For nearly two decades now Convergent Risks — a specialist consultancy focused on security, risk and compliance services — has been working with media and entertainment companies to keep infrastructure secure, in order to keep entertainment services online.
Chris Johnson. CEO and president of Convergent Risks, spoke with the Media & Entertainment Services Alliance (MESA) about the similarities in risk profiles for film, television and gaming supply chains, the importance of understanding the relationship between threat types and the impact of vulnerability, and why investing in tools and people to confront cybersecurity challenges is more important than ever.
MESA: Convergent Risk Group (CRG) charts its origins to 2001. How did the company first come about, and how has it changed over the years?
Johnson: The company was originally formed to mitigate the risk of criminality within physical global supply chains, manage information security breaches and investigate criminal offences and contractual breaches relating to music and video content. Our work ranged from investigating the redistribution of original music and video content through to large scale theft, copyright and trademark infringement and breaches of commercially sensitive information contained within contracts between content owners and their various licensees.
In the early years, we worked almost exclusively with major music label clients and their trade associations. However, we rapidly identified the importance of linking security with a detailed understanding of process and workflows. Our diversity stems from our experience in understanding the similarities in the risk profile for the film, television and gaming supply chains. Our ethos has always been one of prevention and assurance, coupled with a capability to respond. Although “cyber” has now become the more significant threat, delivering a service that focuses on breaches of security which are unauthorized and intentional, unintentional or accidental or due to system and operational failures remains paramount.
What really sets Convergent apart is our depth of industry knowledge and understanding of the specific technology applications and workflows — the DNA of and behaviors around risk are largely unchanged, but the environment we protect has evolved. As a consequence, Convergent has invested heavily in keeping pace with technological change. This means continually educating existing resources, hiring new staff skilled in cybersecurity and ensuring that Convergent stays in touch with the dynamically changing media workflows. Convergent remains a leading industry advocate and an essential resource to a much broader base of media and entertainment content owners.
MESA: Convergent’s very first client was a major media company. In the media and entertainment industry specifically, how much has digital changed how content companies approach security risk management?
Johnson: It is largely the environment that has changed, not the basis for a threat to exist. Whilst the extensive use of technology has resulted in many efficiencies such as scalability and speed of delivery, its adoption has also increased the potential for substantial impact when compromised. At an executive and C-suite level, the way in which content companies approach security risk has created the need for change. An acknowledgment and recognition of risk coupled with a greater understanding and awareness of the relationship between the type of threat and the impact of vulnerability not being properly addressed has identified the importance of introducing more substantive controls and assurance for digital workflows throughout the supply chain.
This is leading a cultural change within the industry whereby content owners are placing greater emphasis on a secure by design approach, from the point of creation to end point distribution. Improved structures for governance and assurance are shown in updated security standards such as the Trusted Partner Network (TPN), and more specifically within the forthcoming Application and Cloud Controls aimed at future-proofing digital content workflows.
This is further supported by initiatives such as the TPN Guardian program; studios have already invested heavily in skilled internal resources acting in an advisory and advocacy capacity to assist business units to implement proportionate security measures.
Clarity on the need for shared ownership of risk and assurance programs that supply chain partners understand and readily implement are essential to success. Access to a broader range of industry experienced skill sets such as Convergent Risks Professional Services, can provide project management and engineering expertise for system, network, infrastructure and application development to meet assurance requirements and in order to be better prepared for a security incident. Trade bodies such as the CDSA and MPAA continue to provide a platform to share and develop best practices when facing common issues and threats to content.
MESA: Like with any business, people can be both its biggest asset and its biggest risk. What are the greatest insider threats facing M&E companies today, and how can they mitigate them?
Johnson: The greatest threat facing M&E companies today remains human error, often as a result of naivety or a lack of awareness in the need for improved security, a lack of individual security competency and the threat posed by individuals who might infiltrate an organization’s physical or logical infrastructure for the purpose of exploit.
This risk can be mitigated by improving the security culture within an industry, at both an organizational and individual level. Awareness, education and the use of suitably qualified and experienced professionals will mitigate a large percentage of the risk.
For those who seek to proactively infiltrate an organization for the purpose of damage or gain, the best deterrent and control is implementing appropriate measures for pre-employment screening. For those who seek to ignore or purposefully circumvent security measures, it is important that contractual and human resource processes adopt a cause and consequence approach to any incident and subsequent investigation.
MESA: What changes have taken place at Convergent Risks in recent years?
Johnson: Up until 2017 our security assessment business for media and entertainment was called CDSA and to coincide with the launch of the TPN last year we rebranded this division with our corporate name, Convergent Risks. The real change however has been the investment in our skills and people. For example, joining our TPN assessment program in the last 18 months, have been security specialists from Disney, Deluxe, Motion Picture Solutions, and Amblin/DreamWorks.
Facilities often have complex network infrastructure and the more experience the assessor can bring, the smoother the TPN assessment will generally go especially with the new App & Cloud standard just around the corner. There are many advantages of being part of an experienced group of assessors, not least in terms of the knowledge base which is a distinct advantage.
Another development to meet client demand has been to expand into specialist professional services providing pen testing, pre-assessment, remediation, GDPR advice and policy development. Joining the Convergent Professional Services team have been security professionals from the MPAA, Warner Bros and other content security businesses. This much wider skill set, which is being well received by vendors and studios alike, has made a big difference and helps us engage at many more levels to provide a broader set of risk assessment services.