In the age of fake news, disinformation campaigns are about to get more sophisticated. It’s a pain point that has been plaguing social media platforms for the last few years, but with advances in technology, Mike Kelley, CISO of The E.W. Scripps Company, believes it can only get worse. The firm is one of the largest independent broadcast media companies in the US, with 36 television stations as well as content businesses like Newsy, Stitcher, Bounce, Grit, Escape, Laff and Triton.
“Democratic societies haven’t seen the worst of foreign influence operations. Harnessing the power of AI, one can create compelling, realistic videos using previous footage and overlay it with new audio completely changing the context of what the original video portrayed.” Kelley believes this is a concern not only for his broadcast company, on whose legitimate videos these alterations can be made, but for the population in general.
He has been thinking of ways to help the broadcast industry arm itself against the manipulation of video, but he is not sure something can be done in time for the next election cycle. “I think people just have to be more vigilant and think more critically about the content they see before jumping to conclusions,” he says.
“If we don’t, the division within our society will only get larger and people will continue to isolate themselves within their echo chambers with like-minded people – a scary possibility!”
Falling onto his lap
Kelley is Scripps’ first CISO, but this is not the first time he has worked at the company. After a stint at consulting company KPMG doing IT audit, he first worked at Scripps doing risk management and compliance. He eventually moved to a global company and prepared to do the same for a much broader employee base. At the last minute, he was asked to take on the security function as well.
“I had always been intrigued by the field of cybersecurity and way to break into it. I didn’t hesitate when asked and I seized the opportunity!”
Soon, the CIO at Scripps informed him that the company was hiring its first CISO, and he reached out. “I really enjoyed my time at Scripps and loved the mission-focused culture. I kept my eye on the company and saw they were doing creative things to diversify their portfolio.”
Not many broadcast companies hire a CISO, but Scripps decided to do so because it understood that cybersecurity was a growing business risk. Kelley found himself speaking often to the board of directors, all of whom were willing to hear about cybersecurity issues.
Department of KNOW, not Department of NO
Kelley believes that his background in risk management consulting is key to his success as a CISO. “It helps to be technical, but what makes a CISO good is understanding of the business,” he says.
“You can write your security policy using a framework, but that is not what will make you successful. Success is sitting down with people, listening to their concerns, and working with them to securely enable their operations. It is talking to them about threats and risks from their perspectives and how these will affect their operations.”
With the executive management, he lays down options on the level of security controls that can be applied. “I make suggestions, but if they decide not to go with those, I give them an understanding of the risk involved in that decision. My job is to educate them on the risks and enable them to make enlightened decisions.”
A deliberate approach
As a media organization, Scripps has thousands of domains, and its 4,600-strong workforce is vulnerable and exposed.
“Because we have a higher number of connections, we have a much larger internet footprint, we are more visible to the world and more exposed to potential threat actors,” he says.
Phishing is a serious threat, precisely because there are so many ways to contact Scripps people.
“As a result, we take a deliberate approach in training people to guard against phishing,” he says. “We assess and simulate. We have streamlined the process of reporting phishing, so that people can take active steps to stop it.”
Making sure that what people learn in training translates into everyday, security-aware behavior is always a challenge. “We don’t simulate once; we do it on a regular basis. We track metrics and if we see somebody consistently failing, then we conduct a one-on-one conversation. We provide general awareness services on our employee portal. We even try educating employees through cartoons – anything to drive home the message!”
Comfort in numbers
Kelley is active in peer groups, both in broadcast and cybersecurity circles. He participates in roundtable discussions, sharing roadmaps and walking through what each company is doing. “We share lessons learned, and also our pain points.”
He has just started an advocacy effort among fellow CISOs in the broadcasting industry in light of prevalent disinformation. They also talk to general managers of TV stations, show simulations, and give them an overview of how to respond to an incident.
“We have to get smarter and be ahead of the curve,” he says. And the best way to do this would be together.
“All these CISO gatherings become my mental therapy of sorts. You understand that you are not alone because you have others to lean on, to talk to, and they are feeling the same pain as you are.”
At the end of the day, Kelley thrives in his role and in the environment.
“I like uncertainty. This is why I love my job. Every day is so different; it’s never mundane, and you are sure to run into something new.”