Why security audits alone fail in broadcast environments

Security audits and penetration tests have become a routine part of cybersecurity programs across media and entertainment. In broadcast, they are often treated as proof of readiness: a clean report, a checklist completed, a requirement satisfied. But audits, by themselves, are not enough.

In modern broadcast environments — shaped by IP-based production, cloud workflows and distributed teams — point-in-time assessments struggle to capture how systems actually behave under live conditions. They identify gaps on paper, but often miss the operational risks that cause real-world outages, disruptions and breaches.

“Security audits provide a structured evaluation of your infrastructure,” said Jan Helgesen, head of product and solutions at Nevion. “But penetration testing is what reveals how an attacker would actually move through a media chain instead of how engineers believe the system operates.”

Even then, penetration testing has limits when treated as an episodic exercise rather than part of an ongoing operational discipline.

The problem with snapshots in live systems

Audits are, by design, snapshots. They examine configurations, policies and controls at a specific moment in time. Broadcast environments, however, are rarely static.

Live production systems change constantly. Devices are added or repurposed for events. Temporary workflows are spun up for remote production. Cloud resources scale dynamically. Vendors and freelancers gain access, then move on. In that environment, yesterday’s audit may say little about today’s risk.

Why ‘zero trust’ means something different in live production

“Regular audits reveal the gaps between policy and practice,” said Simon Parkinson, managing director at Dot Group. “But continuous monitoring provides the real-time intelligence that point-in-time audits miss.”

Configuration drift is a common issue.

Advertisement

Systems that were secure when assessed may slowly deviate as patches are delayed, ports are opened for troubleshooting or temporary workarounds become permanent.

“In hybrid environments, security configurations may drift without anyone noticing,” Parkinson said. “That drift is where attackers tend to find opportunities.”

Broadcast infrastructure is not enterprise IT

Another limitation is that many audits are rooted in enterprise IT assumptions that do not map cleanly to broadcast operations. Standard frameworks tend to focus on servers, users and applications, while overlooking timing systems, control paths and proprietary media devices.

“The quiet failures never appear on spreadsheets,” said Sergio Ammirata, founder and chief scientist at SipRadius. “A control device running the same vulnerable build for years, or a switch that was never configured to block external access — those are the risks audits often miss.”

Broadcast chains include encoders, gateways, timing sources and orchestration systems that may not support agents, logging or standard authentication. These devices are critical to live output, yet frequently fall outside traditional audit scopes.

“The hidden risks are usually in the corners nobody thinks to inspect,” Ammirata said.

Steph Lone, global leader for media and entertainment solutions architecture at Amazon Web Services, said audits are useful starting points but insufficient on their own.

“Modern security at scale demands continuous monitoring and automatic action,” Lone said. “Detecting changes as they occur is critical, particularly in cloud-based systems.”

Penetration testing reveals intent, not endurance

Penetration testing is often cited as the solution to audit limitations. By simulating real-world attacks, it can expose paths that documentation-based reviews overlook.

“Penetration testing simulates real-world attacks, allowing ethical hackers to exploit vulnerabilities as an attacker would,” Helgesen said.

But even penetration tests are typically time-bound exercises. They demonstrate how a system can be compromised, not how it behaves over months of operation under live conditions.

“Penetration tests expose how an attacker would move through a media chain,” Ammirata said. “They don’t tell you how the system behaves at 3 a.m. during a breaking news event.”

Advertisement

In live broadcast environments, endurance matters. Attacks may unfold slowly, exploiting unattended systems, flat networks or forgotten access paths. Those dynamics rarely surface during short testing windows.

A recurring theme between audits and testing, the disconnect between compliance-driven security and operational reality. Passing an audit does not guarantee resilience during an incident.

“A recurring challenge is the perception that cybersecurity is an IT issue rather than a direct broadcast risk,” said Michael Benda, chief security officer at Big Blue Marble. “Cyber incidents can disrupt live programming, compromise content integrity and damage audience trust.”

Audits tend to emphasize whether controls exist, not whether teams can respond under pressure. Incident response, escalation paths and decision-making authority are often documented but untested.

“Well-defined incident response plans ensure teams act quickly,” said Crystal Pham, vice president of operations and program management at the Trusted Partner Network. “But they must be exercised regularly to be effective.”

Without rehearsal, response plans may fail when timing matters most.

Continuous monitoring closes the gap

Sudits should be complemented by continuous monitoring that reflects how broadcast systems actually operate.

“Proactive monitoring platforms can inform operators of suspicious activity as soon as it is detected,” said Helgesen. “That enables near-instantaneous investigation and response.”

Monitoring also provides context that audits lack. Instead of checking whether a port is open, teams can see how traffic behaves. Instead of verifying access policies, they can observe how users and devices interact in practice.

“Automated compliance workflows transform audit preparation,” Parkinson said. “But ongoing vulnerability assessments ensure you find weaknesses before attackers exploit them.”

Advertisement

In broadcast environments, visibility must extend beyond IT systems into production and playout workflows, where small anomalies can escalate quickly.

“In flat, timing-sensitive networks, incidents spread fast,” said Jamie Horner, senior vice president of corporate strategy at Providius, in earlier responses. “Visibility is essential.”

Technology alone cannot replace trained personnel. 

“Monitoring tools are not sufficient on their own,” said Damien Sterkers, vice president of products and solutions marketing at Broadpeak. “In critical moments, the most effective response relies on skilled personnel who are trained to react and take immediate initiative.”

Audits rarely measure human readiness. They do not assess whether teams understand the implications of a compromised encoder, a misrouted stream or a delayed signal. They do not test coordination between engineering, editorial and IT during a live incident. That gap can be costly.

None of this diminishes the value of audits or penetration testing. They remain essential for establishing baselines, identifying blind spots and demonstrating due diligence. But treating them as sufficient creates a false sense of security.

“Security assessments help organizations identify hidden vulnerabilities,” Pham said. “But they must drive continuous remediation, not just documentation.”

In broadcast environments, assurance comes from sustained visibility, operational testing and the ability to respond without taking the show off the air.

Audits can tell broadcasters where they were vulnerable yesterday. Continuous monitoring and operational preparedness determine whether they stay on air tomorrow.