The Device Security Manifesto
Having worked with numerous manufacturers, vendors, operators and service providers in the connected device space around the world, it has become crystal clear to the Vdoo team that the entire sector is long overdue for a serious shake-up. In fact, we believe that if device security does not become a strategic priority for the entire ecosystem, the market will soon come to a tipping point where the situation will become uncontrollable. This realistic scenario presents multiple and inevitable risks for manufacturers and users alike – negatively impacting many aspects of their business from their reputations down to their bottom line.
The number of attacks on connected devices surged 300% in 2019 alone. We can only imagine the effect if they all succeeded in compromising device functionality and availability, or even rendering hundreds of thousands of devices completely useless. It’s no surprise then that end-users from across multiple verticals are quickly becoming aware of these issues. In fact, according to a Bain report 45% of enterprise customers limit their investment in connected devices due to concerns about security risks, and 93% of executives would buy an average of 70% more devices and pay 22% more for them if manufacturers provided better security.
The bottom line is that every company that develops, manufactures, supplies, distributes or operates connected devices needs to acknowledge the fact that in the eyes of their customers, shareholders and the media, as well as the relevant regulatory agencies, they are fully responsible for the security of their connected products. In addition, due to the nature of connected devices, they remain liable for their security regardless of whether they developed the entire product in-house or sourced certain components from a third party through their supply chain.
The next step is for these companies across all verticals to recognize that device security has become a strategic imperative for them. The only way they can win in the long-term is to ensure that all their connected devices, across all business units and product lines, provide optimal security at all times regardless of where they are in the product lifecycle.
Even for companies with expert product security teams, reaching this goal by quickly integrating and ramping up device security at scale can seem like a huge investment in terms of time, budget and people. But the required effort looks far less challenging when you break it down into the ten tasks listed below, which together cover everything you need to do to achieve your device security goals.
The 10 Key Steps to Ensuring Device Security
1. Establish device security as a strategic, long-term, must-have project
Stop thinking about device security as a short-term, reactive task that is required solely to resolve specific product or customer-related issues at a single business unit or product line.
Instead, approach it proactively as a strategic long-term imperative across all business units and product lines that has become a must-have project due to supply chain limitations, risk management needs, regulatory requirements and customer demand.
2. Make executive decisions to be carried out by an expert device security team
Stop addressing device security as a sporadic effort that can be handled differently across various parts of the organization, with each business unit typically only having access to more basic security processes and knowledge.
Instead, create a corporate product security initiative to coordinate device security activities across the entire organization. This cross-functional team should have three main goals: establish a coherent device security strategy, ramp up the company’s device security capabilities, and centralize the device-related decision-making process. They need to become the go-to focal point for device security expertise across the company, giving every product team access to the specialized know-how, recommended security processes, and automated technologies that are required to properly implement a device-centric approach at the product level.
3. Provide all relevant employees with access to device security information
Stop making device security information accessible only to the more technical people at the manager, developer and architect level, especially since each of them typically has a different view of the open security issues depending on the specific solution they happen to be using.
Instead, make sure that the security profiles for all product lines are visible to everyone across the organization – from the C- and VP-level business executives all the way through the product security, compliance and technical teams. This should include actionable insights based on internal and external benchmarks for security profiles so that best practices and recommended solutions can be shared across the organization, enabling cross-company collaboration and learning.
4. Build up sufficient internal device security resources and expertise
Stop thinking of device security as secondary to IT security needs. It is just as critical, and treating it as secondary usually means that devices end up being far more vulnerable.
Instead, since devices mandate a new way of looking at security, companies need to make sure their security experts have the appropriate experience and expertise they need to ensure the security of embedded devices and connected products.
5. Create a dedicated product security budget as a business enabler
Stop making people scrounge around for leftover money from discretionary development budgets when they need to handle device security issues. This only leads to important security decisions being made with a cost-center mentality, based on how they would impact product timing, functionality and prices.
Instead, provide dedicated device security budgets that are approved at the C-level as strategic business enablers by the corporate device security team. These budgets should be assigned during the planning process to specific product security line items with the idea that they can create new business opportunities for the company as a whole.
6. Eliminate the patchwork of unsynced point solutions used across the company
Stop using multiple point solutions, including both automated technology solutions such as software analysis (SBOM, SCA, SAST and DAST), vulnerability assessment, run-time protection and real-time monitoring, and security services such as manual penetration testing, threat intelligence data feeds, security architecture consulting and other managed services. Having to manage all these solutions is a waste of time and a drain on resources, not to mention that they cannot be synced with each other and with existing processes without extensive integration efforts.
Instead, start using a single integrated platform that provides all the capabilities needed to ensure optimal security, which will help maintain coherent standards across multiple product lines and business units. This will save time, cut costs and reduce the need for specialized resources so that teams can keep within business constraints such as product release deadlines, product functionality requirements and budget limitations.
7. Stop using existing IT security solutions for device security
Stop taking shortcuts to device security by using tools that were designed for IT security and software development. While it may be easier to work with known solutions, the broad range of device types, operating systems, components, attributes and technologies means that there is no one-size-fits-all device security solution. Existing solutions for endpoint or software security are simply insufficient to fully address the challenge of device security, since they weren’t designed to deal with issues such as low-level programming, closed systems, real-time OSs and more.
Instead, look for solutions that were designed from the ground up for device security, since only they can address each device in the context of its specific configuration and implementation, and provide the high-quality device-specific prioritized results required to ensure that the right security issues are mitigated at the right time.
8. Secure devices across their entire lifecycle
Stop addressing device security at only one step of the device lifecycle, thinking that handling the rest can wait until later in the process. It is very difficult and costly to resolve issues after devices have been deployed in the field, so the resulting costs can pile up when serious issues need to be resolved across the entire install base or when regulatory agencies do not approve devices due to their lack of compliance.
Instead, continuously address security issues at every step of the device lifecycle – from the initial design and development phases and all the way through to deployment and maintenance.
9. Gain control over the security provided by the software supply chain
Stop ceding control over device security to complex vendor supply chains. Companies tend to become dependent on the security provided by their vendors and end up having to chase them for patches which then need to be manually implemented.
Instead, gain visibility into and control over the security of all third-party hardware and software components in order to minimize the monetary risks that come from including them in devices.
10. Focus on device security without neglecting time-to-market, functionality and costs
Stop focusing on time-to-market, cost-to-market and functionality while doing the minimum required for security verification. While this may minimize direct costs in the short term, it significantly increases the monetary, legal, compliance and reputational risks, which can cost companies far more in the long term when security issues surface and invite malicious attacks.
Instead, despite ROI models, slim margins and strict constraints, companies need to spend more time, resources and budgets establishing device security processes by working them ahead of time into their launch plans and budgets.