M+E Connections

HITS Spring: Convergent Risks, XL8.ai Address the Challenges of Getting Solution Security Approved

If an organization’s staff is spending far too much time answering security questionnaires in requests for proposal (RFPs) and wondering if there’s an easier way to get this work done, the answer is yes, according to Chris Johnson, CEO and president of Convergent Risks.

“The problem that we’ve got with this subject is that it’s not a traditional subject” for the Hollywood Innovation and Transformation Summit (HITS), he said May 19 at the spring HITS, at the start of the session “The Challenges of Getting Your Solution Security Approved.”

But he was quick to add that it’s actually a “very relevant subject for HITS because HITS is all about technology,” which he pointed out is “emerging at break-neck speed.” There is “new emerging technology and innovation every day, [with] something different for us to look at,” he noted.

During the session, he and Janice Pearson, SVP, sales and strategy at startup XL8.ai, talked through the challenges vendors face and the different security assessment modules that organizations can undergo to provide their customers with assurance of their security postures. They included the new cloud and application security assessment module, personal data privacy compliance, threat assessment testing, ISO and SOC2 readiness.

When studios, content owners, supply chain partners, clients within that supply chain and third parties look to use technology, security for that technology becomes a larger part of the selection process, Johnson pointed out.

As a result, organizations are “getting a proliferation” of RFPs and they must fill out “extended questionnaires on a frequent basis,” he said, calling it a “time-consuming effort” made all the more challenging for small tech startups that “don’t necessarily have people” to deal specifically with this.

Convergent Risks has been active in the supply chain for trade associations and for companies to help organizations secure these technology products and also demonstrate the unique selling proposition that he said security can bring to content owners and their partners.

“I think we have to look at things from a cyber perspective but I think the biggest challenge we’ve had has been from an education perspective,” according to Pearson, a security expert who previously served as a VP at Convergent Risks.

On the distribution front, we’ve seen “incredible technological advances that weren’t possible previously,” she said. And now we also have low latency content delivery networks (CDNs) and “we’re able to do cloud compute at the edge, which opens up so many more opportunities for us … to bring content closer to the consumer,” she noted.

Therefore, we now have “all these advancements kind of within workflows using technology,” within production, post-production and in distribution, she said. However, often “what we don’t talk about is that place in the middle, which is our supply chain operations and also working with our vendor community,” she added.

“Right now, there’s so much pressure on the supply chain because there’s so much content being created,” she pointed out. We have got to “the point where the studios are having to outbid each other in order to get in the queue to get their work done,” she said.

A Major Challenge

One major challenge is that, amid this pressure to quickly reach the market with content, “our workflows haven’t really kept up” with all the advancements in technology on the distribution side, Pearson explained. As a result, organizations must balance speed and security, sometimes with a focus on one at the expense of the other, she added.

That is “where we have to start looking at new technologies,” and that is where her new company, XL8.ai, comes into play, she said, noting it uses machine learning and “true artificial intelligence” (AI) “to be able to help create better efficiencies within those localization workflows.”

She added: “Not only does it help with getting that speed to market, but also it allows more content to be localized that can be then seen in other territories where they wouldn’t necessarily have that opportunity because of the cost.”

But she told attendees: “The thing that concerns me most as an SVP is that security is very complex. And right now in our industry, we have so many people that are really on a learning curve. We’re still learning cloud to some degree. And now, when you start introducing new technologies like artificial intelligence, there’s not a lot of frameworks that could address that [and] protect the technology.”

While the industry is dealing with that complexity and increased competition, “we’ve also got to balance the fact that cybersecurity attacks [are] not going to go away; they’re going to continue to happen,” Johnson said. Organizations must “deal with them and we’ve got to, if we can’t fix everything, which we can’t, we’ve got to be able to respond to them,” he said of cyberattacks. His recommendation is that when developing technology, “you should start your security early.”

Meanwhile, “there are a plethora of standards out there for you to choose from,” he noted, adding: “The industry itself often struggles to decide which one of those is best. But what we’re actually looking for and what you’re looking for is a common baseline. And we think we’ve come up with a way for that to work.”

Like a Car’s Seatbelt

Johnson compared data security to having a seatbelt in a car, saying: “You’ve got all of your safety measures in place but if you don’t put your seatbelt on and you have an accident, it’s going to be far worse and the same goes for security. You can put things in place but if you don’t then follow them [and] monitor them, then if something goes wrong and you can’t respond to it, it’s going to be a lot worse.”

And “one of the biggest areas of risk is misconfiguration,” he went on to say, adding: “One of the things that we can do as an industry and as a business is road-mapping you to the right place within the right security center to get the solution to configure it correctly, because it’s not easy. It’s very difficult. It’s complex to even get to the information that you need to do the secure configuration and the vulnerability scanning that you can do can actually help you simplify that as well.”

The Need for Trust

Despite the time and aggravation that security assessments sometimes involve, Pearson warned that if “you don’t have a strong security posture, your clients will not trust you, especially when you go through an RFP process, because at that point, you will get found out.” She also encouraged organizations to make sure their security postures “never be just a check the box.”

Johnson concluded the session by pointing to a new system that “will identify all of the component elements that you need for your assessment [and] also identify which standard is the best one for you to follow, and which controls are appropriate for your business workflow.”

The Trusted Partner Network is “running a pilot, [starting] imminently with a small number of vendors” who he said are “going to adopt this methodology and then evolve it over a period of time.”

He predicted that, “over the next two quarters, we should see an improvement in the way that we deliver this for our industry.”

Meanwhile, remediation management is a “crucial process, so we’re focusing very heavily on how we deliver that going forward” also, he added.

TPN is “looking at how the platform that they’ve got can manage that in a better way and give you access as vendors to more meaningful information that can help you carry out that remediation,” he said, adding: “In terms of timing, it’s about a 40-day process. But what I would say is it’s only as quick as the vendor completes the extended security questionnaire and that can take a while. And if you don’t have the necessary expertise in your business, you’ll probably need some assistance to get it done within that timeframe.”

The Hollywood Innovation and Transformation Summit event was produced by MESA in association with the Hollywood IT Society (HITS), Media & Entertainment Data Center Alliance (MEDCA), presented by ICVR and sponsored by Genpact, MicroStrategy, Whip Media, Convergent Risks, Perforce, Richey May Technology Solutions, Signiant, Softtek, Bluescape, Databricks, KeyCode Media, Metal Toad, Shift, Zendesk, EIDR, Fortinet, Arch Platform Technologies and Amazon Studios.