PSA Certified report highlights significance of upcoming security regulation as 64% of businesses say it will have bigger ramifications than GDPR

Connected device security spend accelerates as three quarters (75%) of businesses report that security has become a bigger business priority in the last 12 months

7 in 10 aim to gain an edge over competitors by aligning early with upcoming regulation

Firms are taking action to increase security robustness and plug perceived skills gaps, and 53% view certification as key way to demonstrate best practice, a 21% year-on-year increase

CAMBRIDGE, England--()--The PSA Certified 2023 Security Report – now in its third year – today reveals how investment in connected device security has accelerated as upcoming legislation affecting the sector becomes more front of mind. It also reveals a noticeable difference from last year’s report in the extent to which industry customers and crucially consumers now demand it.

The annual barometer of industry perceptions and intentions around connected device security surveyed 1,240 technology decision makers worldwide, and found that three quarters (75%) of businesses report that security has become a bigger business priority in the last 12 months, and they are spending on average 15.3% more in security related areas in 2023 compared to 2022. The average spend per company on both continuous security investment and building security into products have both risen by 12%. Spending on external validation is also on the rise, with the spending on third-party lab testing and evaluation rising by 24% and spending on security certification by 14%.

Exploring the reasons behind the increased investment, a significant factor is the desire to align with upcoming regulation worldwide, particularly EU legislation, which will have a big impact on businesses both inside and outside the European Union. Around half (49%) of those asked globally are monitoring and actively trying to adhere to the EU Cyber Resilience Act, 40% say the same of the EU Radio Equipment Directive (RED) and 39% say the same of the UK Product Security and Telecommunication Infrastructure (PSTI).

Industry has reached regulatory crossroads: companies acting now to stay ahead of compliance

Regulatory compliance was cited as a top three priority by 75% of respondents. Despite the pain points associated with ensuring compliance, 71% welcome new regulation and 69% are aiming for ‘first mover advantage’ by aligning with regulation ahead of time to gain an edge over competitors. Particularly notable is that 68% think they are already ahead of what’s required.

To put this development into context, almost two-thirds (64%) of those surveyed say they consider upcoming regulation, such as the EU’s Cyber Resilience Act, to be even more significant than GDPR (The EU’s General Data Protection Regulation, which has had a major impact on how data is shared globally). Referencing again the pull of consumer demand for more assurance over the security of connected devices, 65% of businesses think regulation will positively impact their bottom line.

However, uncertainty remains, as 69% of business leaders in the space say regulation still needs better definition and 64% say they need more guidance on how to comply.

David Maidment, senior director, Secure Devices Ecosystem at Arm (a PSA Certified co-founder):

“As security standards and regulations have evolved, ensuring trust is built into devices is front of mind for industry leaders. The value of having certified security in trusted components has been firmly established, and businesses predict it will only increase once buyers see it become law. Consequently they are motivated to stay ahead of the curve and align with regulation now.”

There are also clear signs that buyers are becoming more savvy and demanding a higher level of security. Almost two-thirds (65%) look for security credentials when buying connected products as a consumer, and they are willing to pay more for it: over two thirds (69%) say they are happy to pay a premium for built-in security. From a business perspective, the main reason respondents see security as beneficial to the bottom line is increased public trust in the company leading to greater sales (64%). On the flip side of that, loss of customers is the outcome cited as having the greatest impact on respondents’ businesses if a product were to suffer a security failure (at 29%), above reputation damage (27%), cost of paying damages (19%) and regulatory fines (11%).

As a result, nearly all (96%) tech decision makers see device security as a benefit to the bottom line.

Maidment continues: “In PSA Certified’s last report, we called 2022 a turning point for connected device security, as it was becoming a key pillar of technology strategy. Awareness has only increased since then; this year’s report finds that customers now demand it. This is where the dial has really shifted: public engagement with the topic has grown, and as a result expectations of security standards have increased. Investment in security features, experts and certification is no longer optional and must be prioritized.”

Firms take action to prove security robustness, but more is required to ensure best practice

Organizations are also increasingly adopting robust security measures to reduce risk and liability. More than half of those polled say a security certification is useful in proving robustness to customers (53%) – a 21% year-on-year increase.

Currently, the major obstacle businesses feel they face in achieving best practice security is having the skills to implement it. Lack of security specialists (29%) and complexity (25%) were the top barriers cited to implementing stronger security.

With this in mind, businesses are moving to address the issue head on: a significant number of surveyed businesses plan on upskilling their current team on security skills (51%) and adding headcount (44%) in the next 12 months. While there is a need to upskill internal teams, it’s well-recognized that there is a shortage of security experts globally. So, it’s unsurprising, that 72% also recognize that industry-led guidelines and processes are key for helping the industry to scale resources and reducing the need for large security teams to be deployed.

Maidment comments: “These are positive signs for jobs and opportunities in the sector, but skills alone won’t solve the security threat. A scalable solution built with pre-certified trusted components combined with recognized standards and external testing are essential and there is growing industry consensus around this. The issue needs to be solved in a smarter, scalable way through the entire supply chain.”

Read the full report at https://report.psacertified.org/

****

Notes to editors

The core findings in this report were drawn from a survey conducted among 1,240 technology decision makers and consultants in North America (Canada and US), Europe (Denmark, France, Germany, Italy, Netherlands, Norway, Sweden, UK) and APAC (China, India, Japan, Korea, Taiwan). The interviews were conducted online in April 2023 using an email invitation and an online survey.