Cloud Control: Q&A on Navigating Security and Compliance in Media with Simon Lamprell, CISO at EditShare

May 21, 2024

Hello Cloud Control Readers 👋

It's Ian here, excited to bring you this week’s conversation with a remarkable leader in the cybersecurity world, Simon Lamprell, the Chief Information Security Officer at EditShare. In our interview, Simon dives deep into the latest strategies and tools that are shaping the security landscape in the media and entertainment industry.

Simon and his team at EditShare are actively integrating AI to improve their security and ensure compliance across their platforms. From overcoming the challenges of integrating security post-merger to harnessing the power of Kubernetes for more robust and efficient infrastructure, Simon’s insights are a goldmine for anyone involved in tech and security.

As we navigate the complexities of protecting highly sensitive content, Simon’s approach to balancing rigorous security protocols with a seamless user experience is something we can all learn from. His leadership is a masterclass on how to align security with business objectives while fully adhering to compliance standards.

Enjoy the read, and as always, stay secure and stay connected!

Best,

Ian

P.S. We're hosting a roundtable on June 4th as part of New York Tech Week. Other cyber & cloud security founders and I will be discussing how growth-stage companies can harness AI to scale their organization securely. Expect an exciting roundtable, the opportunity to meet others in the space, and of course - drinks. Register here to save your spot.

Question 1 💭

It’s great having you here Simon. Let’s start with what you’re doing at EditShare - what strategic initiatives are you currently leading? Are there any emerging technologies or methodologies in cybersecurity that you are actively monitoring for potential integration into your security program?

Answer 1 🎯

After the merger last year of Shift Media and EditShare, our primary initiative was to review current security policies and processes across both organizations and establish and execute a plan to bring everything up to proper industry standards and maintain our SOC 2 Type 2 compliance. Once we started to wrap that up, we turned our focus to implementing better privacy policies and practices to work towards CCPA compliance and other privacy frameworks. I believe the security and privacy of sensitive information is critical to any organization and should be the cornerstone of any security program.

We are currently working on predictive threat analysis of our infrastructure and applications using some of the emerging AI tool sets, as well as using AI to analyze user behavior patterns to alert on anomalies. These tools and technologies are still new and come with their own risks, but I do believe this is the direction things are heading and the results are impressive.

Question 2 💭

You mentioned building and implementing an industry-standard security program from scratch. Can you elaborate on the specifics of this? And, tell us a bit more about the challenges you faced, as I’m sure there were plenty.

Answer 2 🎯

When I first took over the security program it had been mostly responsive and grassroots. I needed to bring enterprise-level security to the organization with a widely accepted framework. I decided to go with SOC 2 as it laid the necessary foundation and was simple to build on top of, plus it was accepted and well understood by our customers. It was challenging to evolve and mature our process across every department. I got a lot of pushback from employees at all levels. Many didn't understand the importance of the changes, and felt that it added steps or extra work to something that they felt was already working. Things like change control or segregation of duties slowed down engineering and caused frustration. I had two primary methods for dealing with these issues.

First was education: people were much more open to the changes once they understood their importance, and the risk they posed if we didn't do them. I spent a lot of time meeting with people in small groups or even one-on-one, discussing the what and why of the changes and giving people opportunities to ask questions and really deep dive into the topics.

My second method was working with each department to compromise on how things were implemented: hearing their concerns and frustrations, understanding their current workflows and tools, and making sure these changes impacted them as little as possible while also incorporating existing tools and workflows. Allowing them to participate and have a voice in the "how" made a big difference and made it feel that we were all in this together.

Question 3 💭

You also mentioned achieving the SOC 2 Type 2 report with no findings, which is quite impressive. Can you walk us through the strategies and methodologies you used to ensure compliance and security across the organization?

Answer 3 🎯

Thank you, it was not an easy journey. With our limited resources and team size it was difficult to implement and monitor compliance across such a large organization. We tried a few different approaches, but in the end we found that automation was the key to success. I am an engineer at heart; I like well-defined tasks and scopes. We ended up implementing a platform called Vanta to help us achieve SOC 2 compliance and maintain it. Vanta worked well for us because it laid out the problems that needed solutions in a well-defined task list that made the engineer in me happy, while continuously monitoring our infrastructure and internal processes to ensure compliance. We have built on top of this over the years and added our own automations and monitoring in addition to what Vanta offers; without these automations SOC 2 would have been far more challenging.

Question 4 💭

With the merger of Shift Media and EditShare, you were promoted to CISO. How did you approach integrating security compliance from both organizations into the new EditShare structure? What were some key learnings from this experience?

Answer 4 🎯

We spent a lot of time examining what controls were currently in place, where things overlapped, where they were different, etc. EditShare was a more traditional software business with hardware sales and much longer release cycles, compared to Shift Media, which was completely SaaS, with no hardware, and weekly releases. For me, coming from a long history of SaaS products, there was a large learning curve to the traditional hardware-based approach. Security needs are different, customer expectations are different, workflows and processes are different, but deep diving and truly learning and understanding was the critical first step.

After that we devised a roadmap and strategy that would bring the organization to compliance. We had some quick wins where current processes were similar or overlapped, then we focused on the more critical integrations. The key strategy for us was keeping critical business processes of the traditional hardware products separate from the SaaS products. These two areas of our business needed to function in very different ways while both remained secure in their function. Keeping these separate in function allows us to set different expectations and controls that allow both to be secure while being flexible in their specific needs.

Question 5 💭

As CISO, you oversee the security and compliance of EditShare's web-based platforms and applications. Could you share some insights into the unique security challenges faced by companies operating in the media and entertainment industry?

Answer 5 🎯

The media and entertainment industry makes its money from the content it creates, which makes that content the most critical and sensitive asset it has. In a lot of ways their content is the equivalent of money, and being a company that manages and protects their content, we are analogous to a bank. This means the security expectations and assessments are extremely high; we have to know what we are doing, and we have to be at the top of our game at all times.

The biggest challenge we have had with this industry is that while their security expectations are high, the people responsible for the security are not always the decision makers or directly involved with the content creators. This creates a level of distrust and disconnection between the groups making security choices and the ones impacted by them. We often end up in the middle of these issues with conflicting requests. We have attempted to improve self-managing controls to mitigate this, but there is a certain level of diplomacy required.

Question 6 💭

In our earlier conversations you told me you migrated the company’s infrastructure to Kubernetes and container-based workflows. Why did you decide to make this big move? Has it impacted the security, efficiency, and reliability of EditShare's products and services?

Answer 6 🎯

The main driver for the move to Kubernetes was the ease of management and deployment of vast amounts of infrastructure with limited resources. Kubernetes with proper CI/CD and deployment processes really simplified our infrastructure. Our platform became more stable and resilient, scaled more easily, was more cost effective, and was more unified between products and services, which made management and maintenance easier and more consistent.

Kubernetes does need to be implemented correctly to reduce security risks. Using proper VPCs and isolation, and the well-hardened Bottlerocket container OS, we have actually increased the security of our overall platform compared to the more traditional server model.
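To make "implemented correctly" concrete, here is an added example (not EditShare's code, and not a description of their cluster) of the kind of isolation audit an operator runs over workload manifests before they reach a cluster: it flags privileged containers, containers sharing host namespaces, containers allowed to run as root or escalate privileges, and namespaces that have no default-deny NetworkPolicy. The manifests are constructed samples held as plain dicts in the shape `kubectl get -o json` returns, so the script needs no YAML library.

```python
"""Audit Kubernetes workload manifests for basic isolation hardening.

Added example; the manifests below are constructed samples, not taken
from any real cluster.
"""

from typing import Dict, List, Optional

# Constructed sample manifests (hypothetical images and names).
SAMPLE_MANIFESTS: List[Dict] = [
    {   # Hardened deployment: non-root, no privilege escalation, no host namespaces
        "kind": "Deployment",
        "metadata": {"name": "api", "namespace": "prod"},
        "spec": {"template": {"spec": {
            "containers": [{
                "name": "api", "image": "example/api:1.0",
                "securityContext": {"runAsNonRoot": True,
                                    "allowPrivilegeEscalation": False,
                                    "readOnlyRootFilesystem": True}}]}}},
    },
    {   # Risky deployment: privileged, shares host network/PID, root user
        "kind": "Deployment",
        "metadata": {"name": "debug-agent", "namespace": "tools"},
        "spec": {"template": {"spec": {
            "hostNetwork": True, "hostPID": True,
            "containers": [{
                "name": "agent", "image": "example/agent:0.1",
                "securityContext": {"privileged": True}}]}}},
    },
    {   # Default-deny ingress and egress for every pod in the prod namespace
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny", "namespace": "prod"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    },
]


def pod_spec(manifest: Dict) -> Optional[Dict]:
    """Return the pod spec of a Pod or a pod-template workload, else None."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return manifest["spec"]["template"]["spec"]
    return None


def container_findings(manifest: Dict) -> List[str]:
    """Flag host-namespace sharing and weak container security contexts."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    name = f'{manifest["metadata"]["namespace"]}/{manifest["metadata"]["name"]}'
    findings = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} enabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}/{c['name']}: runAsNonRoot not set")
        # Kubernetes defaults allowPrivilegeEscalation to true unless disabled.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{c['name']}: allowPrivilegeEscalation not disabled")
    return findings


def is_default_deny(policy: Dict) -> bool:
    """True if the policy selects every pod and denies all ingress and egress."""
    spec = policy.get("spec", {})
    # An empty podSelector matches all pods in the namespace; with no
    # ingress/egress rules listed, the named policy types are fully denied.
    types = set(spec.get("policyTypes", ["Ingress"]))
    return (spec.get("podSelector") == {} and not spec.get("ingress")
            and not spec.get("egress") and types >= {"Ingress", "Egress"})


def network_findings(manifests: List[Dict]) -> List[str]:
    """Report namespaces that run workloads but have no default-deny policy."""
    workload_ns = {m["metadata"]["namespace"] for m in manifests if pod_spec(m) is not None}
    covered = {m["metadata"]["namespace"] for m in manifests
               if m.get("kind") == "NetworkPolicy" and is_default_deny(m)}
    return [f"namespace {ns}: no default-deny NetworkPolicy" for ns in sorted(workload_ns - covered)]


def audit(manifests: List[Dict]) -> List[str]:
    """Run every check and return the combined list of findings."""
    findings: List[str] = []
    for m in manifests:
        findings.extend(container_findings(m))
    findings.extend(network_findings(manifests))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFESTS):
        print(finding)
```

Run against the samples, the hardened `prod/api` deployment produces nothing, while `tools/debug-agent` yields five container findings and the `tools` namespace is reported for lacking a default-deny policy. The same checks can be fed real output from `kubectl get deployments,networkpolicies -A -o json` by iterating over its `items` list.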

Question 7 💭

Simon, at EditShare, collaboration and content creation are at the heart of what you do. How do you strike the right balance between tightening security and compliance, while keeping the user experience smooth and collaborative on your platforms?

Answer 7 🎯

For EditShare's SaaS products, such as MediaSilo, security compliance in our internal workflows and infrastructure has little impact on the customer. This allows us to put very strict controls in place and not sacrifice the user experience. However, security controls that we implement in the product can have a big impact on the customer.

We mitigate this impact in two ways. First, we develop products for specific workflows. For example, our Screeners.com product is designed to work with prerelease content, which is the most sensitive and restricted content. Because of this there are many security controls in the application, most of which cannot be disabled or modified. The customer wants and expects this because of the type of content on that product.

The second way we mitigate is in products that should allow more options around security: we have many admin controls that allow customers to customize the security and workflows in a way that meets their needs. In our product MediaSilo, customers have many workflows, ranging from prerelease content to marketing material that is public. In this product we have many security features that can be customized at the admin level to make sure their security needs are met, while impacting the user as little as possible.

Question 8 💭

Let's dive into trends and tech. What emerging developments have caught your eye lately, and what implications do they hold for the future of security practices in the industry?

Answer 8 🎯

There are two emerging technologies and developments that have caught my attention recently. The first is the automated infrastructure threat monitoring and analysis platforms such as Wiz and Deepfence. These tools can scan, monitor and detect bad configurations, exploitable systems, and even hacking attempts on our live production infrastructure. Tools like this are amazing as they can detect issues you didn't even realize you had, prevent bad configurations of systems, and even alert in real time when someone is snooping around or attempting to exploit a live system. This level of real time analysis and insight into your systems is a game changer.

The second is of course the one everyone is talking about, AI. That can mean a lot of things, and the technology is still in its infancy. This technology does come with its own risks and security concerns, but it can start to drive real power into security platforms and monitoring. Imagine having an AI algorithm that continuously scans and monitors your production application logs, able to detect intrusion attempts and irregular user behavior patterns in real time. Imagine an AI algorithm that can detect a hacker attempting to exploit your system in real time and deploy countermeasures while you're sleeping. This technology is coming; it's only a matter of time.

Question 9 💭

We’ve all had our fair share of challenges and successes throughout our careers. Looking ahead, what do you envision as the biggest challenges and opportunities for cybersecurity professionals in the coming years?

Answer 9 🎯

There are two big challenges I think cybersecurity professionals will face over the next decade. The first relates to some of the emerging tech I mentioned before, such as AI. While these tools can be very helpful and create powerful solutions, they can also be used to create powerful and destructive tools. There are already phishing attempts that create fake videos of someone's family member with their voice, all created by these AI algorithms, making it harder than ever for a human to determine what is real and what isn't. The smarter our systems get at defending, the smarter the tools get at attacking. Cybersecurity professionals will need to stay on top of these emerging threats and tools; falling behind could be destructive for their business and the systems they protect.

The second challenge I think will be providing value to the key stakeholders of the business. Many companies treat cybersecurity as a nice-to-have, like insurance: always paying for it, never using it. Then the day comes when you need it and it's too late to implement it. How many companies have you seen suffer major hacks or data leaks and then suddenly have a great cybersecurity team? Too little, too late. Furthermore, the economy hasn't been great lately, and businesses are cutting back. It was reported that cybersecurity jobs are down 23%, because these stakeholders don't understand the value, and when times get tough they cut it. Part of your job as a leader in cybersecurity is proving to the business the value of information security, validating the effort and money spent. With more and more automated tools and complexity this can be hard to do, and I believe it will get harder as time goes on.

Question 10 💭

With cybersecurity becoming increasingly integral to business operations, it's essential to effectively communicate risks and mitigation strategies to stakeholders. How do you approach cybersecurity communication within your organization? How do you ensure alignment between security objectives and business goals?

Answer 10 🎯

As I mentioned in the previous question, communication to the stakeholders is critical to the success of any security program. There are two tactics I use to make sure everyone is well informed and that all objectives are aligned.

One of the most critical aspects is education. We take for granted how much we understand working in this field every day; most people don't get it, don't understand it. This starts at the higher levels of the organization, but has to trickle all the way down. We post weekly shorts about security topics like phishing, password management, etc. to keep everyone informed and thinking about security. I update our board monthly about current topics and initiatives from the security program, and we hold quarterly education sessions on various security topics for the whole company.

While education is important to make sure everyone understands what we do and why we do it, it's also important that key stakeholders understand the value and understand how we are aligned with their needs. I meet with the board monthly to discuss current initiatives and roadmap items; we discuss their issues and pain points and adjust objectives as needed to make sure priorities are aligned correctly. The more involved they are the better, and don't forget to update on progress often; really drive home the momentum you have.

Latest AWS and Azure Updates You Don’t Want to Miss

  1. AWS Systems Manager Parameter Store now supports cross-account sharing
  2. Generate AWS CloudFormation templates and AWS CDK apps for existing AWS resources in minutes
  3. AWS free tier now includes 750 hours of free public IPv4 addresses, as charges for public IPv4 begin
  4. Azure Red Hat OpenShift April 2024 updates
  5. General availability: Extensible key management using Azure Key Vault for SQL Server on Linux

Top Articles and Resources of the Week

Articles

  1. User Outcry as Slack Scrapes Customer Data for AI Model Training
  2. Visualizing the 5 Most Common Cybersecurity Mistakes
  3. Sophos Names Joe Levy As Permanent CEO, Hires New CFO
  4. Israel’s CyberArk Inks Deal to Buy US Cybersecurity Firm for $1.54 Billion
  5. IBM Selling Cloud Security Software to Palo Alto Networks in Broader Cyber Strategy Shift

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.