Talking TV: Building A Cybersecurity Culture For Broadcasters

When it comes to cybersecurity, a broadcaster doesn’t stand a chance against bad actors without total buy in from the C-suite.

Brian Morris, chief information security officer (CISO) for Gray Television, says top leadership needs to be completely invested in propagating a culture of cybersecurity across the company. But he hastens to add that awareness and understanding need to be bidirectional between the CEO’s and CISO’s offices for that investment to truly take root.

In this week’s Talking TV conversation, Morris shares tips for building a culture of cybersecurity amid more frequent and clever attacks. He says the nearing of an election year should make vigilance all the more urgent. And he says reenforcing the positive in cybersecurity, rather than making it a punitive cudgel, makes all the difference.

Episode transcript below, edited for clarity.

Michael Depp: The threat of cyberattack remains one of the most serious facing broadcasters today. The problem is that arming themselves against such attacks is a fast-moving issue requiring constant adjustments in strategy. So, what do broadcasters need to be doing today and every day to be ready?

I’m Michael Depp, editor of TVNewsCheck, and this is Talking TV. Today, I’m with Brian Morris, chief information security officer, or CISO, for Gray television. We’ll be talking about how to build a culture of cybersecurity at a broadcast company and critically, how the CEO needs to be a critical instrument in establishing and maintaining that culture. We’ll be right back with that conversation.

Welcome, Brian Morris, to Talking TV.

Brian Morris: Thank you, Michael. Good to be here.

Good to see you, Brian. How grave is the threat of cyberattack that broadcasters face each day?

Well, it’s grave, and I’m sure that’s not a surprise to anyone. I think one of the things that we have to get used to is that it’s not a single threat. You don’t fix it and walk away. It’s constantly changing, constantly evolving, constantly something that we have to adjust ourselves to be able to relate to and to be able to protect ourselves against.

Now, I mentioned at the top cybersecurity is a moving target, which you’re speaking to right now. Can you explain why that is and how a broadcaster needs to be continuously adapting to threats?

Well, I think it relates to as threat actors get better at their job, we get better at our job. Not only us, but cybersecurity vendors do. It was just a few years ago, pretty much everything was malware based. If you had good endpoint protection, if you had EDR, you could knock out 90% of the threat.

Well, now today that’s changed. It’s fileless, it’s non-malware based. Today the credential is the golden tool for getting in. A compromised credential is how a threat actor gets in the phishing campaign.

A few years, those were mass volume coming out. Nowadays, it’s a spear phishing campaign. Spear phishing, smishing phishing, all designed to reach instead of a mass group, the individual target. The threats are more personal to the end user, therefore they’re more effective.

Let me roll back here. Is a spear phishing is targeting an individual person, not just sort of phishing across the whole company?

Exactly.

1. What is motivating these threat actors primarily? Is it money or are they just trying to ransom or is it something else?

It depends on whether you’re talking about cybercriminals. In many cases, those are monetary driven. That’s the ransomware. But then when you get into state actors, it changes a little bit. You know, North Korea is focused on ransomware. China is focused on information. Russia, they’re just disruptive right now. So, it depends on where it’s coming from as to where the target is within a company.

Are the state actors targeting media more than other categories of business or corporation?

I don’t think so. I don’t think we’re immune to that. I’m actually surprised that we don’t see more of it from a media standpoint. Of course, with election year coming, that’s going to increase, I believe, the ones that you see a lot. Health care, government and such are the big ones that are getting hit. But I think we are seeing a rise in it, and we will continue to.

Is AI making the threat of attack any worse right now?

Somewhat. I don’t think it’s quite the boogeyman everybody points it out to be, yet. It’s done some things to make threat actors a little bit easier. Some of it’s been documented. Well, helping to generate better code is one. Another one is just the general phishing campaign. There is a language barrier for overseas phishing. And a lot of times you can spot phishing emails just because the grammar and spelling is poor. With generative AI, you can put it in English and get it in something that looks a little bit better. And so, that is a threat. But then again, on the other side to that, it’s not just the threat actors that have AI, we also have it on our side and security companies stuff are using that to help identify these threats and help remediate.

And so, when you talk about on the two sides here, is it sort of just always leveling up like increment by increment? The threat actors are on a par with the level of the defenses that you bring to bear. Does anybody ever get the edge there?

Well, I think the threat actors always have the advantage because they always think of the next thing and then we have to follow up and figure out how to block it. We’re never sitting here thinking, OK, what can they do next? Let’s come up with something. So, we’re always a bit on the defensive. But, you know, that’s the nature of the beast.

Those damned threat actors. So, protection is largely about employee training, isn’t it? A big part of it?

It’s becoming more and more about that. It’s less the fact that you can put a tool in place and color it covered. Not to say that has any less importance that’s still there. It needs it. But the employee you know, employees, are your biggest threat. They’re your biggest area. That’s not really a valid statement. Employees in concert with a good security program are some of our best protection. Employees can notice things long before the security department notices.

I know in our phishing emails, a lot of times the ones that get through our email security are caught by, I can almost put in a handful of employees that’s going to tell me right away, Hey, Brian, this doesn’t smell right. Take a look at this. And so, they’re very helpful in covering that.

How does the training come in to building an overall culture of cybersecurity? Does it need to be a constant, recurring thing? Is it something that you do in in regular intervals?

It is. And there’s been security awareness campaigns, you know, monthly trainings or something like that, and then simulated phishing campaigns and such going out. But that’s evolving, too, nowadays. We have to develop a security culture within our business. It has to be more than sending out a training video and assuming that people are going to have that and they’re going to they’re going to follow it. People are in a hurry. They do their job. And unless the response to, say, a phishing email is automatic, there’s a good chance they’re going to click on it. So, we have to build a culture that that means security is just part of the way of life for us.

Are you still testing people, though, that, you know, you could put out false phishing or spear phishing attempts to test individuals, and if they fail the test, you kind of pull them in for more direct training?

Well, we are doing simulated phishing, but my view on that is a little bit different. I think simulated phishing for the most part is not to tell us if the employees are doing their job, but to tell us if we’re doing our job. Are we building the culture where people are looking for this? Are we building a culture where they’re on our side, where they see themselves as a part of the overall security landscape and they want to do it rather than trying to catch somebody doing something wrong and then clobber them for it?

What are some of the other best practice facets of building up a culture of cybersecurity at a broadcaster?

Well, I think one of the first things we need to do is to make security a positive thing, not a negative thing. I always joke that I’m the “Office of No,” and to a certain extent that that tends to be true. But we need to make it something that people embrace. We need to develop champions within each department. As I said, I have I have certain people out amongst our stations. If they see something wrong, they’re going to hit me up right away and let me know.

We need more people like that, and we need to encourage that rating to reward that. We need to make sure that we brag on those people and let them know training needs to be fun, less tedious than what it is. And there are vendors out there that are working hard at making training something that people look forward to rather than something that people dread.

The other thing we need to do is we need to be better at communicating. We need to get out and let people know, hey, this is what we’re seeing. This is what you need to look out for. Not scary, but just informative to get people involved in it.

Now, getting C-suite buy in is absolutely critical to all of this. Why?

It is because cybersecurity is no longer an isolated department that covers one little area. You’re not just covering email and endpoint; it becomes a broader spectrum. You’re talking about an enterprise risk, you’re talking about governance, you’re talking about compliance.

And now with some of the regulations that are forthcoming for publicly held companies, recommendations to CSA from the White House and such and the FCC. Now we’re having to become more formalized in what we do, our documentation, our vendor reviews.

And that means we need to be able to justify what we’re doing to the C-suite and then up to the board. And so, getting C-suite involvement, the CEO involved in that and supporting it is critical to being able to go out and reach all areas of the enterprise and not just select employees or select departments.

What does responsible CEO behavior look like in this context? What’s the onus on the CEO in both a more macrocosmic and a daily sense?

I think the first thing we need to expect from a CEO is to support the security program, support the CISO, and let it be known that the CISO is an important part of the business and that the influence needs to go across the entire company.

But it’s also on the CISO to understand the business from the CEO side. You know, we sit here, and we say, Well, here’s a tool to do this. Here’s a tool to do this, here’s a tool to do that. We need to be able to look at it from the CEO side and say: Why is that important to the CEO as it is to us? So, we need to become more savvy that direction.

Well, fascinating stuff, Brian. I know that we will be getting into a lot of these issues at TVNewsCheck’s Cybersecurity for Broadcasters Retreat at the NAB New York show this October, which you’ve been involved in. This is a convocation of CISOs and other security executives, all done off the record with no media coverage. And the conference sessions are interspersed with private information exchanges in which people like me aren’t even allowed in the room. So, if you’re interested in this event for you or your company, there are links in the story attached to this podcast with information where you can get more information on tickets and details of the event. Brian, thank you so much for being here.

Thank you. Enjoyed our conversation.

Thanks to all of you for watching and listening. You can always watch our extensive back catalog of episodes on TVNewsCheck.com or on our YouTube channel, as well as on most places where you get your audio podcast. We’re back most Fridays with a new episode. Thanks for watching this one and see you next time.