In a rapidly shifting landscape where connected devices underpin everything from automotive systems to industrial control and healthcare equipment, ensuring security and compliance is no longer optional.
On May 7th, I joined a compelling discussion with Beecham Research and Aeris, unpacking the latest challenges and strategies in IoT cybersecurity. Here are the key takeaways—and why they matter for organizations navigating the complexities of software supply chain security.
1. Global Regulations Are Raising the Bar
Governments across the globe are tightening compliance expectations, with frameworks like the EU Cyber Resilience Act (CRA), CE RED, and the U.S. Cyber Trust Mark reshaping product development priorities. A central theme in our discussion was how regulatory momentum is accelerating faster than many manufacturers can adapt.
I emphasized that organizations need to move beyond checkbox compliance and invest in continuous visibility across their software supply chains. With shifting enforcement timelines and penalties for non-compliance, early preparation isn’t just advantageous—it’s essential.
“You can’t secure what you can’t see. Without a living SBOM strategy, companies will always be behind.”
2. Device Insecurity Is a Business Risk, Not Just a Technical One
We agreed during the panel that cybersecurity is no longer just an engineering or IT issue. Insecure devices now directly impact enterprise risk, including financial exposure, brand reputation, and regulatory liability.
Connected product security must be embedded into the business strategy, not bolted on as an afterthought. Manufacturers who ignore the security of their embedded software and third-party components risk long-term fallout.
3. Visibility and Collaboration Are the Foundation
Another key theme was the importance of visibility across every layer of the device stack—from source code and open-source dependencies to firmware and cloud APIs. The discussion highlighted how manufacturers often lack unified tools to manage this complexity.
At Finite State, our approach centers on transparency, automation, and collaboration:
- Automatically generate and manage SBOMs for any software or firmware
- Correlate vulnerabilities from over 200 sources
- Integrate security insights into DevSecOps workflows
These capabilities empower cross-functional teams to make risk-informed decisions throughout the product lifecycle.
4. Secure-by-Design Requires Expert-Led Guidance
We also explored the need for security leadership at the design stage. It’s not just about tools; it’s about embedding secure development principles from the start.
This is where Finite State’s policy-driven consulting and secure SDLC guidance add value—from virtual Chief Product Security Officer (vCPSO) support to independent security validation services.
“Secure-by-design isn’t a buzzword. It’s a survival strategy.”