Blueprint for Success: No Clean Separation for AV and IT

Mathew Newfield, Diversified

For years, AV and IT existed in separate worlds. AV systems were judged solely on features and user experience; cybersecurity wasn't part of the AV conversation (and, to a large extent, it still isn’t). CIOs largely ignored AV equipment tucked in corporate production studios, and CISOs saw little reason for concern, as long as AV systems were air-gapped.

But that clean separation is now a thing of the past. AV software suppliers have embraced IT protocols and introduced IP-based solutions. Today’s AV solutions access the internet, often have remote management capabilities, and are delivered and consumed using software-as-a-service, platform-as-a-service, and infrastructure-as-a-service models. As a result, many organizations are calling on their CISOs and CIOs to take ownership of their AV environments.

Despite major advancements, AV systems still lag years behind their IT counterparts in patch management, certification, and testing. Retrofitting modern cybersecurity controls such as VPNs or microsegmentation onto an AV or media solution can be especially difficult because AV environments were not designed with these protections in mind.

Additionally, AV systems are far less tolerant than IT systems of latency and of jitter (variation in latency), both of which controls such as encryption, traffic inspection, and tunneling can introduce. If it takes a few extra seconds for an employee on a corporate laptop to bring up a web browser or open an application, that delay isn't going to impact your business. But if an AV broadcast out of your facility picks up too much latency or jitter, the result is choppy audio, dropped frames, loss of sync between audio and video, freezing video, and other problems that degrade the content and the experience of the viewers and listeners.
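To make the latency-versus-jitter distinction concrete, here is an added Python example (not from the article and not Diversified's code) that computes one-way latency and the RFC 3550 interarrival jitter estimate over two constructed packet timelines: one path that adds a constant delay, as a well-behaved inspection point or tunnel would, and one that adds a delay that swings from packet to packet. The stream (20 ms audio frames), the two delay profiles, and the budgets (100 ms latency, 30 ms jitter) are illustrative assumptions, not figures from the article.

```python
"""Latency vs. jitter on a constructed AV packet stream.

Added example: shows why a security control that adds a *constant* delay
can be acceptable for media while one that adds a *variable* delay is not,
even when its average delay is lower. Jitter uses the RFC 3550 (RTP)
interarrival jitter estimator. All timings below are constructed sample
data in milliseconds; the budgets are illustrative assumptions.
"""

FRAME_INTERVAL_MS = 20   # constructed: one audio frame every 20 ms
FRAME_COUNT = 50


def one_way_delays(sent_ms, recv_ms):
    """Per-packet one-way latency: arrival time minus send time."""
    return [r - s for s, r in zip(sent_ms, recv_ms)]


def rfc3550_jitter(sent_ms, recv_ms):
    """RFC 3550 section 6.4.1 interarrival jitter estimate.

    D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1})
    J_i      = J_{i-1} + (|D(i-1,i)| - J_{i-1}) / 16
    A stream with a perfectly constant delay yields J = 0.
    """
    jitter = 0.0
    prev = None
    for s, r in zip(sent_ms, recv_ms):
        if prev is not None:
            d = (r - prev[1]) - (s - prev[0])
            jitter += (abs(d) - jitter) / 16.0
        prev = (s, r)
    return jitter


def assess_stream(sent_ms, recv_ms, max_latency_ms=100.0, jitter_budget_ms=30.0):
    """Return latency/jitter figures and whether the path fits the budgets.

    Budgets are hypothetical; a real broadcast chain sets its own.
    """
    delays = one_way_delays(sent_ms, recv_ms)
    mean_latency = sum(delays) / len(delays)
    jitter = rfc3550_jitter(sent_ms, recv_ms)
    return {
        "mean_latency_ms": mean_latency,
        "jitter_ms": jitter,
        "within_budget": mean_latency <= max_latency_ms and jitter <= jitter_budget_ms,
    }


# Constructed send schedule: FRAME_COUNT frames, FRAME_INTERVAL_MS apart.
SENT_MS = [i * FRAME_INTERVAL_MS for i in range(FRAME_COUNT)]

# Path A (constructed): a control that adds a steady 80 ms to every packet.
RECV_CONSTANT_MS = [s + 80 for s in SENT_MS]

# Path B (constructed): a control whose added delay alternates 20 ms / 60 ms.
# Its average delay (40 ms) is *lower* than path A's, but it swings by 40 ms
# between consecutive packets.
RECV_VARIABLE_MS = [s + (20 if i % 2 == 0 else 60) for i, s in enumerate(SENT_MS)]


def compare_paths():
    """Assess both constructed paths against the same budgets."""
    return {
        "constant_delay": assess_stream(SENT_MS, RECV_CONSTANT_MS),
        "variable_delay": assess_stream(SENT_MS, RECV_VARIABLE_MS),
    }


if __name__ == "__main__":
    for name, result in compare_paths().items():
        print(f"{name:15s} latency={result['mean_latency_ms']:.1f} ms "
              f"jitter={result['jitter_ms']:.1f} ms "
              f"{'OK' if result['within_budget'] else 'OUT OF BUDGET'}")
```

The constant-delay path reports 80 ms latency and zero jitter and passes; the variable-delay path reports only 40 ms average latency but roughly 38 ms of jitter and fails. That is the figure to ask a vendor or integrator for when evaluating a VPN, inspection appliance, or segmentation gateway on a media path: not just how much delay it adds, but how stable that delay is.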

Unsure where to begin with AV cybersecurity? Start here.

Early Involvement

Implementing an AV environment without understanding and addressing the requirements of your organization’s CIO and CISO is like building a house without including electrical wiring. Your new AV system may look great, but if it lacks crucial pieces, it can bring your project to a screeching halt and you may have to rebuild the AV system to meet those requirements.

Ask your CIO and CISO for their requirements at the beginning of your AV project planning. CISOs may have certification requirements and need the project to follow frameworks and guidance such as those published by NIST and/or OWASP. Ask them to share a full list of their cybersecurity requirements.

Most CIOs will ask questions about access, the patch management process, what controls will be used, and what systems IT needs to connect for monitoring uptime and downtime as well as alerts. But every CISO and CIO has different requirements and concerns, so ask them exactly what they need.

Involving your CIO and CISO at the onset of your AV projects will spare you costly and frustrating do-overs, eliminate much of the consternation associated with these efforts, and enable you to get your AV program implemented more successfully and far faster.

Include Control Requirements

Typical AV requests for proposals (RFPs) include details about what functionality a company wants, how many rooms they are looking to outfit, and when they need the job to be done. But you don’t often see cybersecurity and IT control requirements in these invitations to potential partners—and that’s an oversight.

Include those requirements if you issue an AV RFP. If your partner doesn't understand cybersecurity and tech stack controls, you will run into problems, because your integrator won't be able to answer questions from your CIO and CISO. Also, initiate conversations with your product manufacturers. Ask questions such as: What does your patch management program look like? What can you tell me about your third-party testing program? What is your current product revision? Have you done user acceptance testing that you can share, so we can verify that your solution will interoperate with our existing environments?

Getting answers to these questions, and aligning cybersecurity and IT control requirements, can go a long way toward preventing issues that could impact your overall environment. You don't want to run into a situation in which an untested patch is automatically deployed, floods the network with traffic, and takes down other parts of your infrastructure.

In the past, when AV environments were isolated, such issues were not a concern. But in today’s connected environment, AV has the potential to take down infrastructure like core switches and firewalls.

Not a One-Time Exercise

Even if you get your CIO and CISO involved in your AV project from the start, share their requirements with your AV integrator and suppliers, and work together to implement a solution that is built with the proper cybersecurity and IT controls, there’s still important work to do. Given configuration changes, new patches, and other evolving situations, you will want to revisit, test, and potentially make changes to your cybersecurity and IT controls on a periodic basis.

You may even want to consider contracting with your AV integrator or other partner to do an independent security verification of your AV environment every time you implement a patch. Nothing is bulletproof, but your organization will be more resilient if you do regular testing. Seek an integrator that looks beyond just the features and functionality aspects of AV solutions and brings cybersecurity and IT controls to the forefront of all of its designs and conversations.

Partners with cybersecurity expertise and capabilities—from Security Technical Implementation Guides (STIGs) to third-party verification—can address your CIO and CISO’s requirements. What’s more, they can raise critical questions your organization needs to think about but may not have even considered.

In fact, it’s similar to what happened when IT and operational technology converged and internet of things (IoT) devices came onto organizations’ networks. Events like the Target breach, where adversaries came in through an HVAC contractor, and the casino attack, in which bad actors gained entry via a fish tank thermometer, demonstrated that vulnerabilities are everywhere and cyberattacks can originate from the most unexpected places.

In the wake of this, businesses realized they needed to prevent adversaries from getting access to and through these systems, implement secure patch management, and take other steps to control and secure these environments. With IT, IoT, and AV coming together, AV is now just part of the mix.

Don’t wait to address AV cybersecurity. Make it foundational to all your AV projects.

Mathew Newfield is the president and chief commercial officer for Diversified. With more than 20 years of leadership and expertise, he bridges the worlds of security, cloud solutions, and sophisticated media and broadcast technology. During his career, Mat held executive roles at industry leaders IBM and Unisys, where he specialized in designing and executing risk control, management, and mitigation strategies for their global, multibillion-dollar operations. A forward-thinking leader, Mat plays a key role in driving innovation and operational efficiency at Diversified. He also lends his expertise to the broader technology community as a board member and vice chair of the Cybersecurity Maturity Model Certification Accreditation Body, contributing to the advancement of national cybersecurity standards and industry best practices.