With the global IT outage a very recent memory, and still not fully resolved for some CrowdStrike customers, software security and IT best practices are now (or certainly should be) big discussion points across organizations and industries.
Numerous digital signage CMS software providers have had announcements in the past year or two about attaining security certifications like SOC 2 for their platforms. But Screenly has gone a step further, signing what is called a Secure Design Pledge that, among several principles, puts the burden of security integrity on the software company, not the end-user/network operator.
Viktor Petersson, the founder and CEO of Screenly, explains things in a company blog post …
Every once in a while, you come across something that really resonates with your core values. For me, the most recent time this happened was when I came across CISA’s Secure by Design. At Screenly, we’ve been trying to lead the way in security since our inception. It is fair to say that we’re way ahead in the digital signage industry. Publicly committing to Secure by Design allows us to really put our money where our mouth is.
This is why we are very excited to be the first digital signage company to have signed CISA’s Secure Design Pledge. For those not familiar, the Cybersecurity and Infrastructure Security Agency (CISA) is a government agency under the Department of Homeland Security (DHS). The agency’s purpose is to advise both other government agencies and the industry on security best practices. This is the agency that is also lobbying for the use of Security Bill of Materials (SBOMs) as mentioned in the State of Security at Screenly – Ongoing Efforts and Improvements. However, Secure by Design is not just a US program; it is also a collaboration with the following agencies:
- Australian Cyber Security Centre (ACSC)
- Canadian Centre for Cyber Security (CCCS)
- Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand’s National Cyber Security Centre (NCSC-NZ)
- Cyber Security Agency of Singapore (CSA)
- Czech Republic’s National Cyber and Information Security Agency (NÚKIB)
- Germany’s Federal Office for Information Security (BSI)
- Israel’s National Cyber Directorate (INCD)
- Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
- Korea Internet & Security Agency (KISA)
- Netherlands’ National Cyber Security Centre (NCSC-NL)
- Norway’s National Cyber Security Center (NCSC-NO)
- OAS/CICTE Network of Government Cyber Incident Response Teams (CSIRT) Americas
- United Kingdom’s National Cyber Security Centre (NCSC-UK)
The core principles for Secure by Design are outlined in the whitepaper.
The rest of the article gets into the weeds on just the first principle: Taking Ownership of Customer Security Outcomes.
This is something that really resonates with us. Some of the items in this list are really obvious, but it’s good that they are highlighted to ensure no corners are cut. Too many vendors (particularly in the world of digital signage) just push the burden of security onto their customers. While some savvy customers have the tools and infrastructure for doing this, the reality is that the vast majority will just deploy the devices on the network and call it a day. This cohort will either assume (incorrectly) that security is owned by the vendor or not be savvy enough to even entertain the problem space.

