Op-Ed: The Dirty Secret About Compliance and Digital Signage Security

August 23, 2025 by guest author, Florian Rotberg

Here’s the dirty little secret: you can pass SOC 2 or ISO 27001 compliance with your digital signage players running Windows 95. Or with a hopelessly outdated version of Android, Linux, or just about any operating system. Buyers see those shiny compliance badges and assume their vendor is secure.

That assumption is dangerous.

To be fair, SOC 2 and ISO 27001 do improve security posture. They force companies to formalize disaster recovery plans, prove they can restore backups, enable MFA across systems, and deploy device management for laptops and phones. This is all valuable hygiene, though much of it is a documentation exercise.

Here’s the catch: these certifications say almost nothing about signage players. Unless you encounter an unusually thorough auditor, those devices are out of scope. The cloud infrastructure and supporting tools may be covered, but the hardware being sold to customers, the signage players themselves, most likely is not.

This loophole allows vendors to ship devices running end-of-life operating systems riddled with vulnerabilities and still hold up a SOC 2 or ISO 27001 badge. And many do. At an industry event earlier this year, a vendor proudly launched “new” signage monitors built on an end-of-life version of Android. For context: if your Android players are running anything older than Android 13, they’re out of support. Google no longer provides patches, and your signage vendor is not backporting fixes – no matter what they claim.

I’ve seen it firsthand. Running basic security audits on signage players from well-known vendors revealed results that would horrify any CTO or CISO. And yet those vendors point to compliance badges as proof of security.

So what does security actually mean for signage players?

Every vendor will claim their devices are secure. But without proof, those claims are meaningless. Compliance badges don’t cover end-of-life operating systems, default passwords, insecure communication, or lack of automated security updates. Something like the UK government’s IoT Security Code of Practice, full of common-sense requirements, sits outside SOC 2 and ISO 27001.

And let’s be clear: you don’t even need a device management solution to pass compliance checks. That raises the critical question: even if a device is secure on day zero, who ensures it stays secure on day 100? Security issues will emerge. Pushing responsibility onto end users to manually update devices is lazy and reckless. Over-the-Air (OTA) updates and proper device management must be the vendor’s responsibility.

Why does this matter?

Because signage security isn’t just about embarrassing headlines of teenagers hijacking screens to display porn (a story Sixteen:Nine has covered repeatedly) or the political hack at Taipei airport. Those are PR problems. The real danger is when a compromised signage player becomes the entry point into your corporate network.

At DEF CON in Las Vegas just weeks ago, a Sophos researcher demonstrated exactly this: a signage player wasn’t the target, it was the foothold. From there, attackers could pivot into the corporate and cloud infrastructure.

That’s the risk too many overlook.

So where’s the hope?

The EU’s Cyber Resilience Act (CRA) may finally change the game. Vendors will no longer be able to wave a SOC 2 or ISO 27001 badge and call it proof of security. They’ll have to demonstrate it. Most experts agree CRA will require Software Bills of Materials (SBOMs).

Think of an SBOM as the ingredient list on a chocolate bar. Instead of cocoa and sugar, it lists every software component, version, and license. With this, organizations can scan for vulnerabilities using tools like Dependency-Track. SBOMs aren’t perfect, but they provide a much-needed litmus test for software security.
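As an added illustration (not part of the original op-ed, and not Dependency-Track’s code), here is a minimal Python scanner over a constructed CycloneDX-style SBOM: it flags an operating-system component below the Android 13 support threshold the article cites, a library older than the fix version in a constructed advisory list (the ADV-EXAMPLE id is a placeholder, not a real CVE), and any component that records no version at all, since an ingredient list without versions cannot be checked. The component names, versions and advisory records are assumptions made up for the example.

```python
import json
import re

# Constructed sample SBOM in CycloneDX JSON shape; not taken from any real player.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "operating-system", "name": "android", "version": "11"},
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
        {"type": "library", "name": "libpng", "version": "1.6.40"},
        {"type": "application", "name": "busybox"},  # no version recorded
    ],
})

# Constructed policy: oldest still-supported OS version (the article's Android 13 threshold).
EOL_OS_MINIMUM = {"android": "13"}

# Constructed advisory records; the id is a placeholder, not a real CVE.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "openssl", "fixed_in": "1.1.1l"},
]


def parse_version(v):
    """Split '1.1.1k' into comparable tokens: numbers sort before letter suffixes."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", v)]


def check_sbom(sbom_text, eol_minimum=EOL_OS_MINIMUM, advisories=ADVISORIES):
    """Return findings as (name, version, reason) tuples, in SBOM component order."""
    bom = json.loads(sbom_text)
    findings = []
    for comp in bom.get("components", []):
        name = comp.get("name", "").lower()
        version = comp.get("version")
        if not version:
            findings.append((name, "", "no version recorded; cannot be assessed"))
            continue
        if comp.get("type") == "operating-system" and name in eol_minimum:
            if parse_version(version) < parse_version(eol_minimum[name]):
                findings.append((name, version, f"end-of-life: below {eol_minimum[name]}"))
        for adv in advisories:
            if adv["name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append((name, version, f"{adv['id']}: fixed in {adv['fixed_in']}"))
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

A real scan swaps the constructed advisory list for a vulnerability database feed and runs on every SBOM a vendor ships, not once at purchase.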

The timing couldn’t be better. As signage deployments shift under IT rather than marketing or AV, buyers are asking tougher questions. IT departments often use Third-Party Risk Management (TPRM) tools that dig far deeper than surface-level certifications.

If CRA has teeth – and I believe it will – SBOMs will become standard. That shift will likely influence future versions of SOC 2 and ISO 27001, closing the loophole that currently allows insecure signage to hide behind compliance badges. We’re already seeing signs of this direction: PCI DSS 4.0, which governs credit card processors, now mandates a “software inventory.” That’s just another name for SBOM.

I’m optimistic. After a decade of shouting into the void about digital signage security, it finally feels like the industry is beginning to listen.

Viktor is the co-founder of Screenly, the leader in secure digital signage. Powering over 10,000 screens worldwide, Screenly is trusted by organizations like Capital One, NASA, and Lowe’s to deliver content with security at its core. The company’s roots trace back to Anthias, the most popular open-source digital signage project on GitHub, which started with the Raspberry Pi and helped set the standard for modern signage solutions. Earlier in his career, Viktor launched ventures including YippieMove, an email migration service, and Blotter, a Mac productivity app that reached the top 10 in the Mac App Store. Long before it was mainstream, he championed decentralized teams to bootstrap and scale his companies. In addition to Screenly, Viktor is also the founder of sbomify, a platform that simplifies SBOM management and compliance in today’s evolving cybersecurity landscape.