Interview: Melody Hildebrandt, 21st Century Fox

In many ways, Melody Hildebrandt is at the centre of a global storm at the moment. As Global Chief Information Security Officer at 21st Century Fox (21CF) she finds herself somewhat inevitably caught up in the massive potential movements of capital and existing movements of information as both Comcast and Disney battle to buy the company.

“On the one hand it is business as usual,” she says from her New York office. “We still have a business to run and a business to protect, so we still need to keep our eye on the ball and need to keep executing. On the other side of things, during this time of M&A there are a lot more external pressures and there’s a lot more interest in the firm. There is also a lot of sensitive information that is being passed between the various parties that are involved, and that leads us to having to be more vigilant than normal.”

Vigilance though is at the core of what Hildebrandt does. And while tales from CISOs at other companies often speak of the difficulty of achieve buy-in from boards reluctant to allocate resources to another cost-centre in the company, she reports a culture at 21CF that sounds significantly more enlightened.

“I think no one has their head in the sand right now. Everyone is very aware that we are in a heightened risk environment and we need to be over-investing in the area.”

Wargames and Risk
Hilderbandt’s route to her current position has been an interesting one. Having studied at the American University in Paris, she ‘stumbled’ (her own words) into an opportunity with US-based government services company Booz Allen Hamilton to design military and strategy wargames.

“I was really lucky to get the war gaming opportunity which I fell into because I was a very passionate amateur board gamer,” she explains. “I was the most junior person in the room at all times, able to be a fly on the wall for some of the more interesting military decisions that were happening around how to prepare for future threat areas.

“The fun part of it was in designing scenarios and designing the game mechanics to enable the participants, in this case generals and admirals and commanders, to be able to talk through the real issues and not get distorted by the mechanics.”

Cloud migration will solve entire classes of problems that people are focussed on today, so I hope in five years we’re having a fundamentally different conversation about network security’

The work for BAH led her to understand that the average government employee is hardly working with state of the art technology. So when she came across Palo Alto-based Palantir Technologies, she was instantly attracted to their idea of trying to bring Silicon Valley tech into government departments. She joined as employee number 200 in 2010 (it currently has somewhere north of 2000 employees) where she followed a path that essentially involved tracking bad guys. It saw her looking into first money laundering and rogue trading before she then got drawn into the world of cyber security.

“That’s where Fox found me,” she says. “I pitched Fox on Palantir’s products and a few years later the CTO offered me a job.”

Interestingly, one of the first things she did in her new job was to hark back to the days of designing wargames. Wargaming, she says, is a way of thinking about a problem; of questioning your plans and the assumptions they are built on and testing them under duress.

“So one of the early things I did here was see how we would perform under the conditions where an event was underway. How do we actually react to it. Do we have the data we think we have? How long does it take for us to come to decisions? Do we have the right tools to work through the problems? I was passionate about bringing that mindset here.

“When you’re working in a highly complex environment, which Fox is because it’s so diverse, the risk surface is complex but so are the internal dynamics. Wargaming is a good way to learn to deal with threats that you’re not dealing with on a day to day basis. You have to fake opportunities because otherwise when a real one comes it will be the first time you’re going after it.”

Global defences
As Global CISO, Hildebrandt is responsible for the cyber security posture of a lot of diverse businesses in a lot of different areas, including 20th Century Fox Film, Fox Networks Group, National Geographic Partners, Fox News, Star India and others.

She joined from Palantir in June last year, right in the wake of the high-profile content hacks against Netflix and HBO and in the fallout of the global WannaCry, Petya and NotPetya ransomware crisis.

“The defences against ransomware have really matured,” she says of the year since. “Meanwhile, with some of the other things that have emerged, particularly around our news business and the rest of our live operations — the World Cup, the India Premier League — I’ve grown a new appreciation for the threats surrounding delivering live content. I think I’d under-appreciated the fact that the underlying technology around delivering live broadcast is much less mature from a security perspective.

While live remains a potential Achilles heel in operations, the past year has also seen an industry-wide raising of the bar when it comes to dealing with risk, one that applies to all elements in the production chain.

“Without question there has been a levelling up of abilities. A third-party underinvesting in security is not allowed now. I don’t think any major content party is working anymore with third parties that don’t have a proper security programme. Of course, from a third-party perspective there is still lot of work to do, but the bar on expectations has been raised.”

Collaboration is one of the ways that Hildebrandt sees that bar being raised further as well, not only externally but also internally within the company. As she says, it makes no sense for a LA-based team to be making technical decisions about the security surrounding the IPL underway in India

“We have a fairly decentralised operation by design, so I think of my role as setting out the vision of where the bar is for 21CF globally and then aligning all of our individual businesses to that vision. There are some things that I mandate, such as end-point protection, and there will be more global decisions like that in the future. But more important is being able to align the teams to the reality of the threat we are facing and give local ability to execute in a way that makes the most sense for their business.”

One thing that any observer of cyber security issues quickly learns is that everything is fluid, and when you add an evolving business strategy into the mix, that fluidity can flow rapidly. Apps have seen 21CF move into the direct to consumer space, and given some of the rights that its divisions have — Fox has the World Cup football in the USA, HotStar has the IPL in India — that is something of a priority.

“I am very focussed on product security that relates to our customer data,” says Hildebrandt. “The Fox Sports app has been downloaded a huge amount of times because people want to watch the World Cup in the USA, and HotStar and the IPL had more than 10 million concurrent people on the application recently. Application security and product security needs to be at the absolute top level.”

Evolving scenario
The long-telegraphed rollout of the GDPR actually worked well for 21CF as it was moving into the consumer field at the time. Thus is could shape itself a compliance strategy from the ground up rather than having to tear everything down and build it again.

Hildebrandt says that the senior exec team is very focussed on data protection. “The first day I started I was given very, very clear guidance right from the top that protecting consumer data was extremely important. The Chief Privacy Officer here is a very empowered role. We sit right next to each other, actually, and it’s one of my tightest collaborations in the company.”

‘I’ve grown a new appreciation for the threats surrounding delivering live content’

Elsewhere the focus — and she uses the word a lot — is on ensuring 21CF has an understanding of all the changing risk surfaces for all the company’s business units. That means having the right processes and investments in place to ensure a high level of data quality and understanding of threat. She also sees investment in the appropriate hardware, especially when it comes to everyday tools used by employees, as a way of dramatically reducing risk exposure.

“I hope there are going to be some classes of issues that will be removed as problems; issues that are right now huge that will be solved,” she says of the next five years. “Cloud migration will solve entire classes of problems that people are focussed on today, so I hope in five years we’re having a fundamentally different conversation about network security.

“Meanwhile, many organisations are trying to figure out how they have a direct resonance to their customer base, and if you want that direct access you then need to take onboard the security aspect. That will be a huge focus for media: giving fundamentally secure products to consumers to interact with.”

M&A activity and the future ownership of 21CF aside, it looks like the future will be a busy time for Hildebrandt and her team. The 10.3 million concurrent viewers that watched the final of the IPL on May 27 was a new World record and the second one HotStar set this season, breaking the six-year old 8 million mark set by Felix Baumgartner’s live skydive from the edge of space. Couple the growing scale of online streaming with the growing nature of the attack surfaces large media companies present, and you have a job best described as a challenge at best.

If so, it’s one she’s ready for. Arcing back to her early days, she reveals her favourite tabletop game is a WWI strategy game called ‘Imperial’.

“The game mechanics are so good there is no concept of luck,” she says. “I like games that have no dice.”