Finite State Blog

Building Resilient IoT Products in an Era of Escalating Risk

Written by Finite State Team | Jun 26, 2025 10:30:37 PM

Cyber threats targeting IoT ecosystems are not just increasing—they’re evolving, scaling, and demanding more of device manufacturers than ever before. Security can no longer be an afterthought or bolt-on feature. It must be designed, enabled, and expected by default. And increasingly, it’s demanded by regulators, enterprises, and markets.

In this post, we explore how the principles of security by design, default, and demand are converging to redefine the expectations for connected product security. These concepts were powerfully articulated in a recent IMC panel discussion featuring Finite State CEO Matt Wyckhouse, now available on-demand.


Security by Design: Embedding Resilience from Day One 

Security by design starts with a clear understanding of a product’s intended functionality and a commitment to ensuring the device can do only that. Manufacturers reduce attack surface and simplify long-term maintenance by limiting complexity and eliminating unnecessary components: network services nothing depends on, debug and diagnostic interfaces left over from development, and libraries that ship in the image but are never called.


As Matt Wyckhouse noted during the panel, "With an IoT device... you can actually strip away a lot of the attack surface and design it to do the thing that it needs to do and nothing else." This approach strengthens security and aligns naturally with regulatory expectations around secure product development practices and supply chain transparency.

Finite State enables this by performing deep binary and source code analysis across all types of firmware, from monolithic embedded systems to complex containerized edge platforms. These capabilities give manufacturers unmatched insight into the software running on their devices and the ability to take proactive security actions early in the SDLC.


Security by Default: Hardening “Out of the Box” 

Building security into the product is only the first step. Secure configuration cannot be left to chance: security features and settings need to be enabled by default, designed with the user experience in mind, and functional when the device ships, so that it provides protection and reduces risk out of the box rather than only after a careful operator has configured it.

Security by default ensures that best practices like encryption, secure boot, and credential hygiene (no shared or hard-coded default passwords, and no usable login until the owner sets one) are not left to optional configuration. As Wyckhouse emphasized, “setting secure defaults, like encryption, like not having hard-coded default credentials,” is key to reducing the likelihood of exploitation.

Finite State’s policy enforcement features allow teams to define, validate, and enforce security defaults automatically, integrated with CI/CD workflows and across entire product lines. Our findings triage and remediation workflows help teams prioritize what matters most while maintaining audit readiness.
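As an added example that is not Finite State's code and not part of the original post, the script below turns the defaults named above (no shipped credentials, no cleartext telnet, no password-based SSH login, TLS on for the web UI) into checks over an unpacked firmware root filesystem and gates on them, the kind of rule a CI pipeline would run on every build. The file paths, sample file contents and rule set are constructed assumptions for illustration; a real image would be walked on disk after extraction rather than modelled as a dict.

```python
"""Secure-default policy checks over an unpacked firmware root filesystem.
Added example, not Finite State's code. Assumes the image is already
extracted to a file tree; here the tree is a constructed dict of
path -> file text so the checks run offline on sample data."""
import re
from typing import Dict, List

# Constructed "as shipped" rootfs that breaks every rule in the policy.
INSECURE_ROOTFS: Dict[str, str] = {
    "/etc/shadow": (
        "root:$1$saltsalt$wR3M6HBcRcaVsWDHnHlBr/:19000:0:99999:7:::\n"  # md5crypt hash
        "admin:EIxTAh.Hfw8/.:19000:0:99999:7:::\n"                      # DES-crypt hash
        "guest::19000:0:99999:7:::\n"                                   # empty password
        "daemon:*:19000:0:99999:7:::\n"                                 # locked, fine
    ),
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/login\n",
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\n",  # PasswordAuthentication omitted
    "/etc/lighttpd/lighttpd.conf": 'server.port = 80\nssl.engine = "disable"\n',
}

# Constructed rootfs after hardening: accounts locked until the owner sets a
# password, no telnet, key-only SSH, TLS on for the web UI.
HARDENED_ROOTFS: Dict[str, str] = {
    "/etc/shadow": "root:!:19000:0:99999:7:::\nadmin:!:19000:0:99999:7:::\n",
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n",
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n",
    "/etc/lighttpd/lighttpd.conf": 'server.port = 443\nssl.engine = "enable"\nssl.pemfile = "/etc/lighttpd/server.pem"\n',
}
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def check_credentials(shadow: str) -> List[str]:
    """Any non-locked password field is a credential the device ships with,
    whatever the hash strength: that is a hard-coded default credential."""
    findings = []
    for line in shadow.splitlines():
        if not line.strip():
            continue
        user, pw = line.split(":")[:2]
        if pw.startswith(("*", "!")):
            continue  # locked: no password can match this field
        if pw == "":
            findings.append(f"{user}: empty password field, login needs no credential")
        elif pw.startswith("$"):
            algo = CRYPT_IDS.get(pw.split("$")[1], "unknown crypt")
            findings.append(f"{user}: shipped {algo} password hash (hard-coded default)")
        else:
            findings.append(f"{user}: shipped DES-crypt password hash (hard-coded default)")
    return findings


def check_telnet(inittab: str) -> List[str]:
    """Telnet is cleartext; init must not start it on a shipped image."""
    return [f"inittab starts telnet: {ln.strip()}"
            for ln in inittab.splitlines() if re.search(r"\btelnetd\b", ln)]


def check_sshd(sshd_config: str) -> List[str]:
    """Parse sshd_config, applying OpenSSH's own defaults for absent directives
    (PasswordAuthentication defaults to yes, so omitting it is still insecure)."""
    directives = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            directives[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    findings = []
    if directives["permitrootlogin"] == "yes":
        findings.append("sshd: PermitRootLogin yes")
    if directives["passwordauthentication"] == "yes":
        findings.append("sshd: PasswordAuthentication yes (explicit or omitted)")
    return findings


def check_tls(lighttpd_conf: str) -> List[str]:
    """lighttpd serves plaintext HTTP unless ssl.engine is explicitly enabled."""
    m = re.search(r'ssl\.engine\s*=\s*"(\w+)"', lighttpd_conf)
    return [] if m and m.group(1) == "enable" else ["lighttpd: TLS not enabled, web UI is plaintext HTTP"]


# Policy: file path -> check on its contents. A missing file is treated as
# "service not present" and skipped; a stricter policy could require it.
POLICY = {
    "/etc/shadow": check_credentials,
    "/etc/inittab": check_telnet,
    "/etc/ssh/sshd_config": check_sshd,
    "/etc/lighttpd/lighttpd.conf": check_tls,
}


def run_policy(rootfs: Dict[str, str]) -> Dict[str, List[str]]:
    """Findings keyed by the file that produced them; files with none are omitted."""
    results = {}
    for path, check in POLICY.items():
        findings = check(rootfs[path]) if path in rootfs else []
        if findings:
            results[path] = findings
    return results


def passes(rootfs: Dict[str, str]) -> bool:
    """The CI gate: True only when no secure-default rule fires."""
    return not run_policy(rootfs)
```

The credential rule is deliberately stricter than "no weak hashes": a strong hash of a shipped password is still a default credential, so the gate only accepts locked fields. The sshd rule shows why checks must apply the daemon's own defaults rather than grep for explicit settings, since a config that never mentions PasswordAuthentication is the same as one that enables it.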


Security by Demand: A New Market Expectation 

What was once a competitive differentiator is quickly becoming a prerequisite. Enterprises, governments, and regulators are increasingly asking vendors to prove their security posture through software bills of materials (SBOMs), Vulnerability Exploitability eXchange (VEX) documents that state which listed vulnerabilities actually affect the product, and independent validation.

Panelist Zee Hussain summarized this shift as "security by demand," a term that reflects how customer pressure is now a driving force for security assurance. Regulatory frameworks like the EU Cyber Resilience Act, the cybersecurity requirements of the EU Radio Equipment Directive (CE RED), and the U.S. Cyber Trust Mark are further codifying these expectations.

Finite State helps device makers meet these demands with:

  • End-to-end SBOM lifecycle management
  • Continuous vulnerability and compliance monitoring
  • Penetration testing, secure SDLC consulting, and remediation validation
  • Documentation tailored for compliance and enterprise assurance


Building Toward a More Secure Future 

Adopting secure-by-design and secure-by-default principles—and responding to demand for verifiable security—requires more than tools. It is a paradigm shift. It requires treating product security as a continuous practice throughout the full product lifecycle, not a bolt-on feature or a development phase.

At Finite State, we help organizations operationalize these principles at scale, across global product portfolios, and in alignment with evolving regulations.


Watch the Full Panel Discussion

Learn more about these principles in action by watching the full webinar here.