The Value of Staying “Ahead of the Curve” on Connected Security

When Arm first launched PSA Certified in 2019, we wanted to guide the industry through one of the greatest challenges to deploying intelligence at scale: connected device security. With hacks increasing every day alongside the value of data, we could see that connected device security was paramount.

There is a desire from the Arm ecosystem to do the right thing, and proactively build security into these devices to provide three clear benefits:

1. Give the ecosystem confidence in device security, which enables them to deploy at scale and realize the true benefits of the ongoing digital transformation.
2. Help make the devices of tomorrow more secure, which protects the data and wellbeing of businesses and consumers.
3. Help our partners gain a competitive advantage with greater security providing “added value”, while also staying ahead of the curve of global regulation.

While we still have a long way to go on the PSA Certified journey, 2023 represents a very different world to 2019. We have an ecosystem with a common, agreed definition of security best practice, which includes building connected devices on a Root of Trust – a fundamental part of the chip that is responsible for all secure operations. We have a large catalogue of Arm-based PSA Certified products, all choosing to put security-first. And, finally, we have an industry that is better equipped to tackle global regulation.

However, PSA Certified is more than just Arm. There are nine board members comprising of industry leading cyber security labs and an evaluation body who meet weekly to discuss security trends and what might be needed from a framework and certification perspective. Our annual PSA Certified Security reports serve us with vital market data on the security challenges being faced by the ecosystem and what we can do to help.

The PSA Certified 2023 Security Report

With each annual PSA Certified Security Report, I’m always encouraged by what I see as the natural evolution of security in the minds of the tech industry and beyond. The PSA Certified 2022 Security report found that connected device security is now a vital supporting pillar of companies’ overall technology strategy. However, from the recently published PSA Certified 2023 Security Report, it’s clear that connected device security has evolved to a point where the actual customers using the devices are now demanding it. Security expectations have undoubtedly changed since last year.

As a result, we’re seeing increasing investments which assist businesses making secure devices, and testing device robustness with security certifications worldwide. The customer is now creating pull for companies to do even more. In fact, companies are keen to be seen as first movers, not just to stay ahead of upcoming security compliance and regulations, but also to gain a commercial advantage.

Strong awareness of upcoming regulation

Governments worldwide now see device security as a critical national security issue and are naturally looking to regulate the space. Strong awareness of these upcoming regulations is reflected in the survey results, with 75 percent of respondents citing regulatory compliance as a top three priority. The potential impact of new device regulation, like the EU Cyber Resilience Act, was not lost on respondents, with 64 percent stating that this would be more significant than GDPR.

Early compliance to gain commercial advantage

While new regulations are often seen as a pain point for many companies, the survey actually revealed that 71 percent of respondents welcome them. In fact, 69 percent are aiming to be a “first mover” and align with the new regulations ahead of time to gain an edge over competitors. Security means trust, with nearly all (96 percent) respondents believing that this has a positive impact on their bottom line, be that net income, net earnings or net profit. 64 percent of those surveyed even said that better security increases the likelihood of customers trusting their company and buying their products.

To me, this is very encouraging. Connected device security is clearly seen as providing “added value” to companies from a commercial perspective. Rather than waiting for compliance to arrive, companies are moving early to stay ahead of the security curve. In fact, 68 percent of respondents think they are already ahead of what’s required.

The wider commercial advantage of connected security is supported by findings around security certification. Over half of respondents (53 percent) consider security certification to provide robustness to their customers, which is up 21 percent year-on-year. Security certification is now an essential part of the customer purchasing decision.

Customers increasingly looking at security

The desire to stay “ahead of the curve” was not only being led by companies, with customers influencing commercial decisions. The survey revealed that 65 percent of buyers now look for security credentials when choosing connected products as a consumer. Meanwhile, 69 percent say they are happy to pay more for products that have security built-in. This supports the notion that security is providing added commercial value to companies.

Increasing security investments

The strong commercial commitment to security is reflected in the survey where respondents stated that their own security investments are increasing. Businesses are spending on average 15.3 percent more in security related areas in 2023 compared to 2022. Additionally, the average spend per company on both continuous security investments and building security into products has risen by 12 percent. Investments into external validation are also on the rise, with third-party laboratory testing and evaluation rising by 24 percent and spending on security certification by 14 percent. 

But some challenges remain….

The complexity of security remains an ongoing challenge for the industry and is one of the top barriers for companies. This was reflected in responses to the new security regulations where, despite the majority embracing them, there is still uncertainty about what they entail. More information about the new regulations coming into force worldwide is needed, with 69 percent saying that these need to be better defined and 64 percent saying that they need more guidance on how to comply.

At Arm, we believe that this ongoing complexity and uncertainty can be reduced through combining trusted hardware with recognized standards and external testing throughout the IoT supply chain. We support our partners to deploy security at scale by ensuring our products help them to meet PSA Certified requirements.

Alongside complexity, commercial challenges around security still exist, particularly around skill shortages. Companies are sometimes struggling to find and hire the right talent, with this being felt more by smaller businesses. However, encouragingly, a significant number of companies surveyed are planning to upskill their current team (51 percent on IoT security skills) and also add headcount (44 percent) in the next year.

Moreover, while it was encouraging to see investments growing in connected security, not all businesses, particularly smaller-sized ones, are able to invest this confidently. Perhaps unsurprisingly, security spend increases with company size, with smaller businesses unable to commit as robustly to further security investments.

The shift in connected security

As ever, the PSA Certified Security report aims to give various insights into the current state of play with connected device security worldwide. The PSA Certified 2023 Security Report shows that connected security is moving from just being an internal company strategy to something that is recognized as increasingly valuable by customers. There is true commercial value attached to producing connected products that have security built-in. Companies also see great value from being ahead of the curve on upcoming regulations, which will undoubtedly create global demand for all connected devices to have consistent certified components built on the latest standards.  

These findings ultimately show that the technology ecosystem is fast adopting security best practice. We believe that ensuring security is baked into devices proactively, gives the industry confidence that they can trust devices and services. This confidence enables digital transformation at scale across all markets, leading to a more secure future.  

Common standards combined with established Root of Trust in hardware will democratize security access to all sectors, even for businesses that are struggling to access the right talent and skills or invest confidently. As a first step, exploring a collaboration-based security framework and certification scheme – such as the one crafted and guided by PSA Certified – offers a consistent approach to creating trusted components. This is an essential component in democratizing security best practices throughout the connected device ecosystem.