- Connected device security spend accelerates as three quarters (75%) of businesses report that security has become a bigger business priority in the last 12 months
- 7 in 10 aim to gain an edge over competitors by aligning early with upcoming regulation
- Firms are taking action to increase security robustness and plug perceived skills gaps, and 53% view certification as a key way to demonstrate best practice, a 21% year-on-year increase
Cambridge, UK — 29th June 2023: The PSA Certified 2023 Security Report – now in its third year – today reveals how investment in connected device security has accelerated as upcoming legislation affecting the sector becomes more front of mind. It also reveals a noticeable difference from last year’s report in the extent to which industry customers and crucially consumers now demand it.
The annual barometer of industry perceptions and intentions around connected device security surveyed 1,240 technology decision makers worldwide, and found that three quarters (75%) of businesses report that security has become a bigger business priority in the last 12 months, and they are spending on average 15.3% more in security-related areas in 2023 compared to 2022. The average spend per company on continuous security investment and on building security into products has risen by 12% for each. Spending on external validation is also on the rise, with spending on third-party lab testing and evaluation rising by 24% and spending on security certification by 14%.
Exploring the reasons behind the increased investment, a significant factor is the desire to align with upcoming regulation worldwide, particularly EU legislation, which will have a big impact on businesses both inside and outside the European Union. Around half (49%) of those asked globally are monitoring and actively trying to adhere to the EU Cyber Resilience Act, 40% say the same of the EU Radio Equipment Directive (RED) and 39% say the same of the UK Product Security and Telecommunications Infrastructure (PSTI).
Industry has reached regulatory crossroads: companies acting now to stay ahead of compliance
Regulatory compliance was cited as a top three priority by 75% of respondents. Despite the pain points associated with ensuring compliance, 71% welcome new regulation and 69% are aiming for ‘first mover advantage’ by aligning with regulation ahead of time to gain an edge over competitors. Particularly notable is that 68% think they are already ahead of what’s required.
To put this development into context, almost two-thirds (64%) of those surveyed say they consider upcoming regulation, such as the EU’s Cyber Resilience Act, to be even more significant than GDPR (the EU’s General Data Protection Regulation, which has had a major impact on how data is shared globally). Referencing again the pull of consumer demand for more assurance over the security of connected devices, 65% of businesses think regulation will positively impact their bottom line.
However, uncertainty remains, as 69% of business leaders in the space say regulation still needs better definition and 64% say they need more guidance on how to comply.
David Maidment, senior director, Secure Devices Ecosystem at Arm (a PSA Certified co-founder):
“As security standards and regulations have evolved, ensuring trust is built into devices is front of mind for industry leaders. The value of having certified security in trusted components has been firmly established, and businesses predict it will only increase once buyers see it become law. Consequently they are motivated to stay ahead of the curve and align with regulation now.”
There are also clear signs that buyers are becoming more savvy and demanding a higher level of security. Almost two-thirds (65%) look for security credentials when buying connected products as a consumer, and they are willing to pay more for it: over two thirds (69%) say they are happy to pay a premium for built-in security. From a business perspective, the main reason respondents see security as beneficial to the bottom line is increased public trust in the company leading to greater sales (64%). On the flip side of that, loss of customers is the outcome cited as having the greatest impact on respondents’ businesses if a product were to suffer a security failure (at 29%), above reputation damage (27%), cost of paying damages (19%) and regulatory fines (11%).
As a result, nearly all (96%) tech decision makers see device security as a benefit to the bottom line.
Maidment continues: “In PSA Certified’s last report, we called 2022 a turning point for connected device security, as it was becoming a key pillar of technology strategy. Awareness has only increased since then; this year’s report finds that customers now demand it. This is where the dial has really shifted: public engagement with the topic has grown, and as a result expectations of security standards have increased. Investment in security features, experts and certification is no longer optional and must be prioritized.”
Firms take action to prove security robustness, but more is required to ensure best practice
Organizations are also increasingly adopting robust security measures to reduce risk and liability. More than half of those polled say a security certification is useful in proving robustness to customers (53%) – a 21% year-on-year increase.
Currently, the major obstacle businesses feel they face in achieving best practice security is having the skills to implement it. Lack of security specialists (29%) and complexity (25%) were the top barriers cited to implementing stronger security. Lack of specialists is an even bigger security roadblock for APAC professionals with 36% of respondents highlighting it as the top barrier.
With this in mind, businesses are moving to address the issue head on: a significant number of surveyed businesses plan on upskilling their current team on security skills (51%) and adding headcount (44%) in the next 12 months. While there is a need to upskill internal teams, it’s well-recognized that there is a shortage of security experts globally. So it’s unsurprising that 72% also recognize that industry-led guidelines and processes are key for helping the industry to scale resources and reducing the need for large security teams to be deployed.
Maidment comments: “These are positive signs for jobs and opportunities in the sector, but skills alone won’t solve the security threat. A scalable solution built with pre-certified trusted components combined with recognized standards and external testing are essential and there is growing industry consensus around this. The issue needs to be solved in a smarter, scalable way through the entire supply chain.”
Find out more in the full report at https://report.psacertified.org/
Director, Head of Technology Strategy Product Marketing, Arm
PSA Certified Marketing Sub-Group Chair
About PSA Certified
PSA Certified is a global partnership of security-conscious companies who are proactively building security best practices into devices at scale. Our security framework and independent third-party evaluation scheme was originally spearheaded by Arm and six other security ecosystem leaders (and now maintained by Applus+ Laboratories, CAICT, ECSEC Laboratory, ProvenRun, Riscure, SGS Brightsight, Serma, TrustCB, and UL) providing the resources needed to build upon the Root of Trust.
PSA Certified has scaled to become one of the fastest growing, most valued security ecosystems, globally. Being awarded ‘Ecosystem of the Year’ in the IoT Global Awards 2021 is testament to the role it has played in uniting industry, standards bodies, regulators and insurers together under one initiative. In doing so it’s accelerating the cross-industry collaboration required to untap the full potential of the IoT.
Fast approaching 150 certifications from over 85 partners, PSA Certified has democratized the adoption of security across the electronics industry, giving the ecosystem the confidence to innovate, while protecting consumers from the most common hacks.
Find out more: psacertified.org/
Notes to editors
The core findings in this report were drawn from a survey conducted among 1,240 technology decision makers and consultants in North America (Canada and US), Europe (Denmark, France, Germany, Italy, Netherlands, Norway, Sweden, UK) and APAC (China, India, Japan, Korea, Taiwan). The interviews were conducted online in April 2023 using an email invitation and an online survey.
Notes on regulation
The UK’s new Product Security and Telecommunications Infrastructure Act 2022 (PSTI) will take effect on 29 April 2024, and will require manufacturers to implement minimum-security standards on all consumer products with internet or network connectivity, such as smartphones, smart meters, CCTV cameras, smart speakers, games consoles, smart doorbells, and medical devices and wearables before they can be made available for purchase.
The new regime will not only apply to manufacturers, but also distributors, importers and authorised representatives, which effectively encompasses the entire supply chain.