
Navigating Security and Compliance in Media with Simon Lamprell, CISO at EditShare

Hello Cloud Control Readers 👋

It's Ian here, excited to bring you this week’s conversation with a remarkable leader in the cybersecurity world, Simon Lamprell, the Chief Information Security Officer at EditShare. In our interview, Simon dives deep into the latest strategies and tools that are shaping the security landscape in the media and entertainment industry.

Simon and his team at EditShare are actively integrating AI to improve their security and ensure compliance across their platforms. From overcoming the challenges of integrating security post-merger to harnessing the power of Kubernetes for more robust and efficient infrastructure, Simon’s insights are a goldmine for anyone involved in tech and security.

As we navigate the complexities of protecting highly sensitive content, Simon’s approach to balancing rigorous security protocols with a seamless user experience is something we can all learn from. His leadership is a masterclass on how to align security with business objectives while fully adhering to compliance standards.

Enjoy the read, and as always, stay secure and stay connected!

Best,

Ian

P.S. We're hosting a roundtable on June 4th as part of New York Tech Week. Other cyber and cloud security founders and I will be discussing how growth-stage companies can harness AI to scale their organization securely. Expect an exciting roundtable, the opportunity to meet others in the space, and of course, drinks. Register here to save your spot.

Simon Lamprell, Chief Information Security Officer at EditShare

Question 1 💭

It’s great having you here Simon. Let’s start with what you’re doing at EditShare - what strategic initiatives are you currently leading? Are there any emerging technologies or methodologies in cybersecurity that you are actively monitoring for potential integration into your security program?

Answer 1 🎯

After the merger last year of Shift Media and EditShare, our primary initiative was to review current security policies and processes across both organizations and establish and execute a plan to bring everything up to proper industry standards and maintain our SOC 2 Type 2 compliance. Once we started to wrap that up, we turned our focus to implementing better privacy policies and practices to work towards CCPA compliance and other privacy frameworks. I believe the security and privacy of sensitive information is critical to any organization and should be the cornerstone of any security program.

We are currently working on predictive threat analysis of our infrastructure and applications using some of the emerging AI tool sets, as well as using AI to analyze user behavior patterns to alert on anomalies. These tools and technologies are still new and come with their own risks, but I do believe this is the direction things are heading and the results are impressive.

Question 2 💭

You mentioned building and implementing an industry-standard security program from scratch. Can you elaborate on the specifics of this? And, tell us a bit more about the challenges you faced, as I’m sure there were plenty.

Answer 2 🎯

When I first took over the security program it had been mostly reactive and grassroots. I needed to bring enterprise-level security to the organization with a widely accepted framework. I decided to go with SOC 2 as it laid the necessary foundation and was simple to build on top of, plus it was accepted and well understood by our customers. It was challenging to evolve and mature our processes across every department. I got a lot of pushback from employees at all levels. Many didn't understand the importance of the changes, and felt that it added steps or extra work to something that they felt was already working. Things like change control or segregation of duties slowed down engineering and caused frustration. I had two primary methods for dealing with these issues.

First was education: people were much more open to the changes once they understood their importance, and the risk we faced if we didn't make them. I spent a lot of time meeting with people in small groups or even one-on-one, discussing the what and why of the changes and giving people opportunities to ask questions and really deep dive into the topics.

My second method was working with each department to compromise on how things were implemented: hearing their concerns and frustrations, understanding their current workflows and tools, and making sure these changes impacted them as little as possible while also incorporating existing tools and workflows. Allowing them to participate and have a voice in the "how" made a big difference and made it feel that we were all in this together.

Question 3 💭

You also mentioned achieving the SOC 2 Type 2 report with no findings, which is quite impressive. Can you walk us through the strategies and methodologies you used to ensure compliance and security across the organization?

Answer 3 🎯

Thank you; it was not an easy journey. With our limited resources and team size, it was difficult to implement and monitor compliance across such a large organization. We tried a few different approaches, but in the end we found that automation was the key to success. I am an engineer at heart; I like well-defined tasks and scopes. We ended up implementing a platform called Vanta to help us achieve SOC 2 compliance and maintain it. Vanta worked well for us because it laid out the problems that needed solutions in a well-defined task list that made the engineer in me happy, while continuously monitoring our infrastructure and internal processes to ensure compliance. We have built on top of this over the years and added our own automations and monitoring in addition to what Vanta offers. Without these automations, SOC 2 would have been far more challenging.

Question 4 💭

With the merger of Shift Media and EditShare, you were promoted to CISO. How did you approach integrating security compliance from both organizations into the new EditShare structure? What were some key learnings from this experience?

Answer 4 🎯

We spent a lot of time examining what controls were currently in place, where things overlapped, where they were different, etc. EditShare was a more traditional software business with hardware sales and much longer release cycles, compared to Shift Media, which was completely SaaS, with no hardware and weekly releases. For me, coming from a long history of SaaS products, there was a large learning curve to the traditional hardware-based approach. Security needs are different, customer expectations are different, workflows and processes are different, but deep diving and truly learning and understanding was the critical first step.

After that we devised a roadmap and strategy that would bring the organization to compliance. We had some quick wins where current processes were similar or overlapped, then we focused on the more critical integrations. The key strategy for us was keeping critical business processes of the traditional hardware products separate from the SaaS products. These two areas of our business needed to function in very different ways while both remained secure in their function. Keeping these separate in function allows us to set different expectations and controls that allow both to be secure while being flexible in their specific needs.

Question 5 💭

As CISO, you oversee the security and compliance of EditShare's web-based platforms and applications. Could you share some insights into the unique security challenges faced by companies operating in the media and entertainment industry?

Answer 5 🎯

The media and entertainment industry makes its money from the content it creates, which makes that content the most critical and sensitive asset it has. In a lot of ways their content is the equivalent of money, and as a company that manages and protects their content, we are analogous to a bank. This means the security expectations and assessments are extremely high; we have to know what we are doing, and we have to be at the top of our game at all times.

The biggest challenge we have had with this industry is that while their security expectations are high, the people responsible for the security are not always the decision makers or directly involved with the content creators. This creates a level of distrust and disconnection between the groups making security choices and the ones impacted by them. We often end up in the middle of these issues with conflicting requests. We have attempted to improve self-managing controls to mitigate this, but there is a certain level of diplomacy required.

Read the Full Q&A on Gomboc.ai

What’s New at Gomboc

Join Us at New York Tech Week for a Roundtable Discussion on Harnessing AI for Growth-Stage Organizations

New York City’s Tech Week is coming up and we’ll be there with an exclusive roundtable on how growth-stage organizations can harness AI to enhance their security posture.

We're bringing together top cybersecurity experts for an evening of open discussions and actionable insights. Here’s all that you need to know 👇

📅 Date: June 4th

🕡 Time: 6:30 PM

📍 Location: Secret (revealed upon registration)

Spots are filling up fast. Secure your spot now and discover how AI can level up your cloud security strategy.

Top Articles and Resources of the Week

Resources

  1. Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.

  2. The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.

  3. Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.

  4. 7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.

  5. Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.