Product security concerns have cost real dollars to nearly six of every ten organizations surveyed by the Ponemon Institute in 2021. 


Increasingly, product security concerns are influencing the buying decisions of companies looking to purchase connected devices—and those concerns can materialize into lost sales and hits to your bottom line. In its 2021 survey of over 600 IT security professionals, the Ponemon Institute learned that 59% of organizations report losing sales because buyers have been concerned about product security. 

The connection between product security and the sales that feed the bottom line has never been clearer. Here are six ways that product security affects the financial performance of your company:

 

1. Product Security Has Become Part of the Buying Decision

Ignore product security and risk losing sales. Buyers are adding product security to the checklists they use to make their buying decisions and they’re increasingly pressuring sales teams to show that products are secure. Those sales teams, in turn, are pressuring product security teams. 55% of respondents to the Ponemon report say that sales teams now want product security teams to attest to the security of their product so they can, in turn, present that attestation to customers. 

Software Bills of Materials (SBOMs) can show buyers exactly which components make up a product when they buy it and can provide peace of mind down the road when stakeholders want to see whether their product is susceptible to a newly discovered vulnerability.

 

2. Product Security Influences a Manufacturer’s Reputation

Buyers are now realizing that if they buy a cheap, off-brand connected device, they may also be buying into a list of security risks. Product security costs money, but when a buyer compares proposals for a set of security cameras, for example, they increasingly weigh each manufacturer’s reputation before they begin the purchase order process.

A manufacturer’s reputation may serve as a buyer’s first indicator regarding a product’s security and whether it can be trusted. “Firmware is sometimes not able to be updated by consumers/customers,” Deloitte stated in a recent whitepaper. “... Organizations today have an expectation to produce secure products off the assembly line.” 

 

3. Product Security: More than an Expectation, It’s Often the Law

Product security has entered into the strategic discussions of enterprise and industrial organizations, especially in the energy sector, critical infrastructure, and others directly linked with national security. The very rigorous assessment processes for product security, in place already, promise to become even more strict with time.  

In some cases, product security has become a focus of legislative efforts, such as in new and upcoming regulations like EO 14028, NERC CIP 013, IEC 62443, WP.29, and others, which mandate security standards. Additionally, awareness of licensing risks for open-source inputs is growing as legal departments press to understand the components of a company’s products and their licensing requirements and exposures.

Those complex, and sometimes opaque, supply chains challenge businesses whose customers demand proof of product security and look to product manufacturers to be both knowledgeable of and proactive about compliance requirements.

 

4. Embedded Device Technology Is Proliferating

At Finite State, whether we’re talking with stakeholders in healthcare, connected vehicles, government, enterprise, or energy and utility, we see the same picture in every network. A growing percentage of products contain embedded components, and the role of these devices in critical applications becomes clearer and more common with each new year.

As IEEE Spectrum points out in a June 2021 article, the number of microprocessor-based electronic control units (ECUs) in a car has grown from 100 in the high-end cars of 2011 to 150 or more today. The once-luxury features supported by those millions of lines of code have found their way even to today’s low-end vehicles, which may now have as many as 100 ECUs themselves.  

 

5. Product Security: A Differentiator

Enterprise security teams often have no control over what’s going on inside an embedded device, where you can’t install endpoint security. That’s one of the critical differences between embedded devices and more traditional endpoints. But, embedded devices still live on networks just like any other device—like a laptop or a server. 

Because enterprises can’t look inside embedded devices and see if they’re under attack, they’re forced to do more evaluations upfront—and exert more pressure on device manufacturers to prove that they’ve implemented adequate product security measures. When device manufacturers can provide that peace of mind, product security can rapidly evolve into a differentiator.  

 

6. Invest in Product Security Now. Save Costs Later

Shifting left in your product security, or investing in security earlier in the development lifecycle, can help reduce costs later. Being proactive can not only save your organization time and resources, but can also greatly reduce the risk of vulnerabilities being present later in the development process or even after deployment.

The cost of remediation, damage to your reputation, and even fines for noncompliance can easily eclipse any savings realized by skimping on product security measures during the manufacturing process.

 

It Makes Sense to Invest in Product Security

The Finite State Platform helps organizations steer through the uncertainties of their road toward improving their product security. Whether you’re concerned about your connected device or its supply chain, our intuitive, automated platform provides the actionable insights you need to identify and begin to mitigate critical vulnerabilities and reduce your product security risks. 

Shrink your connected attack surface by shining a light into the connected devices that lie lurking and mysterious on your network. Let us help you make that next step toward improving your product security. Talk to the Finite State team today!