Investment in connected device security has accelerated as upcoming legislation affecting the sector becomes more prominent, according to PSA Certified. This acceleration also highlights a noticeable difference from last year in the level of demand from industry customers and, more importantly, consumers.
The annual barometer of industry perceptions and intentions around connected device security surveyed 1,240 technology decision makers worldwide, and found that 75% of businesses report that security has become a bigger business priority in the last 12 months, and they are spending on average 15.3% more in security-related areas in 2023 compared to 2022.
The average spend per company on continuous security investment and the average spend on building security into products have both risen by 12%. Spending on external validation is also on the rise, with spending on third-party lab testing and evaluation rising by 24% and spending on security certification by 14%.
Exploring the reasons behind the increased investment, a significant factor is the desire to align with upcoming regulation worldwide, particularly EU legislation, which will have a big impact on businesses both inside and outside the European Union.
49% of those asked globally are monitoring and actively trying to adhere to the EU Cyber Resilience Act, 40% say the same of the EU Radio Equipment Directive (RED) and 39% say the same of the UK Product Security and Telecommunication Infrastructure (PSTI).
Industry has reached regulatory crossroads: companies acting now to stay ahead of compliance
Regulatory compliance was cited as a top three priority by 75% of respondents. Despite the pain points associated with ensuring compliance, 71% welcome new regulation and 69% are aiming for ‘first mover advantage’ by aligning with regulation ahead of time to gain an edge over competitors. Particularly notable is that 68% think they are already ahead of what’s required.
To put this development into context, 64% of those surveyed say they consider upcoming regulation, such as the EU’s Cyber Resilience Act, to be even more significant than GDPR (the EU’s General Data Protection Regulation, which has had a major impact on how data is shared globally). Referencing again the pull of consumer demand for more assurance over the security of connected devices, 65% of businesses think regulation will positively impact their bottom line.
However, uncertainty remains, as 69% of business leaders in the space say regulation still needs better definition and 64% say they need more guidance on how to comply.
“As security standards and regulations have evolved, ensuring trust is built into devices is front of mind for industry leaders. The value of having certified security in trusted components has been firmly established, and businesses predict it will only increase once buyers see it become law. Consequently they are motivated to stay ahead of the curve and align with regulation now,” said David Maidment, senior director, Secure Devices Ecosystem at Arm.
There are also clear signs that buyers are becoming more savvy and demanding a higher level of security. 65% look for security credentials when buying connected products as a consumer, and they are willing to pay more for it: 69% say they are happy to pay a premium for built-in security.
From a business perspective, the main reason respondents see security as beneficial to the bottom line is increased public trust in the company leading to greater sales (64%). On the flip side of that, loss of customers is the outcome cited as having the greatest impact on respondents’ businesses if a product were to suffer a security failure (at 29%), above reputation damage (27%), cost of paying damages (19%) and regulatory fines (11%).
As a result, 96% of tech decision makers see device security as a benefit to the bottom line.
Maidment continues: “In PSA Certified’s last report, we called 2022 a turning point for connected device security, as it was becoming a key pillar of technology strategy. Awareness has only increased since then; this year’s report finds that customers now demand it. This is where the dial has really shifted: public engagement with the topic has grown, and as a result expectations of security standards have increased. Investment in security features, experts and certification is no longer optional and must be prioritized.”
Firms take action to prove security robustness, but more is required to ensure best practice
Organizations are also increasingly adopting robust security measures to reduce risk and liability. 53% of those polled say a security certification is useful in proving robustness to customers – a 21% year-on-year increase.
Currently, the major obstacle businesses feel they face in achieving best practice security is having the skills to implement it. Lack of security specialists (29%) and complexity (25%) were the top barriers cited to implementing stronger security. Lack of specialists is an even bigger security roadblock for APAC professionals with 36% of respondents highlighting it as the top barrier.
With this in mind, businesses are moving to address the issue head on: a significant number of surveyed businesses plan on upskilling their current team on security skills (51%) and adding headcount (44%) in the next 12 months.
While there is a need to upskill internal teams, it’s well-recognized that there is a shortage of security experts globally. So it’s unsurprising that 72% also recognize that industry-led guidelines and processes are key for helping the industry to scale resources and reduce the need for large security teams to be deployed.
“These are positive signs for jobs and opportunities in the sector, but skills alone won’t solve the security threat. A scalable solution built with pre-certified trusted components combined with recognized standards and external testing are essential and there is growing industry consensus around this. The issue needs to be solved in a smarter, scalable way through the entire supply chain,” Maidment concluded.