Have you ever experienced the thrill of the lights coming down in a movie theater as you shovel back popcorn and anticipate something you’ve never seen before? Legendary entertainment company MGM Studios has been delivering these experiences to customers worldwide for over a century. During the early 2000s, as high-profile breaches across the entertainment industry made headlines, MGM Studios was kickstarting its own digital transformation. Its priority, from a cybersecurity standpoint, was to remain a safe space for creators to tell stories that delight customers around the globe. Over the past decade, the studio’s security journey evolved dramatically. A Wiz partner since 2021, it successfully handled security threats such as Log4j, managed high-performance tech teams through difficult times, and more recently, completed a merger with Amazon.
At the recent AWS re:Invent conference, our Co-Founder and CPO, Yinon Costica, shared the stage with MGM Studios’ CISO, John Visneski, to talk about the studio’s security journey over the past decade. Visneski offered powerful insights into the past year at MGM and why it’s critical to use the right security tools if you want to bridge the divide between security and tech teams in the face of digital complexity.
Transformation adds complexity – but not headcount
A dramatic moment in Hollywood’s digital security history, the Sony hack, pushed media organizations like MGM Studios to become more serious about securing their intellectual property and quickly undergo digital transformations. Developing a safe space for creators to tell their stories is essential to what film studios do, and cybersecurity plays a huge role. While migrating to the cloud helped address this set of problems, it created new challenges.
“A digital transformation gives you added complexity. And added complexity gives you additional risk,” said Visneski. The cloud offered new technologies ranging from serverless functions to Kubernetes containers. But for many companies, as was the case for MGM Studios, the rising level of risk is rarely accompanied by a larger security team to monitor and manage these new risks.
In the absence of a growing headcount, Visneski noted that “security telling people what they can’t do fails really quickly.” It became critical for MGM Studios to find a new approach to security that included processes and skills along with new tooling and automation to help its security team keep up.
Democratizing security
To increase his organization’s impact, Visneski explored how to spread a security culture into the wider engineering teams and business units. Tools like Wiz offer MGM Studios an accessible, shared language that unifies the whole organization and removes the common ‘us and them’ construct of the past.
“It’s easier said than done, for the most part,” said Visneski. “But when you talk about democratization, and you give them access to the portal and the insights, they're hungry for that sort of thing. [It’s about giving] people the tools to actually fish for themselves. One, it makes you more secure, which is what we're here for. Two, it ends up building better relationships and reduces that natural friction that comes with me being the bad guy or the cop, and them being the people that are actually generating revenue for the company.”
Visneski pointed out that being a facilitator in the relationship, as opposed to just giving developers a to-do list, helps the security team concentrate on more critical challenges instead of having to constantly chase down and remediate vulnerabilities.
Additionally, in the context of dealing with an incident like Log4j, having the clarity to get everyone on the same page fast can make a big difference.
“Shared language between the security team and developers helps reduce the amount of tension that comes with these sorts of incidents. Shared language and having the context that comes with knowing what needs to be prioritized ends up being a force multiplier for your entire organization.”
John Visneski, CISO, MGM Studios
Securing a merger process: ultimate complexity management
When Amazon’s acquisition of MGM Studios was finalized in March 2022, Visneski managed the security transition. Describing his day-one experience as receiving “20 emails from five new bosses and seven new best friends,” he found himself with a staggering to-do list to ensure the technical integration was managed efficiently and securely.
“The hardest part of a merger and acquisition activity is not the technical stuff. It’s the cultural stuff,” he said. “You have one of the oldest film studios on the planet joining forces with the behemoth that is Amazon. Having a shared understanding of our first priorities for 30, 60, 90 days… spoiler alert: Amazon cares quite a bit about security.”
With the need to analyze the security implications of systems integration and identify differentiated risks, there was quickly a lot of new work on the list and no extra staff to get it done.
“Prioritization doesn’t just become a daily activity, it’s an hourly activity,” said Visneski. “How do we bring these things together and move forward in a way that meets the objectives from a security perspective for Amazon, but most importantly, doesn’t break the shiny new toy they just acquired?”
Wiz provided context and a shared understanding, becoming that centralized place where teams throughout the organization could have rational conversations about risk and move forward with them.
“There’s only so much you can do pre-acquisition to have an understanding of the entire threat landscape. There’s no guarantee that there’s going to be someone who can speak intelligently or eloquently about it,” says Visneski. “So what tools do we have at our disposal to help facilitate that conversation and get us moving in the right direction? The clock is always ticking.”
To hear more of Visneski’s insights, watch his interview during Yinon Costica’s Amazon re:Invent 2022 session, Context is Everything.