Survey Discovers Just 36% of Organizations Allocate Sufficient Resources to Product Security

COLUMBUS, Ohio — Oct. 13, 2021 — More than half (59%) of executives with cybersecurity decision-making responsibility at large and mid-sized companies say that their organizations have lost business due to product security concerns for connected devices and embedded systems, according to a new survey. The results highlight a growing need to strengthen supply chain security by securing connected devices, including those connected to the Internet of Things (IoT). 

Nearly half of respondents’ customers (45%) want detailed information about the components of their devices, but only 11% of organizations have high confidence in their ability to respond to those requests. The research, published today by Finite State, the product security leader for connected devices, was conducted by the Ponemon Institute.

The survey found that visibility is low into potentially impacted systems: only 27% of respondents say their organizations conduct software composition analysis (SCA) for all connected products’ software and only 30% say their organization can easily generate a software bill of materials (SBOM) for each product.

“Hackers are finding new ways to exploit IoT/connected device vulnerabilities, and this data shows the troubling realization that many organizations are not prepared,” said Matt Wyckhouse, CEO of Finite State. “It can be easy to overlook the risk, which many companies do until they face a breach or cyberattack. But, the data here shows that security concerns affect organizations’ bottom lines, and a more serious approach to protecting devices is imperative.”

Organizations are finding obstacles to developing secure products. Respondents point to a lack of resources (62%), lack of in-house expertise (60%), and lack of industry standards (46%) as main reasons they’re having trouble, and only 21% of respondents report that their organization has a security supply chain policy.


Other key findings include: 

  • Only half of respondents report that their organizations assess the security of its products before shipping to customers. 
  • There’s little consensus about who’s responsible for security, with 40% of respondents saying third-party vendors are most responsible, 31% saying it's the manufacturers, 15% pointing to end users, and 12% choosing the government.
  • 74% of organizations either have or plan to hire a Chief Product Security Officer (CPSO) within the next two years.
  • Only 10% of respondents report having full confidence their organizations know all vendors in the supply chain for each of its devices.

Read the full report on the survey’s findings.


About Finite State

Finite State empowers organizations to gain control of product security for their connected devices and supply chains. Backed by a team of seasoned experts, our automated product security platform arms our customers with the actionable insights, critical vulnerability data, and remediation guidance necessary to mitigate product risk and protect the connected attack surface. For more information, visit

Matt McLoughlin
Gregory FCA on behalf of Finite State
Phone: 610.996.4264