August 20, 2018
While we are always excited to both learn and share the latest technical developments in cybersecurity (the recent Black Hat and DEF CON conferences were no exception), we also enjoy stepping back once in a while to look at macro trends in the embedded security industry. While security is a top priority in many enterprise and industrial settings, here are three key concepts that we think are important for us all to keep in mind:
Security can drive demand… and has pricing power
Instinctively it seems that companies are starting to value security when making purchasing decisions. However, this summer Bain released research showing some staggering statistics on IoT security opinions in the enterprise that substantiate those instincts:
- Enterprise customers will buy 70% more IoT devices if their security concerns are addressed
- Executives claimed they would be willing to pay 22% more for devices with better security [1]
Since we still do not yet have good models to financially price cybersecurity risk, these metrics provide signals of the financial benefit of security to device makers. However, effectively realizing this upside will require manufacturers to not only have a strong track record of security, but also be able to demonstrate this clearly in the market, which leads us to the next point.
Companies lack effective ways to measure security in their supply chain and procurement processes
While some companies are putting in place information security due diligence as part of procurement processes, this often takes the form of the dreaded vendor questionnaire. Some firms may take a more hands-on approach and test devices themselves, but this is time-consuming, and can be expensive and unscalable. The cybersecurity community has an opportunity to help companies:
- Move beyond questionnaires (with questions like “Does your company have a process to verify device security during development?”) to finding methods that actually validate the impact of bringing a new device onto a network
- Create standard and scalable avenues to get informed, verified data on device security
There are two sides of this problem – companies need to improve procurement and device makers need to find ways to demonstrate their security. This need has not gone unnoticed – activity is heating up in data, detection, and automated response, as evidenced by growing M&A activity in cybersecurity. Firms want to cover a broader spectrum of security gaps, which is creating the trend we address next.
M&A is leading to more vertical integration from manufacturing through deployment, but major gaps remain
Amazon Web Services acquired Harvest.ai [2], a security behavioral analytics company, Microsoft acquired Hexadite [2] to automate incident response, and ARM acquired Treasure Data [3] to gain an edge in securely managing IoT deployments. While these deals show how creative security solutions hold significant value for large enterprises, they do not yet close the loop on end-to-end IoT deployments. These solutions, while valuable, do not address the first stage of this problem – whether or not a device itself has major security flaws.
We are excited to be working at the center of this crucial domain, and look forward to projects which can, for example, create models to measure the risk a hospital acquires when it brings a new device onto its network, or the risk a utility is exposed to through its deployed devices. While the pace of innovation in this industry appears to be at an all-time high, more coordination is needed to help companies better understand their risk and provide clear paths to mitigation.
We would love to hear from you – whether you are a researcher looking to help solve these problems or a company facing difficult or unknown cybersecurity threats. We enjoy collaborating with both device makers and purchasers to solve these issues, and continue to work with both large and small companies to ensure the devices they produce or purchase meet industry expectations for security.
We encourage you to contact us if you have any questions or comments based on this post, as we value your feedback and would be happy to discuss your specific questions.
1. Bain & Company. (2018, August 07). Cybersecurity Is the Key to Unlocking Demand in the Internet of Things. Retrieved from https://www.bain.com/insights/cybersecurity-is-the-key-to-unlocking-demand-in-the-internet-of-things/
2. Morgan, S. (2017, November 03). Largest cybersecurity venture capital deals in 2017. Retrieved from https://www.csoonline.com/article/3235961/security/largest-cybersecurity-venture-capital-deals-in-2017.html
3. ARM Ltd. Arm acquires Treasure Data to set the stage for IoT transformation. Retrieved from https://www.arm.com/news/2018/08/arm-acquires-treasure-data