Screenly First Digital Signage CMS Software Company To Sign Multinational Secure By Design Pledge
July 31, 2024 by Dave Haynes
With the global IT outage a very recent memory, and still not fully resolved for some CrowdStrike customers, software security and IT best practices are now (or certainly should be) big discussion points across organizations and industries.
Numerous digital signage CMS software providers have had announcements in the past year or two about attaining security certifications like SOC 2 for their platforms. But Screenly has gone a step further, signing what is called a Secure Design Pledge that, among several principles, puts the burden of security integrity on the software company, not the end-user/network operator.
Viktor Petersson, the founder and CEO of Screenly, explains things in a company blog post …
Every once in a while, you come across something that really resonates with your core values. For me, the most recent time this happened was when I came across CISA’s Secure by Design. At Screenly, we’ve been trying to lead the way in security since our inception. It is fair to say that we’re way ahead in the digital signage industry. Publicly committing to Secure by Design allows us to really put our money where our mouth is.
This is why we are very excited to be the first digital signage company to have signed CISA’s Secure Design Pledge. For those not familiar, the Cybersecurity and Infrastructure Security Agency (CISA) is a government agency under the Department of Homeland Security (DHS). The agency’s purpose is to advise both other government agencies and the industry on security best practices. This is the agency that is also lobbying for the use of Security Bill of Materials (SBOMs) as mentioned in the State of Security at Screenly – Ongoing Efforts and Improvements. However, Secure by Design is not just a US program; it is also a collaboration with the following agencies:
- Australian Cyber Security Centre (ACSC)
- Canadian Centre for Cyber Security (CCCS)
- Computer Emergency Response Team New Zealand (CERT NZ) and New Zealand’s National Cyber Security Centre (NCSC-NZ)
- Cyber Security Agency of Singapore (CSA)
- Czech Republic’s National Cyber and Information Security Agency (NÚKIB)
- Germany’s Federal Office for Information Security (BSI)
- Israel’s National Cyber Directorate (INCD)
- Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
- Korea Internet & Security Agency (KISA)
- Netherlands’ National Cyber Security Centre (NCSC-NL)
- Norway’s National Cyber Security Center (NCSC-NO)
- OAS/CICTE Network of Government Cyber Incident Response Teams (CSIRT) Americas
- United Kingdom’s National Cyber Security Centre (NCSC-UK)
The core principles for Secure by Design are outlined in the whitepaper.
The rest of the article gets into the weeds on just the first principle: Taking Ownership of Customer Security Outcomes.
This is something that really resonates with us. Some of the items in this list are really obvious, but it’s good that they are highlighted to ensure no corners are cut. Too many vendors (particularly in the world of digital signage) just push the burden of security onto their customers. While some savvy customers have the tools and infrastructure for doing this, the reality is that the vast majority will just deploy the devices on the network and call it a day. This cohort will either assume (incorrectly) that security is owned by the vendor or not be savvy enough to even entertain the problem space.
The Crowdstrike event appears to be a simple (unintentional) mistake that caused an inordinate amount of trouble (it is always the simplest ones that cause the most damage). Seems to me CISA has good ideas. I’m pretty sure nobody designs their systems to be insecure. However…
This is how bureaucracy is born and I’ll just bet this well-meaning organization – or another like it – will expand without limits … until their dogma calcifies and, in turn, also proves fallible.
Crowdstrike was a single point of failure. My hope is that “CISA” doesn’t repeat it.
(And thank goodness I retired!) Thanks Dave…
…and don’t even get me started on the lack of care and expertise exhibited by many end users. It is their network after all. CMS companies have many ways to help protect those networks… if permitted to do so.