But this doesn’t apply to a lot of what our industry does because we’re always moving. The technology is constantly being updated. The applications that we use have updates all the time, with new standards being agreed upon.”
Media and entertainment also spans such a wide range of creative content, he said, such as TV and film, esports, live sports production, CDNs, OTTs and more.
“We also don’t have static business models. Every production has a different contract, different needs and requirements,” he added. “That means we don’t have typical production processes.”
This raises the question of where the industry sets a baseline for security, given the rapidly changing technology and processes involved in production.
“We scope out a venue, move in and shoot,” he said, but this means setting up temporary local networks. “We then need to secure the data transfer.”
Productions are also reluctant to install security that is costly or slows down production. “Once a production is shooting, once the trucks are rolling and the cameras are rolling, they don’t want to be interrupted at all.
“So, you can’t show up and say you want to audit them mid-shoot – they won’t want to talk to you and won’t even pick up the phone.”
The solution is to take a different perspective, explained Zorn, by engaging in discussions around security from the pre-production stage at the latest.
This could include rules which classify assets and establish handling procedures; assuming a “minimum necessary philosophy”; and thinking ahead, about both metadata and information about productions.
Security also goes beyond cyber concerns, with policies needed for information about the production, verification of identities and access, and communication with outside bodies.
“We want to think ahead,” he concluded. “Make it a point to build a relationship with the infosec people from the off. Find a trusted security partner that you know is good at what you do, but also at security. Some companies may be good at infosec, but they may not understand how production works. Find partners who do.”