Exploring the Practical Path of Cybersecurity Governance in Media Organizations: Postprint
Ling Yunyi
Submitted 2025-07-09 | ChinaXiv: chinaxiv-202507.00237

Abstract

[Objective] To examine cybersecurity governance in news organizations, explore solutions for it, and adapt to the governance requirements of the all-media and intelligent-media era. [Methods] Information system security level protection assessment is combined with cybersecurity technology and management practice to achieve secure operation under cybersecurity assurance. [Results] Cybersecurity governance systematically improves the security posture and security operations capability, ensuring safe system operation. [Conclusion] Cybersecurity, like production safety, is a fundamental safeguard. The practical exploration reported here serves as a reference for cybersecurity governance in other industry organizations.

Full Text

Exploring Practical Paths for Cybersecurity Governance in Media Organizations

Hainan Nanhai Net Media Co., Ltd., Haikou, Hainan 570100

Keywords: Cybersecurity; Level Protection; Information Systems; Media Convergence; Information Security

Media organizations' cybersecurity has developed alongside their own operational needs. Different dissemination carriers and production modes face distinct cybersecurity challenges; the impact and losses of incidents differ, and so do the requirements placed on cybersecurity work. Print-based media organizations, for instance, deployed their information systems mainly on internal networks, with internal staff as the main users, so the security perimeter was comparatively small. With appropriately configured VPN tunnels and network isolation, the externally exposed attack surface was limited, and the security posture resembled that of OA, financial and CRM systems.

Media organizations that use the internet as their primary dissemination channel, by contrast, have extended their information systems to serve end users, greatly increasing system exposure and complexity. At the same time, separating internal from external systems has become harder, and incidents have a larger impact and spread faster. As platforms grow more feature-rich, sensitivity to security events rises quickly, tolerance for risk falls, and costs escalate.

During this evolution, constrained by the policy environment, domestic and international contexts, network conditions, internal and external organizational environments, and market conditions, many media organizations' cybersecurity governance has experienced a process from nonexistence to establishment—except for a few units that recognized cybersecurity's importance early on. This systemic phenomenon is directly and indirectly related to the nature, institutional mechanisms, and technical environment of media organizations. Since cybersecurity work is supportive, similar to many operational maintenance tasks, it plays a critical role behind the scenes. However, cybersecurity governance is also costly and does not directly generate financial returns. Consequently, organizational leadership initially did not fully prioritize cybersecurity governance, resulting in insufficient initiative, inadequate attention, insufficient investment, and talent shortages that caused considerable damage. The proliferation of online information, frequent information system vulnerabilities, and inadequate governance mechanisms and legal frameworks were particularly prominent. Many organizations' systems operated with little or no protection—essentially "running naked"—offering virtually no defense against cyberattacks.

Against this background, incidents such as webpage defacement, server privilege escalation, reverse-shell (callback) control of hosts, DNS tampering, malware injection, DDoS attacks, weak-password exploitation, database breaches, hidden (dark) links and black-hat SEO occurred one after another. Within media organizations this gradually bred a resigned acceptance, and problem handling was crude: shutting systems down, restricting the backend, or restoring from backup. To some extent the situation of media organizations is a microcosm of the development of China's internet and its cybersecurity.

1. Historical Review of Cybersecurity Governance Development

1.1 First Stage of Cybersecurity Governance Development

Media organizations' cybersecurity has evolved in step with their development needs. Traditional print-media organizations deployed information systems mainly on internal networks with internal staff as the main users, so the security boundary was relatively small. With properly configured VPN tunnels and network isolation, the external attack surface was limited, and the security posture resembled that of OA, financial and CRM systems. The information security issues these organizations faced were mostly of other kinds: confidentiality of information, errors in published information, and failures of production systems.

1.2 Second Stage of Cybersecurity Governance Development

With social development and technological progress, changes in the media ecosystem, improvements to the legal framework and the rapid elevation of cybersecurity governance to a national strategy (above all the maturing of the legislative system) have created a top-down, systematic governance environment. For media organizations, their responsibilities and obligations, especially the critical duty of ideological security, together with successive reforms and changes in the network environment, have significantly raised cybersecurity awareness, particularly among leadership. This laid the foundation for improving governance, and organizations have gradually developed both awareness and concrete measures.

As the cybersecurity legislative system has improved and the digital economy and information technology have advanced, public cybersecurity awareness has risen rapidly. From organizational leadership to ordinary internet users, everyone now contributes to cybersecurity governance, creating a social environment conducive to security. Advances in security technology and in supporting technologies such as cloud computing and cloud security, together with systematic upgrades across the cybersecurity industry's supply chain (especially large-scale state investment in cybersecurity and related information industries), have lowered the cost of security and made investment feasible for media organizations with limited revenue.

Meanwhile, stronger regulatory enforcement and a changed enforcement environment have given media organizations' cybersecurity governance real executive weight, forming comprehensive, systematic safeguards and giving high-quality development the priority it needs. After roughly a decade, governance work in this second stage has made significant progress, and many first-stage problems have gradually been resolved. The cybersecurity philosophy of leadership and of the organization as a whole has improved, with investment made wherever possible, and experience has accumulated across successive generations of leadership. Cybersecurity work is cyclical, however: new problems keep emerging as systems develop. Achieving long-term governance requires exploring long-term paths and methods, which is the core purpose of this paper.

In summary, many problems were resolved over these two stages, yet many remain. Alongside rising cybersecurity awareness, media organizations still face system vulnerabilities, insufficient investment, inadequate institutions, management failures, talent shortages and weak R&D capability, and must keep working to strengthen systematic cybersecurity governance, gradually modernizing governance levels and capabilities for the new era.

2. Cybersecurity Governance Process

2.1 Cybersecurity Governance Expectations

Because cybersecurity is costly, governance must first define standardized objectives: what goals governance should achieve, how to achieve them, what specific tasks are required, and what investment is needed. For media organizations, which generally face revenue pressure, setting reasonable governance expectations is crucial. Expectations set too high drive up costs, hamper implementation and may waste investment; expectations set too low fail to meet substantive needs and expose the organization's production safety and external-facing security to high risk.

From the perspective of cybersecurity governance itself, it is a systematic project requiring definition of security needs within a standard framework, followed by project-based implementation. During engineering implementation, various tasks should be executed in phases and batches according to actual organizational conditions. Security requirements guide subsequent specific work and should be within a reasonable range without exceeding actual needs. So how should the standardization of cybersecurity needs or expectations be defined?

To address the systematic requirements of cybersecurity governance, China promulgated the Regulations of the People's Republic of China on the Security Protection of Computer Information Systems in 1994, which introduced graded (level) protection; together with the later measures and standards that built on them, this framework is commonly known as "Level Protection 1.0". The revised level protection standards issued for the new era, known as Level Protection 2.0, provide a comprehensive and systematic guide for cybersecurity governance, with defined standards to follow. Cybersecurity requirements can be essentially determined from these regulations and standards, combined with the organization's own governance needs and a cybersecurity risk assessment (see the framework diagram in [FIGURE:1]).

[FIGURE:1]

In short, under the requirements of these regulations and in combination with self-assessed cybersecurity needs and risk evaluations, cybersecurity requirements can be fundamentally established.

2.2 Cybersecurity Governance Measures

From a macro-strategic and traditional security perspective, most media organizations conduct cybersecurity governance within the Level Protection framework. In most cases, they believe that meeting basic legal constraints by purchasing and configuring cybersecurity hardware or products, guided by Level Protection assessment companies, and ultimately obtaining an assessment report with a passing score fulfills cybersecurity work requirements. However, the reality is that systems obtaining such legally compliant assessment reports still face significant possibilities of being compromised when confronted with cybersecurity threats. Therefore, we can conclude that the score achieved in Level Protection assessment represents only the minimum requirement for cybersecurity governance, far from meeting the actual risks and security needs faced.

Meanwhile, many media organizations' cybersecurity governance focuses primarily on protective systems and weighs external threats far more heavily than the internal network. This produces an incomplete, lopsided protection pattern that leaves significant hidden dangers, and many incidents in recent years bear its marks. At the same time, other parts of the security system, such as monitoring, talent and institutional systems, receive less attention; the factors behind this are complex and are not discussed here.

Furthermore, many media organizations take a delegation approach, relying entirely on cybersecurity vendors by purchasing security devices and products along with some security services, believing that cybersecurity problems can be solved by transferring trust. Practice shows this does not truly solve them. Moreover, given the technical composition of media organizations, their actual conditions and the way their security work has developed, the professional nature of cybersecurity is insufficiently understood. Without understanding how security problems form and what their root causes are, even the most advanced equipment or product cannot perform effectively. Security products are designed on the assumption that the surrounding environment is compliant (patched systems, hardened configurations, disciplined management); where actual management and information-system compliance remain low, as in many organizations, the products underperform.

The discussion above does not negate the necessity of cybersecurity systems but rather seeks scientific approaches to cybersecurity governance. We still need to conduct our micro-level cybersecurity governance practices under the macro guidance of the national cybersecurity governance system.

3. Addressing Cybersecurity from the Root

3.1 Root Cause Governance of Cybersecurity

As discussed above, media organizations failed during their development to implement the "three synchronizations" (security planned, built and put into use in step with the system itself) in system construction and operation. Early systems were mostly purchased, and the substantial cost of later updates and vulnerability patching was not borne. Many systems no longer receive technical support, so their vulnerabilities cannot be remediated. When building security systems, organizations therefore often take an outer-shell approach, deploying security devices at the system periphery while ignoring the vulnerabilities inside the system. In reality the risk is not significantly reduced: filtering external traffic through security devices is only a mitigation.

Information system defects or vulnerabilities often date from initial construction or even from design. The fundamental principle for solving cybersecurity problems should therefore be full-lifecycle governance beginning with the "three synchronizations", maintained consistently through later iterations. Internally, organizations should emphasize root-cause remediation of defects, fixing vulnerabilities and upgrading legacy systems to raise the security level. Externally, they should follow cybersecurity industry trends and acquire threat intelligence. Only by advancing both sides continuously and dynamically can security keep pace with the times and security operations be enabled at a fundamental level.

However, management issues cannot be ignored and will be discussed separately. There is no cheapest security, nor most expensive security—only the most appropriate security. Root cause and systematic cybersecurity governance involves multiple aspects including technical R&D capabilities, management capabilities, and financial resources. Organizations must make reasonable decisions based on their actual conditions.

3.2 Specific Technical Practices in Cybersecurity Governance

Based on Level Protection 2.0 standards, this paper does not intend to discuss all aspects of the entire cybersecurity system but focuses on several specific areas in practice.

3.2.1 Security Management Systems

The author's organization established a cybersecurity management system in 2014 under Level Protection 1.0 guidance, defining cybersecurity management personnel and supporting regulations. With overall cybersecurity development, the system has been continuously improved through annual Level Protection assessments, security drills, security inspections, and other supervisory requirements from higher authorities and internal cybersecurity construction needs. A relatively complete institutional system has now been formed. Additionally, compliance with policies from the national and local cyberspace administration, communications management departments, public security departments, and others requires media organizations to meet more regulatory provisions, particularly regarding compliance with non-technical regulatory specifications such as information review, content security, and content standards.

Many media organizations, however, now face sprawling rule sets and a gap between written regulations and actual implementation. Operating under these rules is costly, and so is maintaining the rules themselves. Nevertheless, from a compliance perspective, institutions are the forerunner and top-level design: the guiding framework for cybersecurity work, and they must be built.

3.2.2 Security Technical Environment

On the technical side, covering the physical environment, communication networks, area boundaries, applications and the computing environment (the technical requirement areas of Level Protection 2.0), media organizations should employ cybersecurity professionals, or at least staff with professional knowledge and a comprehensive understanding of security technology. Cybersecurity cannot be built on vague foundations; it must be reflected in the details of actual work.

Cloud computing has changed how cybersecurity work is done. When cloud solutions are adopted, the physical environment, communication network, area boundary and much of the computing environment are handled by the cloud provider, while responsibility for identities, configuration and applications remains with the organization. In practice, organizations must still master knowledge and capability across all of these areas. They cannot simply hand every security issue to an outsourcer: doing so abdicates responsibility for solving security problems while introducing the risks inherent in outsourcing.

As discussed above, many media organizations focus on protection when building security systems but lack monitoring and audit systems. Combined with fragmented management, this quietly reduces the effectiveness of governance. At the application security level in particular, audit functions rarely count as high-value business requirements and often go undeveloped. Monitoring and audit capability has a major bearing on the level of governance. Without it, the unknowns in cybersecurity work grow considerably: security managers do not fully know the state of the system around the clock, which leaves critical information gaps in subsequent emergency response, posture assessment and decisions about security construction, and reduces the soundness of those decisions.

Many media organizations still display an obvious outer-shell pattern. Where possible, they should promote integrated security systems guided by systems thinking. Applying the barrel principle (a system is only as secure as its weakest plank) and similar concepts can minimize the gaps between application security and security devices and products, and prevent systems from going live or operating with inherent flaws. When procuring security products and devices, security teams should evaluate products and solutions in depth to maximize the return on investment.

3.3 Management Issues in Cybersecurity Governance

Management issues in cybersecurity governance, namely security operations under the Level Protection 2.0 framework, involve the high cost of building and running a security operations system. Most media organizations lack the capacity to build a complete one and get by within the Level Protection compliance framework, maintaining basic institutional and technical protection. As the previous research shows, governance without a security operations system is essentially passive.

The author's organization faces this issue, with cybersecurity work remaining in a relatively ambiguous state where no one concerns themselves with cybersecurity conditions outside working hours. However, the essence of cybersecurity governance requires active management. Combined with imperfect cybersecurity monitoring and audit systems, cybersecurity operations effectively run in a "black box" state with very inaccurate cybersecurity posture awareness.
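As an added illustration of the monitoring and audit gap described in 3.2.2 and the unattended off-hours operation described here, the following Python example (not from the paper or the author's organization) sketches two minimal application-level capabilities: a hash-chained audit trail for CMS actions whose integrity can be verified after the fact, and a simple check that flags privileged actions performed outside working hours or from outside the internal address range. The event records, working hours, privileged-action list and the 10.0.0.0/8 internal range are all constructed assumptions.

```python
"""Added example (not from the paper): a tamper-evident application audit
trail plus an off-hours / external-source check over CMS admin events.
All events, hours and address ranges below are constructed assumptions."""
import hashlib
import ipaddress
import json
from datetime import datetime, time

GENESIS = "0" * 64  # hypothetical chain start for the first record

# Actions that change what the public site serves or who can administer it
# (assumed list; a real CMS would derive this from its own audit schema).
PRIVILEGED = {"user.create", "template.edit", "settings.dns", "plugin.install"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed office/VPN range
WORK_START, WORK_END = time(8, 30), time(19, 0)       # assumed working hours

# Constructed CMS events; 203.0.113.7 is a documentation-range address.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T09:12:00", "user": "editor01", "action": "publish",
     "target": "/news/123", "src": "10.0.5.21"},
    {"ts": "2025-06-01T14:40:00", "user": "admin", "action": "user.create",
     "target": "tmp_op", "src": "10.0.5.9"},
    {"ts": "2025-06-01T23:05:00", "user": "admin", "action": "template.edit",
     "target": "footer.html", "src": "203.0.113.7"},
    {"ts": "2025-06-02T03:17:00", "user": "editor01", "action": "publish",
     "target": "/news/124", "src": "203.0.113.7"},
    {"ts": "2025-06-02T10:02:00", "user": "admin", "action": "settings.dns",
     "target": "cdn_cname", "src": "10.0.5.9"},
]


def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_audit(log, event):
    """Append an event, chaining its hash to the previous record's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)})
    return log[-1]["hash"]


def build_log(events):
    log = []
    for ev in events:
        append_audit(log, ev)
    return log


def verify_chain(log):
    """Return -1 if every record links correctly, otherwise the index of the
    first record whose contents or predecessor link no longer match its hash."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev_hash or rec["hash"] != _digest(prev_hash, rec["event"]):
            return i
        prev_hash = rec["hash"]
    return -1


def flag_unattended(events, start=WORK_START, end=WORK_END):
    """Return (index, reasons) for events an operator should review: privileged
    actions outside working hours, or any action from outside the internal range."""
    findings = []
    for i, ev in enumerate(events):
        reasons = []
        t = datetime.fromisoformat(ev["ts"]).time()
        off_hours = not (start <= t < end)
        if off_hours and ev["action"] in PRIVILEGED:
            reasons.append("privileged action outside working hours")
        if ipaddress.ip_address(ev["src"]) not in INTERNAL_NET:
            reasons.append("source address outside internal range")
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    print("chain ok:", verify_chain(log) == -1)
    for idx, reasons in flag_unattended(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev['ts']} {ev['user']} {ev['action']} from {ev['src']}: {'; '.join(reasons)}")
```

The chain only proves that records were not altered after being written; in practice the log store itself would need restricted write access and off-host copies, and the flagged events would feed a review queue that someone is responsible for outside working hours.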

Management issues are, to some extent, the implementation of top-level organizational will and development strategy. The principle that "cybersecurity is 30% technology and 70% management" has not been truly accepted in many media organizations. In practice, whether technical work is done properly ultimately comes back to management: security policy management, system configuration, baseline compliance and other basic technical measures are only effective if management makes them so. Many leaders in media organizations do not come from technical backgrounds, however, and technically oriented leaders have not reached a high-level consensus with their peers. As a result, many incidents originate at the management level: information leakage, unapplied patches, unremediated vulnerabilities and weak passwords all result from a failure to manage proactively.

Building a proactively driven security operations management system is therefore crucial for media organizations' cybersecurity governance today. Passive approaches are unsuitable because losses from incidents cannot be reliably estimated in advance. Many matters require proactive action and anticipatory response, since learning by passively suffering incidents is not an option: the costs, conditions and consequences are not viable in reality.

4. Research on Key Issues in Cybersecurity Governance

4.1 Continuous Learning of Policies, Regulations, and Cybersecurity Technology

Cybersecurity governance is a long-term undertaking corresponding to the lifecycle of information systems and organizations. Media organizations and their technical teams should continuously update their knowledge systems, particularly regarding policies and regulations, cybersecurity posture, and new cybersecurity technologies. Externally, they should maintain awareness of compliance and security posture; internally, they should meet security assurance and operational needs.

Moreover, organizations should not simply understand various policies and regulations superficially but achieve mastery through comprehensive study. Different regulations have different focuses and may conflict in practice. Beyond following regulatory system requirements, specific problems require specific solutions. For example, many larger media organizations have launched multiple businesses and face different security compliance scenarios for different operations.

Learning cybersecurity technology should follow the principle of applicability to meet media organizations' governance needs. Organizations should not chase new technology for its own sake but align it with their own security needs. They should also research technologies specific to media organizations in depth; for instance, the three-level review and three-round proofreading mechanism ("three reviews and three proofreads") is unique to media organizations.

4.2 Cybersecurity Governance Under Dynamic Operations Support

During development, media organizations should establish their own cybersecurity operations systems to the greatest extent possible. Long-term and dynamic cybersecurity governance—particularly cybersecurity supported by new technologies such as artificial intelligence and big data—is the needed solution path. Simply purchasing external cybersecurity services cannot fundamentally solve their own problems well.

The author's organization ultimately resolved the driver for long-term cybersecurity governance by recruiting professional cybersecurity personnel after extensive exploration. Security vendors can provide solutions such as on-site personnel, penetration testing, risk assessment, detection services, and cybersecurity drills. However, these services are generally expensive, often unaffordable for media organizations, with low demand and mostly one-time services. Meanwhile, even with vendor personnel on-site, internal management coordination problems remain fundamentally unresolved—internal personnel know their own systems best.

Cybersecurity governance also demands high technical capabilities, particularly in R&D and technical management. Media organizations should invest more resources in building core technical capabilities. Systems that can be independently developed should be developed in-house to form a "three synchronizations" mechanism that actively and promptly solves cybersecurity problems. For procured systems, organizations should leverage their own technical capabilities combined with vendor capabilities to jointly promote cybersecurity problem-solving, particularly eliminating the behavior of turning a blind eye to problems.

Under a dynamic operations system, media organizations should avoid separating security from operations. Cybersecurity and operations are both safeguard systems for ensuring long-term safe system operation, with close and inseparable connections. For example, system availability and reliability are concerns not only for operations teams but also important indicators for cybersecurity, and both serve the same objectives. Simultaneously, cybersecurity work should be granted sufficiently high authority to enable high-quality operations under security assurance.

Based on years of summary and reflection from cybersecurity work practice in media organizations, this paper conducts specific analysis and practice on concrete problems in combination with internal and external environments and regulatory policies. The paper only studies key points and cannot comprehensively cover the entire cybersecurity system. After years of exploration, the author's organization has made certain progress in cybersecurity governance—through specific analysis and solutions for problems, vulnerability numbers continue to decrease, cybersecurity incident rates continue to decline, and cybersecurity assurance capabilities and levels steadily improve. Media organizations bear important responsibilities for ideological dissemination, where ideological security is of great significance. Only with cybersecurity as the backing can they achieve high-quality development under security assurance.

Author Biography: Ling Yunyi (1986—), male, from Tianshui, Gansu, Senior Engineer (Deputy Chief Engineer, in charge), Hainan Nanhai Net Media Co., Ltd. Research interests: media convergence, technology management, project management, software engineering, cybersecurity, etc.

(Responsible Editor: Li Yansong)
