David Ritsher spends a lot of time thinking about content security, but it’s not technical, financial, or theft concerns that sit at the top of his list — it’s subpoenas. As senior supervising editor at Reveal, a nonprofit, nonpartisan investigative unit at the Center for Investigative Reporting, confidential sources are vital to Ritsher and his team’s public mission and trust. Ensuring promised anonymity is both a matter of principle and a logistical concern.
“For investigative journalists, our ability to protect sources is a paramount security concern. We want any subpoenas to have to come to us so we can assert reporters’ privilege and keep sensitive sources safe,” Ritsher explains.
At the same time, Reveal’s workflow model has changed, and with it, the way the organization handles security.
“We used to have most of our staff in-house here in California. Now I’d say nearly 50% of our staff is distributed around the country, and many people work from their homes. Because the workplace is changing, that really puts new stresses on some of the old forms of controlling the information,” he continues.
Ritsher’s need to protect sources and utilize modern tools is not much different than anyone else in the industry. But as part of a nonprofit news group, he has to always weigh his options and make tough choices on how to achieve that balance.
Signiant partnered with Broadcast Beat to discuss this balancing act during The Battle Between Efficiency and Security, a roundtable webinar on production security and the challenges for content creators.
Hosted by Ryan Salazer, Broadcast Beat’s editor-in-chief, and Signiant, the webinar featured the experience and perspective of Ritsher; Renard Jenkins, vice president of operations, engineering and distribution at PBS; and Adam Morton, the head of technical operations at Platform Post.
Production security is not a new topic in the Media & Entertainment industry but one that seems to be more of an everyday consideration than 10 years ago. File-based workflows, cloud services, and internet speed combine to open a new way of working… and new risks. While feeling a bit like the Wild West at the start, production security has matured, but still remains a challenge for M&E professionals no matter what size company.
“[Awareness has] definitely improved in the last few years. In a period running 2016-2019 it was important for the industry to keep saying, ‘Security’s an issue we must take it seriously.’ And it feels like we’ve now passed through that,” explains Mark Harrison, Digital Production Partnership (DPP) managing director. “But in the production domain, it’s a much more complicated picture.”
The DPP, and other organizations such as the Motion Picture Association (MPA) and the Content Delivery & Security Association (CDSA), have collaborated to create best practices and certifications to guide production specialists and media technology organizations toward responsible security practices.
Harrison acknowledges that sometimes security necessities clash with production realities.
“Creative people are much more aware of the risks and the range of risks. But while awareness has improved there’s still remarkably little trust in IT-led solutions,” Harrison says.
That’s not to say IT isn’t doing their part. “Security teams, particularly in large organizations, have come to understand their obligation is to understand how their creative counterparts are working, what it is they are trying to achieve,” he argues.
And Harrison isn’t the only one who has noticed this conflict.
“Coming from the post-production side of the world, for me, it was ‘Don’t touch me. Let me do whatever I want to do’,” shares Jenkins.
Now Jenkins is in a different place. He and his team are responsible for PBS’ entire media supply chain where they acquire content from over 100 member stations and hundreds of independent producers, process it, and make it available to multiple platforms.
While his security philosophies have changed, Jenkins still recognizes the critical tension between security and efficiency. “We have to balance production freedom, flexibility and also the ability to make sure that we’re not tying ourselves into a situation that’s going to cause us problems down the road.”
“I think the challenge facing the industry is that it seems like every production is slightly different,” says Harrison. “That’s where one needs far better communication between those who are security specialists and those who are actually carrying out the project.”
This communication holds true for Ritsher who is on the other end of the production pipeline. He thinks about it from the user end as well as the security end. He wants tools that work for both.
“If things become too much of a roadblock for people who are trying to get a production done, then they will find workarounds. We had a VPN set up as our main mode for people to supply us with footage from the field,” Ritsher explains. “And that became, for new partners, something that was a bit of a hurdle for them, and pushed us more towards other cloud services that didn’t seem as intimidating. For us, it’s finding the sweet spot between something that has ease of use and can give us the security we need.”
“Access, functionality and security are all important,” Ritsher continues. “You can’t just pick two of those. For us, there’s certainly the technical side, but there’s also a big social side. Getting everyone on the same page and working together is a big first step, and that’s where we start the process.”
“It’s important to understand that the security protocols that you put in place shouldn’t hinder productivity,” agrees Morton of Platform Post, a London-based post-production facility.
Morton admits it can have an impact on some workflows and timelines and is a necessity now. “That kind of instigation needs to happen so that everything is secure, because if something goes wrong and it has a massive domino effect across the board. It’s really our responsibility when material comes into our infrastructure that it’s dealt with in a proper manner and it’s secure. The clients are confident that whatever they’re sending us is going to be secure, protected and there’s not gonna be any kind of unforeseen problems.”
Across the industry’s best practices advice is a common theme — make a plan. Establishing a plan requires comprehensive consideration of the organization, and must begin with departments and teams asking questions about risk, delegation, and keeping every member of the enterprise on the same page.
Risk is often a good place to start: ‘What is the data I don’t want accessed by someone else, how likely is it to be accessed, what is the impact of losing that data?’
For Ritsher, this has been a crucial part of planning and establishing clear communication, “We’re trying to introduce the idea of data classification and getting people understanding what level of security different types of data and different types of communication require.”
“The variety in approaches and risk appetite throughout the M&E industry continues to be significant as different organizations have different approaches and sensitivity of content,” one industry insider tells us.
“Risk is in the eye of the beholder,” Salazer says. “Disney’s risk is perhaps different than a local advertising agency. And, not all risk is financial.”
The value of the content is likely different, so a company like Disney may have more security around access than the local advertising agency. However, both groups may suffer embarrassment and loss of customer confidence if their production chain is breached. In this, they share the same kind of risk. Often we think of the worst breeches, such as personal information of customers, shutting down a facility with ransomware, or stealing credit card numbers, but there are many others that are just as critical.
“For us, risk is huge with the amount of content that we have happening simultaneously,” Jenkins says. “All of our member stations can actually be content providers, and then we have hundreds of independent providers. So wherever they are, and whenever they need to get things to us, we make ourselves available to try and work through work flows and processes to get them in. That, of course, does bring about security risk.”
Even with the best risk mitigation you have to remain vigilant. “The real risk is having someone who doesn’t realize that they have something in their media or in their metadata that’s going to be harmful. They followed all the rules. They think that they’ve done everything that needs to be done. And then they push a file forward that they may have downloaded onto a drive that was already infected. Something as simple as that can wreak havoc. So that’s where it comes back to making sure that everything that comes in has the same protocol and the same expectations of cleanliness throughout the security process,” Jenkins advises. “You really do [have to] pay attention to who has access and to what do they have access.”
Ritsher explains, “We think about a lot of subpoena risk. As journalists we want to have as much control of our material, because we can assert reporter’s privilege to protect our sources if we have full control of our media. Because if someone else is holding the keys, it’s possible that someone could subpoena information we wouldn’t know. Us not knowing that they’ve been subpoenaed would not give us a chance to assert the privilege that we need to assert. That is tricky for us.”
Harrison agrees that cloud security apprehension is in conflict with cloud adoption, “In a survey we did in 2018, we found that fewer than a third of the 57 production companies we interviewed trusted the cloud. Having said that, we’re also seeing the very opposite. There are a number of companies who are working with the most premium content that actually see cloud-based and virtualized production as the only way to ensure that their content is safe. So you’ve got this amazing polarization of attitudes and behaviors going on within this very complex range of production types.”
Production security may not have been on upper management’s mind ten years ago, but after several high-profile attacks such as those on Sony, HBO and KQED, the need for planning, resources, and support are now seen as vital for a successful security plan and implementation — at any size of company.
Jenkins has noticed the evolution in upper management. “[PBS] put in place a team that really focuses on security from top to bottom…where they’re looking at how we’re dealing with cloud, or at what we’re dealing with for internal media systems. There’s a representative from every group within the company that sits on that board.” For Jenkins, whatever tools are going to be deployed, it is essential that the top tier team members from every given department are on board.
All three panelists agree on the importance of education: of themselves, of their clients, of their coworkers and of management.
“Once you educate the customers and the clients, and the content providers, then you’re pretty much in a safer place,” Jenkins says. “The other part that was really important for us was that you had to put a change management process in place. Because it was about changing the culture and changing the way that people operated, because everyone has access to the internet at home, they have access to do a lot more.”
Ritsher agrees that upper management support is vital, but in his production world, training is just as vital. “[You have to] bring your team along to understand the importance of using these tools and getting them to find the right level of extra work that they’re willing to do in order to provide the security that will help the entire team in the entire production process.”
“I think security…is a team sport. Getting everyone on the same page and working together is a big first step, and I think that that’s where we start the process,” Ritsher continues.
“It is a team sport,” Jenkins agrees. “You need to make sure that the clients, the customers as well as all of your technicians and editors and managers are all on the same page and on the same team. Security is a part of what we have to do and the more that we actually participate in the cloud, we’re going to have to really think very hard about how secure we have to be in order to stay safe.”
“[Our freelancers] are already trained to our security checks before they come into the building,” Morton responds, which allows for repeatable education. Platform Post utilizes a vetting agency for their freelancers who are trained in their security philosophies and workflows. Morton also acknowledges that his organization rarely works with freelancers — but if they do, they’re usually familiar faces with low turnover.
In addition to his staff and freelancers, Morton pushes his security philosophy onto his clients. “It’s also about educating clients…before any kind of production starts, so they’re aware of what has to happen for their content to safely be in our building, on our servers.”
However well intended, when it comes to the balance between security and efficiency, for the majority of M&E businesses it is difficult to avoid compromise in weighing the risks of their decisions. While the priorities of various team members or departments may differ, everyone ultimately wants the same thing: successful workflows, an efficient team and a thriving enterprise.
“You have to make sure that you provide your content providers and your production teams with flexibility,” Jenkins suggests.
He emphasizes that this applies to every department of an organization and doesn’t just mean turning everyone loose to do their own thing. Flexibility of vision and priorities is an evolving element, and balance is needed between this flexibility and the previously discussed firmness. Content production and security need to be designed to adapt to and support one another.
Understanding where it’s important to be flexible and where it’s important to be stringent sits at the heart of a good working relationship between IT, operations and production. If production can understand when they need to be willing to bend to some security protocols that they might consider restrictive, operations and IT can offer them the opportunity to work on their own terms in scenarios where that’s what’s best for a supply chain.
“It’s important to understand that the security protocols that you put in place shouldn’t hinder productivity. [But] it’s really our responsibility when material comes in our infrastructure that it’s dealt with in a proper manner and secure. The clients are confident that whatever they’re sending us is going to be secure, protected, and that there aren’t gonna be any kind of unforeseen problems,” Morton says.
Every member of a team has responsibilities to fulfill requirements, both to collaborators and to clients. In order to achieve the best and most secure results, compromise is inevitable.
It’s a complex topic, with evangelists on both sides. Jenkins admits to being on both sides of the conversation at one time or another. As he explains, from the creative-making side, “Let us have as much freedom as we need to do, to create the artwork that we’re trying to.”
Certainly, production teams and operations specialists are likely to continue the debate over their necessary and vital missions, but with the right technology and the right mindset, both can ultimately find satisfying options and fulfilling strategies.
“One of the things that I tell my team is that you have to make sure that you double down on roles and responsibilities because IP is not IT. It’s a different approach. It’s a different discipline. It’s a different environment,” Jenkins advises. “You have to get them to remember that the common goal is to distribute content, and that you have to create their content, and make it work. So you gotta put teams together that collaborate well. But there is a lot of learning on both sides.”
So is there really even a “battle” between security and efficiency?
Maybe it’s not that dramatic. But there certainly are internal conflicts when companies are faced with both security necessities and production realities. When it comes to media production, there’s a great deal of responsibility, risk and potential to consider. As such, how different organizations balance these factors is critical to their success, integrity and trust within the industry. Establishing that balance differs from business to business, but transparency and flexibility remain essential.
The panelists agree that the way forward is not always clear, but emphasize planning, education, training and adopting the right solutions with a comprehensive and communicative attitude is the best path toward enjoying the benefits of both optimized efficiency and robust security.
Signiant Update: Since this webinar and article were created, Renard Jenkins has left PBS and is now an independent supply chain engineer and technologist.