We Don’t Want IoT Cybersecurity Regulations


It simply makes no sense to call for IoT devices to be certified safe-and-secure.  Before you get bent out of shape, hear me out. 

Regulations are unwieldy blunt instruments, best left as a last resort.  Cybersecurity regulations are not nimble, tend to be outdated the day they are instituted, and become a lowest-common-threshold for an industry to follow.  This stifles security innovation and the application of best practices.  On the upside, regulations do force industries that have ignored basic security practices to meet a common standard.  But history has shown those industries rarely go any farther than the regulatory requirements.  Look at the data breaches we see in the news every week: almost all of those organizations are compliant with regulations, yet they are losing data records by the billions.  Compliance does not equal security!

Yet some are pounding the government drums, advocating for IoT certification regulations.  I find their beliefs to be shortsighted and premature.

Regulations are definitely needed in some situations, but only for narrow applications to accomplish specific goals.  Protecting privacy of children online, securing sensitive healthcare records, or requiring controls around credit card transactions are all codified to some extent in regulations.

I am a passionate security advocate, some would even go so far as to say a fanatic, but I don’t like this idea of requiring IoT devices to be certified safe and secure.  It is simply too broad and undermines the economic model which is driving rapid innovation. 

We don’t require such certification for phones, tablets, personal computers, or servers.  So why would anyone think requiring certification for low powered IoT devices is a good strategy? 

Certification adds significant costs and time to product development.  IoT devices are emerging for a vast variety of uses and tend to be less expensive than fully-featured computing systems.  The scale of validation is another problem, as the number of IoT devices will soon exceed 50 billion.  The process to determine who will certify entirely new classes of devices, and what criteria will be accepted, is a political nightmare.  Operationalizing such requirements at that massive scale will be expensive and chaotic.  The bureaucracy and costs will add tremendous friction to the market, pushing out many companies and products. 

There is no doubt IoT needs significantly more security, but recommending overly broad regulations is very premature and likely damaging to everyone that benefits from smart devices.  There are many other options and solutions that could deliver much better protection at a lower cost and not catastrophically impede innovation, competitiveness, and healthy market cycles.  Establishing standards and best practices for design and validation is a great start.  Driving consumers to recognize and value secure designs creates a competitive advantage that pushes manufacturers to challenge each other.  Open bug bounties, public security research, and sharing of penetration testing certifications would drive better processes for the IoT industry.

If such practices fail to be adopted or are not sufficient, then we should discuss regulation.  But first, we must pursue more optimized avenues to establish safety and security in partnership with the IoT industry, so the ecosystem can become more adaptable to evolving threats, support innovation, and be trustworthy for the benefit of all users.  Let us not rush to a model of inflexible regulations, as they should only be considered as the last option.


Interested in more? Follow me on LinkedIn, Medium, and Twitter (@Matt_Rosenquist) to hear insights, rants, and what is going on in cybersecurity.

CISO and Cybersecurity Strategist