Spencer Stephens

Alumni (MICS 2020)


Threats from IoT, vulnerabilities in systems hardware and how policy makers can address the dynamic nature of cybersecurity.





My focus is on the areas of cybersecurity that are outside of established InfoSec practices. These are the threats from IoT, the vulnerabilities in systems hardware and how policymakers can address the dynamic nature of cybersecurity.

I am recognized as a leading technologist in the entertainment industry, manifest by the award by my peers of the Bob Lambert Technology Leadership Award of the Entertainment Technology Center at USC. My work has covered every part of the glass-to-glass content lifecycle.

Much of what our industry has learned about protecting content from theft is applicable to IoT devices and to hardware vulnerabilities such as those within the hardware root of trust. The security of the average IoT device is on a par with a DVD player where the security specification was published in 1996.


My undergraduate degree is a 1st class honors degree in physics from the University of Sussex; my graduate degree is an MS in computer science from Berkeley.

Early Career

My early career was as a software engineer and a systems designer in Silicon Valley, spending thousands of hours writing real-time C code for groundbreaking data communications systems. I worked closely with the hardware design team, debugging and testing hardware.

Current Career

I have worked as a technologist at Disney, Warner Bros., and Sony Pictures. Last year, I left Sony Pictures where I was CTO and founded a consulting practice. I have been working on cloud production workflows, cyber security in TV and movie production, AI for audience sentiment analysis and prediction and a digital product placement start-up.

Cyber Security in the Content Industry

Cybersecurity threats abound in the entertainment industry. Beyond the threats to the IT infrastructure that all organizations face, is theft of content. This happens with pre-release content from the production pipeline and in the consumer space. It is easy for some to dismiss theft of content as a victim-less crime, but the content industry is the only industry where companies are forced to compete against criminal enterprises with identical products and a zero cost of goods, and who are sometimes first to market.

Securing the production pipeline is challenging because of the volume of data (between 200TB and 1PB from the cameras alone), the distributed nature of production, workflows established when the risk was theft of a videotape, the use of small and individual suppliers outside of the corporate infrastructure, systems that were designed with minimal security and a, thankfully diminishing, mindset that A-list directors and producers should not be hindered by security measures such as two-factor authentication.

With 15 years’ experience in the field of content security in consumer delivery (DRMs, conditional access, forensic watermarking, digital cinema, etc) I am regarded as an expert. I was instrumental in the development of the MovieLabs’ Specification for Enhanced Content Protection (ECP). This specification brought about a step function in content security.

Many of us in the field know that loss cannot be prevented – the FIPS compliant security of a digital cinema projector can be defeated by a camcorder. The goal is to make the consumer experience for legitimate use the best possible while degrading the consumer experience for illegal use. Thus we seek to raise the bar, avoid class breaches, use forensic methods to determine compromised devices, mandate renewable security and, above all, have an answer to the question: you just got hacked, what are you going to do next?

Related Activities

I have spoken frequently on the topic of content security and piracy.

I am the executive producer of the Cyber Security Conference at the IBC broadcasting conference which addresses the broad spectrum of threats to the broadcast industry. I recruited security thought leaders from within the content sector and from the technology sector. Paul Rosen, former chief of staff at the US Department of Homeland Security, gave the keynote last year and this year’s keynote will be given by Rob Silvers, former Assistant Secretary for Cyber Policy at the U.S. Department of Homeland Security.

Last December I presented a paper to the CDSA Content Protection Summit that drew attention to hidden risks in the underlying technology used in standard security practices. For example, SMS and calls can be redirected because of vulnerabilities in the 40-year-old PSTN management protocol SS7. This has defeated two-factor authentication when it was used in conjunction with a phishing attack that collected passwords.

I am also a strong advocate of explainable AI. If an AI system develops abnormal behavior, for example, autonomous cars start driving into ponds, and if there is no way of determining why, then correcting the behavior is going to prove very difficult.


Last updated:

December 6, 2021