The Future of IoT Security: Conversations from CES 2025

Catch Matt's CES25 talk on how IoT security regulations like the CRA & Cyber Trust Mark are driving change, automation, & proactive security strategies.

Finite State Team


January 15, 2025

At CES 2025, Transforma Insights' founding partner Jim Morrish sat down with Matt Wyckhouse, founder and CEO of Finite State, to discuss the rapidly evolving landscape of IoT security regulations. Their conversation revealed how new regulatory frameworks are transforming the connected device industry, driving meaningful improvements in security standards, and redefining best practices.


The New Era of IoT Security

The IoT industry is entering an exciting new chapter of enhanced security and trust. During the interview, Matt Wyckhouse highlighted how global regulators are collaboratively establishing comprehensive security frameworks that benefit both manufacturers and consumers. 

These frameworks, led by initiatives like the EU Cyber Resilience Act (CRA) and US Cyber Trust Mark, are creating a unified approach to device security that transcends geographical boundaries. Industry players of all sizes — from innovative startups to tech giants like Google and Amazon — are embracing these standards to build more secure and reliable connected devices. 

Key Regulatory Requirements

The new regulatory landscape introduces several critical requirements for device manufacturers:

  • Generation of Software Bills of Materials (SBOMs) in machine-readable formats
  • Structured vulnerability reporting with defined response times
  • Mandatory minimum 5-year device support periods
  • Clear end-of-life and contract requirements

These requirements represent a significant shift from previous practices, forcing manufacturers to take a more structured approach to security throughout their products' lifecycles and rethink traditional development and maintenance strategies.

The Automation Imperative

One of the most interesting insights from the conversation was the crucial role automation plays in achieving compliance. As Matt Wyckhouse pointed out, the complexity of modern IoT supply chains combined with the frequency of software updates makes manual compliance tracking virtually impossible. This is where companies like Finite State come in, offering automated tools for SBOM generation, vulnerability detection, and compliance monitoring that become the cornerstone of scalable and sustainable IoT security practices.

Moving from Reactive to Proactive Security

Perhaps the most valuable takeaway from the discussion was the emphasis on transitioning from reactive compliance to proactive security. While many organizations initially approach regulations from a compliance-first perspective, the key to success lies in "shifting left" - implementing security measures earlier in the development process and spreading security responsibilities throughout the organization. This proactive approach not only simplifies regulatory compliance but also mitigates risks earlier, fostering long-term resilience against cyber threats.

Looking Ahead

The interview at CES 2025 made it clear that IoT security regulations are not just another bureaucratic hurdle - they're driving a fundamental transformation in how we approach device security. As these regulations continue to evolve, manufacturers who embrace automated tools and proactive security measures will be best positioned to succeed in this new regulatory environment.

The industry is on the cusp of a positive transformation, one that promises better protection for end users and a more structured, globally aligned approach to IoT security. Don’t get left behind! 

Ready to implement automated security tooling? Book a demo to discover what Finite State has to offer. 

The Finite State team brings together experts in cybersecurity, embedded systems, and software supply chain risk to help connected device manufacturers secure their products and comply with evolving global regulations.
