Please tell us a bit about yourself, your background and your journey of becoming a CISO.
I am a Computer Science Engineer by qualification with over 16 years of experience across various cybersecurity domains and industries. The first half of my professional journey was dominated by technical and IT security where I worked across Security Services Providers and Security Operations centers managing/administrating Security Devices and architectures, and analyzing security logs.
It piqued my interest, in time, to understand the factors driving these complex security implementations and how decisions around them are made. I spent the next few years working on Security Governance, Auditing, Cybersecurity Risk Management and Compliance Management, deciphering the languages and realizing that, though these defined the requirements of the security program, they did not really answer the question of how businesses can decide which security model or framework to adopt.
My short stint in consulting exposed me to business leaders and their expectations from a security program, their major security concerns, and the perspective they had. Over a decade (and a half) of these experiences and perspectives significantly contribute to being able to take up the office of the CISO at Amagi Media Labs to design and align security strategies to business strategies and build secure products.
Tell us about what your business is and what differentiates your solution from others in the market?
Amagi is a next-generation media technology company that provides cloud broadcast and targeted advertising solutions to broadcast TV and streaming TV platforms. Amagi enables content owners to launch, distribute and monetize live linear channels on Free-Ad-Supported TV and video services platforms. Amagi also offers 24×7 cloud-managed services bringing simplicity, advanced automation, and transparency to the entire broadcast operations. Overall, Amagi supports 650+ content brands, 800+ playout chains, and over 2000 channel deliveries on its platform in over 40 countries. Amagi has a presence in New York, Los Angeles, Toronto, London, Paris, Singapore, broadcast operations in New Delhi, and an innovation center in Bangalore.
When it comes to content and video, what are the top 3 cyber risks that companies face nowadays and why?
From a business perspective, the availability of services is a top risk area for content streaming and OTT industries. Since they are running 24×7 live linear channels, the resilience and continuity of the infrastructure become a top priority, and attacks like DDoS (Distributed Denial-of-Service) could cause substantial damage to reputation and revenue.
With ad-supported TV and video services, protection of data including (but not limited to) user behavior and viewership analytics is crucial to effectively monetize video streams. Piracy is also a fringe cybersecurity risk, especially with Video-On-Demand platforms. Fundamentally, digital rights management is a crucial aspect of managing content and its streaming.
How do you deal with 3rd party risks and what do you think about the future of 3rd party risk management?
3rd party risk management is continually garnering more importance from a security risk governance perspective owing to the explosion of the use-case-specific SaaS ecosystem. Every IT-driven company today (especially the next-gen companies) heavily relies on a huge portfolio of SaaS applications to support businesses.
Enterprise SaaS applications allow businesses to grow vertically and horizontally while effectively managing costs and not requiring them to manage licensing, patching, and maintenance of infrastructure; while that makes a lot of business sense, it could be a potential security nightmare if the application vendors are not evaluated before adoption.
A single application breach could lead to an organization-wide security breach depending on the app interconnections (web or API) across the company’s data and infrastructure. Continual vendor cyber security risk management is a crucial part of any security program, now more than ever.
What is something surprising you’ve learned this year that our readers would benefit from knowing?
There is something about jargon that seems to fascinate our industry folks to a point where sometimes redundant acronyms are intentionally a part of sales pitches to make tools and technologies seem more ‘modern’ or ‘contemporary’.
It seems like the number of acronyms and jargon a product can be associated with is perceived as a better/more new-age product. Sometimes it is just silly. Overuse of acronyms like AI and ML tends to make products fancier. While AI and ML are revolutionizing our industry in more ways than we can imagine, the claimed use of AI/ML seems more prevalent than its actual use.
My suggestion to security professionals, specifically, is to not get carried away by acronyms, to stick to the basics of what a product is intended to do, and validate if it is aligned with the security strategy and the requirements of the business.