Today's digital entertainment ecosystem spans streaming platforms, mobile applications, gaming networks and content delivery systems—creating unprecedented opportunities and security challenges. Forward-thinking executives are working to balance seamless user experiences with robust security frameworks in an era where digital content is ubiquitous and consumers demand instant, secure access across every device. Tune in as experts discuss how the evolution of digital entertainment platforms is transforming security paradigms, creating new business models and why protecting the modern media value chain has become a C-suite priority that extends far beyond technical considerations.
Today's digital entertainment ecosystem spans streaming platforms, mobile applications, gaming networks and content delivery systems—creating unprecedented opportunities and security challenges. Forward-thinking leaders are working to balance seamless user experiences with robust security frameworks in an era where digital content is ubiquitous and consumers demand instant, secure access across every device.
Tune in as experts discuss how the evolution of digital entertainment platforms is transforming security paradigms, creating new business models and why protecting the modern media value chain has become a C-suite priority that extends far beyond technical considerations.
Featured experts
Tony Lauro, Senior Director of Security Strategy, Akamai Technologies
Tina Slivka, Vice President, Consult Lead for US Telecom, Media and Technology, Kyndryl
Tom Rourke 00:02
Hi, I'm Tom Rourke. I'm Vice President of Design, Insights and Innovation here at Kyndryl, and I'm delighted to welcome you to The Progress Report. When we think about information security, I suspect most of us begin with thinking of our bank accounts, access to money and so on. There's a really interesting set of developments in the space of our media consumption as we consume a wider range of media across a wider range of devices, there are entirely new areas of security throughout beginning to emerge. I'm delighted to be joined today by Tony Lauro, who's Senior Director of Security at Akamai Technologies, and Tina Slivka, Vice President and Consult Lead for US Telecom, Media and Technolgy at Kyndryl.
Tom Rourke 00:44
Tony, Tina, you're both very welcome to The Progress Report.
Tom Rourke 00:45
If I may just start, by way of setting a little bit of context for our listeners, I'd really be interested to know a little bit about your own journeys into this space of the intersection of technology and media, and really what motivates you and excites you about this space today. And maybe if I could start with you, Tony.
Tony Lauro 00:45
Thanks for having me.
Tina Slivka 00:45
Great to be here.
Tony Lauro 01:03
Sure, you know, I've been in information security, kind of focused on external threats before it was kind of a thing. Back in the late 90s, I worked for a US based telecom company, and I realized that as we're turning up circuits for these customers, who's watching against threats coming from the internet. Most recently, before Akamai, I ran the security group for a mobile payments company. A long kind of history of working with applications, working with consumer facing applications, and kind of understanding that anytime we're giving users access to make input or make a request into a system, that's always open area for abuse. And then the past 12 years at Akamai, initially part of a group that ran our new security services, and as we kind of delivered those to our customers, my team would work on finding those proof of values for the customer. And then for the past six years, I've been part of a CISO group that meets with CISOs and other security business leaders across a lot of different types of organizations to kind of get feedback. Make sure that as we're building new technology, are we going in the right direction? Are we solving the right problems for advanced or emerging threats?
Tina Slivka 02:18
Yeah, so I lead the telecommunications, media and high-tech area for Kyndryl and my journey started in telecommunications. My first clients ever were the telecoms. But over the years, I've watched people change and consume media in different ways. My clients soon became media companies and high-tech companies. And it's high-tech companies who are becoming media companies, telcos who are becoming media companies, and media companies who are becoming technology companies. And as these three integrate and merge, you watch how the consumers also go across all three companies in different ways. And now you have Netflix, which is it a technology company, or is it a media company? Well, they started making their own content, so maybe they're a media company. But they're still streaming platform, so are they a technology company? And so I'm looking at it from, how do we address their biggest problems of today? And their biggest problems of today are often security problems, because the security problems are driving what their architecture is and what their technology is and how customers perceive them. So I did some dirty work in information security. I worked for the CISOs office for a while. I headed up threat intelligence and incident response, so it's kind of like the ground layers of cybersecurity. So I have a good understanding of what are threats and what are attacks, and then you take that a few levels up and say, "Well, what are the architectures and what are the policies that we need to prevent these things?" Because they are real, and they are coming for the media platforms now, versus just the banks and where the money is.
Tom Rourke 03:49
And maybe you could just expand, Tony, about what is it that are the special challenges, either in how you solve those problems of security, or the types of threats that emerge in the context of this kind of media world that we're working in today?
Tony Lauro 04:03
I think one of the big challenges is that there's so many different types of media experiences for people to have, right? So there's second screen, there's apps that coordinate with the media broadcast in real time, and frankly, that the users are asking for these things. They're asking for these new innovations, and building upon that, you have the same problem you have with very simple, basic applications. Is the software development life cycle include security? Is security measured and able to be observed in real time to look for active threats or engagements? And then after the fact, are you able to respond during a broadcast, during kind of a pinnacle moment event, to say we have a problem? Are we resilient enough to continue the service that we're providing while under duress, while under fire, so we can kind of take the hits and keep on running? So that's some of the challenges. It's kind of the real-time nature of things. And even with things that are over the top and pre-recorded live events, things like that, you still have the same factor. There's engagements to all your other omnichannel applications that are being driven from these things. There's a lot of interoperability between the events themselves, and then also all the applications and everything that is supporting that media event is potentially a target.
Tina Slivka 05:29
Yeah, I think, and thinking long and hard about this, I think the most pressing security challenges today for media companies are two areas that the banks have been dealing with a long time. So not so not so much telcos, but the banks, because the banks had to get in front of this 25 years or so or more ago with credit card theft or credit card fraud, but they only had machine learning and people to work with this. So I think the two biggest security challenges are the threats of theft and then the threats of fraud, but now it's threats of theft around the content that they hold, and attackers getting the content and then leaking it or releasing it themselves so that the platform can't monetize that content anymore. And then when it comes to threats of fraud, it's this proliferation of deep fakes and synthetic media that's really trying to manipulate either what you're putting out there or your brand or your messaging or the content itself. And so this is a real threat today, especially for broadcast journalism, and people have to detect the real fakes, real time, in line, and then debunk them. And so, they're one step ahead right now. There are some technologies out there that are advancing in terms of deep fake detection, but right now, the deep fakes are better than that.
Tom Rourke 06:49
That's really interesting, because we have had a number of guests on this in different contexts in recent times about consumer research, and they will say that they have like, nanosecond time windows to try and detect whether somebody is who they say they are. And so the pace at which people need to make decisions about security threats or about something being fake just seems to be accelerating. Is there a sense that that actually creates opportunity for competitive advantage? You know, it's clear if you take in terms of the mobile device space, there are some people who are perceived as having a much more secure ecosystem, and you can see it in terms of their dominance of the business user market. Are there similar opportunities in the media space where people can differentiate, or should be thinking about how they might differentiate around the security experience?
Tony Lauro 07:41
Ultimately, when we when we look at the media space, it's that user journey that is so important. When you look at streamlining media delivery or media events, you want that to be as frictionless as possible. And delays in that and kind of delays in that process are typically seen as negative. But you look at some of these large platforms, and you look at all the transactions that are happening, there's money in all of this data being sent across, right? So the attackers are really focusing in where they know, for one, users may be potentially less educated. You know, if you're in financial services and you're doing a secured transaction, you'd expect to have this whole process, but if you're just kind of logging into an event, whatever kind of programming you're you're looking at, that model is typically lower down on the rung from a security perspective. So the attackers know that. They know that the users probably aren't as readily vigilant to look for malicious threats or phishing or fake landing pages, all these things which are kind of big deals. The other factor is the simple nature of if someone wants to stop your ability to deliver something on the internet, that they can get a botnet and launch an attack and hit you with more traffic than you'll actually see during that streaming event. I mean, what are you going to do? So there's kind of this challenge to maintain performance, user experience and security, on top of the fact that: Is this even going to run? This is really kind of a key factor that says there is a lot more to delivering to hundreds of millions of people at the same time than we might think. The internet is not made for us. We have to make it work for us. And all the inherent risk and uncertainty of how the Internet functions, we have to be able to figure out how that's going to work so that 100% of the time it will do what we need it to do.
Tina Slivka 09:43
Yeah. So I think overall trust becomes the differentiator, and that's part of the experience as well. So as consumers become increasingly privacy focused, companies are highlighting this, that they keep your private information private. That's Apple's whole campaign, and they use ethical AI. And they're seeing this as a competitive advantage. And then additionally, the fans and the users want to know that the platforms they connect their 10 devices on are secure, which includes identity verification and fraud prevention as part of their logins. And then this coincidentally, allows the platforms to have a new type of fan engagement and monetization as an upside.
Tom Rourke 10:22
So it's interesting you say about devices, although I will take a slight segway, Tina, is that I know 20 years ago, when teaching, there was always this thing, which said that at the end of the day, people will talk about privacy, but they'll always tend towards convenience. So that people make this trade off a lot of the time. But you mentioned something about multiple devices. Is there also some unique things here around the fact that we increasingly expect, we don't necessarily expect our banking to span across our TV or 20 year old laptop or all these other devices, but we do expect our entertainment platforms to do that and what are the unique challenges that come into play because of that just sheer diversity of devices that we just want to use? Does that create unique challenges or is it that we should we see them as opportunities?
Tina Slivka 11:07
Yeah, I think it does. I mean, there's just been an explosion of attack surfaces in cyber security parlance, and that instead of just your work computer and your home computer, it's that plus. Plus your mobile phone, plus your gaming council, plus your Smart TV, plus your Wi-Fi router, it's all of these things, and now they're all connected through your Netflix password. Well, guess who's now really at risk. It's Netflix. It's not only you. You expect it from your bank. When you log in and you're in a new location and you try and log into your bank's app, you get a two factor. "Hey, it looks like you're logging in from a new location. You're not on your couch. Why is that?" But now the media platform needs to be context aware as well, and it's not just your location, but it's also your device. "Hey, Tina, looks like you're logging in from your iPad. Is that right?" And you're like, "Well, yes, I am. Thank you very much." And then it's your behavior. "Hey, this is unknown from you. What are you doing?" That means that the platform needs to create a baseline of your behavior, of your devices, of your locations to know what's an anomaly. And that becomes and that means that the platform has to become really smart to do all that.
Tom Rourke 12:11
And given the ubiquity of those platforms, are there other opportunities for those platforms to begin to monetize that level of kind of awareness of your context, of your situation, of your behaviors, or is that one of those things that media companies are very wary of, because there's that little moment where you feel like they've begun to intrude into your life, so there'll be pushback? So Tony, any view on that?
Tony Lauro 12:33
The idea of all the different devices really feels naturally solvable when you think about devices that take security context well. I don't know if you've seen the old stats, but they're like iOS devices get updated within two weeks. All of them are up to date, versus Android, a little bit behind the curve now, but think about like a 10 year old Vizio Smart TV. The Smart TV that you sometimes have it connected to Wi-Fi, you sometimes maybe have another device, like an Apple TV plugged into it. But are you updating the firmware on that device? Are you updating the software for that Smart TV experience, which then in turn updates the app? Because the security from Netflix may be, "We're not going to allow our app to continue to run on too old of a version of a smart TV because of inherent risks and security posture that can't be mitigated." So all of that kind of comes into play. But I handle a ton of this in the mobile application banking world, which is, you've got different devices, then you have different flavors of the operating system being delivered by the different carriers, AT&T, Verizon, et cetera. You have that same type of issue and overlapping kind of security complexity in the media space.
Tom Rourke 13:53
And I can imagine the competitive stakes are higher, in a way, because as frustrated as I might get with my bank, if they kind of make my security a little bit heavier and tighter and cumbersome, I'm not going to ditch my bank and move to another bank. But with the proliferation streaming platforms, I might just make a decision towards Disney in a way from Netflix or vice versa, based on that experience, and just being persuaded it's more secure might not be enough. So, is there a little bit of an arms race in terms of trying to develop what I might describe as frictionless or low-friction security across these media companies?
Tina Slivka 14:31
Oh, I think so, for sure. It comes from the mobile experience, right? So it's what are things that you're seeing in the mobile experience that you want to translate over to other experiences? In a word, Face ID. People do want protection and, to your point, but not at the cost of their convenience, because we just want what we want when we want it. We're not demanding at all. And this has led to this rise in passwordless logins, biometric authentication and then this adaptive security. These platforms kind of have context and know what you're doing. And the goal I think, for some media companies that are doing it really well, is to have invisible security unless it needs to intervene.
Tom Rourke 15:07
Obviously, in banks and financial services now, there are CISO roles. There are board level responsibilities for information security. There's no question that in those sectors, it is an absolute board level and constant matter for board attention. You have this perception of creative-led industries where that's where the emphasis is. But does it get the level of attention and resourcing that you feel it necessitates?
Tony Lauro 15:33
If security is not its own pillar within an organization, if it's kind of a sub-pillar under the C suite, I think it's indicative of the nature of where security will be able to function across that environment. So kind of giving CISOs a direct seat at the table amongst the C-suite and not below them is very important. Tina, you mentioned earlier, AI and deep fakes. And we're seeing, not just CISOs, we're now seeing AI leaders being appointed at each of these organizations, because you bet your bottom dollar that these media companies are leveraging AI to understand the intention and the needs of their consumer base. So from a tooling perspective, they're using AI, and now that has to be regulated, because AI is going to interact with the profile and consumer profile information. It's going to interact with everything. So there's a lot of different aspects in which potentially things could be falling off the rails in the near future, if we're not putting a focus on the right areas. And who knows? I can't predict the future, but it definitely is growing at a rapid pace, and that's definitely going to play into compliancy and everything else inthe very near future.
Tom Rourke 16:47
It's interesting. Maybe an analogy here, in the sort of martech/the marketing technology space, is that there's a lot of discussion around how fragmentation around content creators and influencers is completely changing how people market and build an audience for a marketing message. Is there an analogous issue with the sort of security dimension about how content creation and content consumption has fragmented? Does that create new threats, or is all really about the fact that most of this is still happening on platforms, and it's actually the platforms that you need to secure? But to what extent does that kind of fragmentation of content creation and consumption add new threats? Or is that not really relevant to the question?
Tina Slivka 17:27
So Netflix, for example, they created a bespoke content production ecosystem because I think they did realize that there are a lot of threats in this bespoke model of content creation, and so they've got this bespoke content production ecosystem that includes watermarking, secure cloud workflows and just rigorous vendor audits. Their third parties are on a very, very short lease, and then they also use these zero trust principles to secure remote production environments, because they know that production is going to go on around the globe. And so it's just you're going to have to authenticate, and you have to be trusted, coming from a trusted place and a trusted network to get into their platform for content creation.
Tony Lauro 18:07
The whole idea of the social aspect of the democratization of media delivery is changing the game quite a bit, and it already has. We've seen this for years, so the zero trust principles really do fall into place here from the whole aspect of your employees are everywhere. Your constituents are everywhere. Your customers are everywhere. You need to be able to handle those different workflows very uniquely and succinctly to make sure that they're not abused, because abuse will definitely follow usage 100% of the times. So you have to be prepared for that.
Tom Rourke 18:45
I'm interested in the lessons or technologies that other industries might benefit from beyond media, so learning from media and applying them in other contexts.
Tina Slivka 18:56
So, security hygiene is really important, but this is kind of a workaday example, but secure APIs and session management. So, entertainment platforms rely heavily on APIs, securing these endpoints with token based authentication, rate limiting ensures that content and your data isn't exposed during playback or transmission. And then one of the biggest risks to streaming platforms during live events are DDoS attacks that Tony mentioned earlier, which disrupts streaming, disrupt your revenue. You're not making any money. And the easiest way to enable a DDoS attack is to leave sessions enabled so that attackers have a chance to get into your system. So I think as media companies really push the boundaries of what you can do on a network with live streaming, I think that is where other industries are going to take a note from the media industry.
Tony Lauro 19:45
You look at your top cloud providers in the world and what their total capacity is is somewhere around 500-600 terabits per second into and out of their data center for companies like kyndryl and Akamai. And then you look at companies like Netflix that built their own platform, you have to applaud the audacity to kind of take on, "Hey, we're going to build a whole new distribution platform to sit on top of the internet." That's pretty exciting. But, yeah, there's no hub and spoke model. You have to be massively geographically diverse, and you have to give users experiences as though they're right down the street from you, and if not, they're going to go to another provider.
Tom Rourke 20:30
Time passes incredibly quickly in these conversations once they get going, but we are The Progress Report and and hence, there's always a question around what is it for both of you, that would would look like progress as we look to the future? Either in terms of things that we might do differently or opportunities that are only just beginning to emerge. And maybe I might start with you, Tina, as you look to the future, what does progress in in this area look like for you?
Tina Slivka 20:54
Trust and authenticity are two of the themes that are really important today and will become more and more important tomorrow, and I think the only thing that's going to break AI is AI. So as these deep fakes become more convincing, AI is being used to verify content, and advanced models today can now detect subtle artifacts and deep fakes. They can flag manipulated audio, and they can even within content like trace the origin of visual assets, but there's a couple initiatives out there. One's called C2PA, which is an industry initiative. There's watermarking 2.0, which is now using, I get kind of excited about this, but it's using forensic watermarking to embed invisible only AI readable signatures which you can't see as a human being. Your own eyeball can't see it, but only AI can read it into content that persists, and this is the best part, even after compression. And like, after compression, my mind, just kind of blows, because that's really hard to do, and so I think they're trying to really crack the nut on deep fakes and understanding and flagging synthetic media that other industries can also learn from the media industry. If they can get watermarking down and authenticating content, then this is something that can go worldwide.
Tony Lauro 22:08
I think progress looks like the idea of shared passwords across different households. This seems like a very simple issue, but when you look into banking for lessons, you say, when someone logs in, can I trust that the username and password being provided, even though it may be the correct one, can I trust that it's Tony Lauro logging in from Dallas, Texas on AT&T Internet service or whatever the case is? How do you know who that person is? I think that same thing is bleeding into the media space quite a bit, and already has, but ultimately, kind of in a simple perspective, I think progress looks like security being a core pillar of the development process of the whole workflow within a media organization. From studio delivered assets to in-house security operations and software development. If security is not at the head of that, you know, at the forefront of that life cycle, I think we're going to be behind. So kind of keeping security at the head of the table. And then emerging security risks, AI leaders being needed now at organizations. How many companies have chat bots that answer questions for them? Well, if I'm an attacker, I'm going to try to talk to that chat bot and trick it into giving me more access than I should have, or bypassing whatever guardrails you have. I mean, this is all kind of real world things that are happening right now. So having security lens across all those things, I think, is what progress looks like.
Tom Rourke 23:53
So, Tony, Tina, thank you so much for joining us today. It was an absolutely fascinating discussion, and I feel I've learned so much. So thank you, both of you, for joining The Progress Report.
Tina Slivka 24:02
It's been lovely being here. Thank you so much.
Tony Lauro 24:05
It was a pleasure. Tom, thanks for having us.
Tom Rourke 24:11
Today's guests spoke the identity of their own deep knowledge and experience, but also their enthusiasm for their subject. Couldn't help but make me curious about some of the more technical aspects of the work they do, and I feel like I have learned some new things today, and I hope that you, as listeners, have also enjoyed their enthusiasm and insight and learned from your listening. When it comes to listening, please do, like, share and subscribe to The Progress Report.