Securing the Stream: Inside Brightcove’s Security Strategy
The global shift to remote work has transformed video streaming from a convenience into critical infrastructure. Enterprises now depend on video platforms for everything from employee training to customer engagement, while media companies deliver content to millions of viewers worldwide. This evolution brings new security challenges: content must be protected from piracy, user data safeguarded and streaming quality maintained in the face of increasingly complex cyber threats.
These challenges converge at companies like Brightcove, which operates a video streaming platform for companies in more than 60 countries. After winning two Technology and Engineering Emmy Awards for innovation, Brightcove has focused on developing security frameworks that can scale across global networks while maintaining the performance demands of video delivery.
At the helm of this security operation is Karen Holmes, Head of Business Security at Brightcove. Her path to securing streaming media wound through military service and financial compliance. “Cybersecurity found me rather than me pursuing it,” Karen says, describing her progression through Sarbanes-Oxley legislation and GLBA compliance before entering the streaming sector. “I have five children, so I know how to catch people doing bad things. I realised this really fed into my normal life – that combination of ADD and OCD that you need to keep 27 balls in the air and not drop a single one.”
The challenge facing streaming security teams extends beyond traditional cybersecurity concerns. Video platforms must balance content protection with accessibility, manage varying compliance requirements across territories and ensure seamless delivery while maintaining robust security controls. For companies like Brightcove, this means developing security frameworks that can adapt to both emerging threats and evolving business needs.
The unique security landscape of video streaming
Video streaming security presents distinct challenges from traditional content delivery. The infrastructure must protect both content and user data across global networks while maintaining streaming quality. Karen’s previous role managing security for a cruise line offers perspective on these distributed systems.
“Cruise ships are floating data centres. They have WiFi, they’re holding personally identifiable information, HIPAA data, and there are life safety issues with bridge systems,” Karen explains. “Managing potential cyber events and incidents when you're working over satellites with ships all over the world is incredibly complex. Every day, your data centres are in a new place, and you’re relying on good satellite coverage, while you have guests concerned about their internet speeds.”
This experience with complex, moving infrastructure translates to Brightcove’s global content delivery network, where security must function across jurisdictions and technical environments. The company’s security framework centres on ISO 27001 certification, an international standard for information security management that enables consistent controls across borders.
Having recently passed its ISO 27001 certification audit, the certification process required demonstrating security controls across all operations, from development to delivery.
“ISO is the basis of everything we do because we are an international company. If the NIST framework seems to make more sense for a particular customer, we can pull in components of a NIST framework. I've pulled in COBIT so we can understand the business processes we’re tying the security processes to.”
“For me, it’s about creating an equal playing field for security across everything that Brightcove does. Every engineer knows the security rules. By following an international standard like ISO – which is best practice for managing security – everyone knows what they should be doing. The easiest way to secure data is to gather what you need for the purpose you need it, gather nothing else, and delete the data when you're done with it.”
Building a security-first culture
Brightcove’s approach to security integration reflects a deliberate cultural shift away from traditional, siloed security models. The transformation begins with a fundamental principle: security cannot be an obstacle to business objectives. “Cybersecurity needs to simply not be the power of no,” Karen emphasises. “The whole idea is to always find a way to yes and truly partner. Security can’t be the speed bump or the toll booth.”
This philosophy manifests in early security involvement with product development. Rather than treating security as an afterthought, Brightcove integrates security considerations from the earliest stages of product conception. The recent launch of the company's AI suite demonstrates this approach in action. “My team was involved throughout the conversations about what it would and wouldn't do, along with legal,” Karen explains. “There was amazing collaboration to put out this enabling tool for our customers.”
The results of this collaborative approach are evident in the strong partnerships formed across the organisation. “By adopting that ‘there’s always a way to yes’ strategy, I have amazing partners inside the engineering organisation,” Karen notes. “I’m included in their meetings and project planning. My team can do assessments and point out potential problems before something goes into production.”
Central to this success is creating an environment where teams feel safe discussing security concerns. Karen has established clear principles for cross-departmental collaboration: “It’s about building robust processes that stretch across departments and understanding this is a safe place. Let’s fix the problem, not fix blame.” This approach builds trust and encourages open communication. “Once people realise they can trust you and you're not there in an adversarial relationship, it really helps.”
This collaborative approach is particularly crucial in software development, where security needs to be considered from the start. “If you’re not baking security into what you’re doing and you’re trying to bolt it on later, you will fail,” Karen states. She challenges teams to think about the long-term implications of bypassing security measures: “I ask people: How can you not have time to do it right the first time, but somehow in six months you're going to have time to go back and redo it? When you point that out, they usually get it.”
This balance between security requirements and development pressures requires constant attention. “People want to do the right thing immediately, but there's also development pressure on the other side,” Karen acknowledges. The solution lies in maintaining continuous engagement: “By really being in the car with them and partnering with them the whole way, they don't see you as something holding them up. They start talking to you during ideation, which is foundational to the process.”
Technical infrastructure and response
Brightcove's technical security infrastructure relies on integration between specialised tools. The company partners with SentinelOne for endpoint protection, Wiz for cloud security, and Mimecast for email security. "You cannot expect engineers to be logging into 27 different dashboards and manually correlating what that data means," Karen explains. "Everything must be about interoperable tools and automation that can respond in nanoseconds."
The incident response framework emphasises rapid engagement and automation. "We follow the basic incident handling framework that everyone uses - there's no secret sauce in a technical response team, incident response team, and incident management team," Karen explains. "The tools need to be able to take action before you've woken an engineer up in the middle of the night - quarantine, drop a connection, then wake someone up to review it."
Annual breach tabletop exercises with executive and senior leadership ensure role clarity during incidents. These exercises simulate various attack scenarios, testing response procedures and communication channels. The security team maintains partnerships with external response firms, enabling rapid escalation when needed.
Emerging challenges and future focus
The emergence of AI presents new challenges for video streaming security. Karen identifies AI-powered threats as a priority: "ChatGPT is amazing, but not everybody using AI tools are peaceful hunter gatherers. Bad actors are using these too."
The business impact of security measures receives constant evaluation. "It's really about cost-benefit analysis - never spend $20 to protect a $1 item," Karen states. This calculation influences security resource allocation, particularly during high-value streaming events: "If we're live streaming a huge sporting event, that's a priority. When making load balancing decisions for security, I'm going to focus on that live event, ensuring it's streaming well, secure, and providing a great user experience, while all the best practices for ISO maintain the secure environment for all customer content at all times "
“Like all security professionals, I both fear a big security incident and get an adrenaline rush from handling one. We need to be able to correlate all that data in very few places where we can pull meaningful metrics and understand our mean time to detection and remediation. “We work with partners like Softchoice, who do an amazing job. If I have a problem, they bring me options. I affectionately call it "vendor speed dating" where you're evaluating different products, but utilizing those partnerships to find the right fit for your organization. Build a robust process first, then find a tool that fits your process.”
The future of streaming security
As artificial intelligence reshapes both threats and defences, Brightcove is adapting its security infrastructure. “We’re examining what AI our partners will offer to help respond faster to emerging threats,” Karen explains. “So much is going to change over the next couple of years because of AI that our partners will have to keep up.”
The pace of cyber threats has already transformed incident response. “The days of getting an alert, waking up, getting coffee, and then investigating - those days are gone,” Karen notes. “You have to have tools in place that respond in an automated fashion.”
In an environment of constant change, staying ahead of emerging threats requires constant vigilance. “There's always something new around the corner that we haven't seen, so it’s about maintaining our established level of security as we grow and evolve,” Karen reflects. “People always ask what keeps you up at night, and my answer is ‘I don’t know what I don’t know.’ I read threat feeds before bed – it’s all about staying ahead of what's coming next.”
Explore the latest edition of Cyber Magazine and be part of the conversation at our global conference series, Tech & AI LIVE and Cyber LIVE.
Discover all our upcoming events and secure your tickets today.
Cyber Magazine is a BizClik brand




