Test, QC & Monitoring Global Viewpoint – November 2019

As I understand, IT security is about risk management. Is it possible to make an IT infrastructure 100% secure? Or can we guarantee a hostile actor will never corrupt or steal our data? Probably not.

However, I think it is possible to make IT systems virtually 100% secure. We can take our data, copy it to a hard disk drive, drill a hole one mile deep into the earth, reinforce it with concrete, cap the hole with granite rock, and then remove any signposts or instructions on where to find our data. The challenge with this system is that we cannot retrieve our information.

So, it’s not data storage that causes us issues with security but instead our need to retrieve information. Of course, data storage is irrelevant if we can’t retrieve data in the first place, but for us to have any appreciation of how cybercriminals think then we must understand how and why we access data.

There lies our next challenge, to understand how cybercriminals access our data we must think like criminals. This is abhorrent to most civilized people and I would suggest the majority of us cannot not think in this way. Some can and are skilled at this; they are called Security Consultants. To put this into context, I worked in a playout center a number of years ago where the control room used a retina scanner to guarantee controlled access. As well as checking my unique “eye-print”, the scanner also checked to see if blood was flowing in my eye.

We do have one major advantage over cybercriminals and that’s our ability to collaborate and form communities. That is, not only should we insist each vendor does everything they possibly can to make sure their equipment is secure, but we should all work together to guarantee we are doing everything we can to make the whole system secure.

Security starts from the top of any organization. This is not a challenge broadcast and IT engineers can solve in isolation but is instead one that the whole company is responsible for. Furthermore, every time access is given to data, whether that’s through REST API’s or user file rights, our risk to cybercrime is slightly increased.

The good news is that when we adopt this method of understanding we move from the mindset of naively assuming we can make a system 100% secure to knowing we can’t, even a very small risk is still a risk. I’m not casting aspersions on the validity of IP as I believe the benefits outweigh the risks, but I am saying we must be realistic about our expectations.

Knowing this, our thinking is instantly liberated, and we consider systems in terms of “what should I do to mitigate against a ransomware attack?” or “how do I stop theft of my block buster rushes?”. Both have solutions and their complexity and hence cost, is proportional to the amount of risk we’re willing to tolerate.

Risk management is nothing new and broadcasters have been doing this for many years. The difference now is engineers are no longer working in closed SDI networks but are instead working in highly accessible IT systems where greater collaboration and modified thinking is key.