In this episode of the Futurum Tech Webcast, Interview Series, I’m joined by David Maidment, Senior Director, Secure Devices Ecosystem at Arm for a conversation about IoT security and why and how it’s so quickly become a priority for organizations. We’ll also touch on the role PSA Certified is playing on that front, as well as why 2022 is predicted to be a significant turning point for IoT security.
David and I discussed the what organizations are facing today when it comes to IoT security and what to think about when developing an IoT security strategy. Our conversation touched on the following:
- Why security is becoming more of a priority for organizations and leaders today, especially as it relates to the IoT.
- What the research shows about the biggest perceived threat to successful digital transformation (hint: it’s security) and how organizations can avoid the pitfalls of the past when it comes to digital transformation moving faster than security can keep up.
- How the industry can overcome, and is overcoming the barriers around cost and expertise that continue to stand in the way of best practice security implementation?
- The role that trust plays in the whole equation: trusted components, trusted partners, and the value of certification.
- A dive into PSA Certified, of which Arm is a founding partner, and what the organization strives to do for its partners, along with the important role the organization is playing globally as it relates to IoT security.
We talked about some personal highlights from PSA Certified’s newly released 2022 Security Report, which is linked here if you’d like a deeper dive (and we hope you do!).
You can watch the video of our conversation here (and subscribe to our YouTube channel while you’re there):
Or listen to my interview on your favorite streaming platform here:
Don’t Miss An Episode – Subscribe Below:
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Shelly Kramer: Hello and welcome to the Futurum Tech Webcast. I’m your host, Shelly Kramer. Today, we are talking about an increasingly relevant topic and one very near and dear to my heart, IoT security. My guest today is David Maidment, Senior Director Secure Devices Ecosystem at Arm. Hello, David. Great to have you.
David Maidment: Hi, Shelly. Thank you very much. Great to be here.
Shelly Kramer: This is a conversation I’ve been looking forward to all week. Some backstory here, to say that 2022 will signify a year of change for IoT security is not only accurate, I believe personally, that it’s a long overdue turning point with a number of connected devices expected to hit 55.7 billion within the span of about the next three years. A focus on security is no longer nice to have or when we get to it we’ll do it. Today, I believe that security, it’s a part of your business strategy and security should be a foundational part of that business strategy.
We’ve had all kinds of security alarms and alerts and things like that. It is cybersecurity should be on the top of mind for everyone, especially in the IoT space. David and I are going to talk today about what organizations are facing when it comes to IoT security and what’s involved in the development of an IoT strategy. David, let’s go. I can’t wait to dive into this topic.
David Maidment: Thank you. Looking forward to it. It’s a great and very relevant discussion. Maybe to give a bit of background and by way, of an introduction as well. I’m the senior director of the Secure Devices Ecosystem at Arm. Arm is a company that licenses intellectual property into the chip industry, into the semiconductor industry. We’re really at the heart of kind of digital devices, everything you can imagine, actually. It’s incredible this sort of utterly surrounded by miniature computers these days that’s really managing everything we do in our day to day lives. At Arm, what we kind of thought about and realized, actually, it was probably about five years ago is that security is at the center of compute.
Shelly Kramer: It is.
David Maidment: No matter where compute happens, security is the center of it. And so, five years ago we set up something called the platform security architecture. It’s a way of driving what we consider to be best practice in security. It’s a way of working with the chip industry in order to get them to design in to effectively trusted components security. We kind of live in a world where, I think with our laptops and our PCs and our phones, we’re used to security being a software update. It’s like, “Oh, I’ve got to download a patch. It’s a bit of a drag. I’ve been it for a few days and it keeps hassling me.” Actually, security is much deeper than that. The software update is critical, but actually the underlying chip architecture, the underlying computer chips where all of this software is running really plays a critical role in security. It’s the combination of the two. It’s the combination of hardware and software that’s really important.
On the back of that, we founded PSA Certified and we just had our third birthday. And so, my group within Arm is the sponsoring group of that activity and we founded it in an independent way. The whole market contributes. Arm is a co-founder. We steer that activity. We work with leading cybersecurity labs in order to drive certification and to validate best practice. A lot of information, we can come on to talk about some of that, but I think to answer some of the points that you’re mentioning at the beginning, first of all, 55 billion connected devices in a couple years is time, wow, that’s a huge number, 55.
Shelly Kramer: It is.
David Maidment: But maybe as a counter to that, there are estimates that cybercrime damages will be over $10 trillion by 2025. You’ve kind of got this growing the number of connected devices, but also growing that we call it an attack footprint, that ability for bad actors to compromise that for financial gain or political gain, or there’s lots of reasons actually why those things happen.
Shelly Kramer: And I think the thing that sometimes escapes people is that when we talk about IoT security, and, of course, you and I are immersed in the cybersecurity space, we think about these things all the time, but in many instances, ordinary average people don’t and they think, “Oh, connected devices and that doesn’t really apply to me or whatever,” but the reality of it is we are all from a business standpoint and from a personal standpoint, surrounded by connected devices. We are immersed to some degree or another in a world driven by connected devices, whether it is the routers that we use at home, which are a huge entry point for threat actors, by the way, the printers that we use, our TVs, our refrigerators, our doorbells at home, in the workplace, all kinds of IoTs driven things in terms of temperature regulation and lighting in rooms and video conferencing systems and all that.
We are truly in… and, oh, by the way, we’re all walking around with an IoT connected device right here. We are all at risk all day, every day from a personal standpoint, from a business standpoint, and even extrapolated out a little bit more. I used to write about this a lot. I have 16-year-old twin daughters and I’ve been writing about IoT security for the last seven or eight years when I started seeing IoT connected toys, and the dangers that can present and the things that parents aren’t thinking about when they buy this cool little thing or this cool doll or whatever. It does touch all of us. It does present risk to all of us and from a business standpoint, it can present significant risk.
David Maidment: It can. Absolutely. I think what’s been happening is that over time, we’ve transitioned from what we would traditionally call a devices market, where you buy your device and the device is the product to a services market. The examples you were giving like in the consumer world, like your doorbell, or your [inaudible] or your children’s toys, those toys have connectivity inside, they connect to the cloud, they connect to a service, they share data, they consume data. And ultimately, what you’re doing is you’re protecting a service, at the end of the day.
By protecting that device, you are sort of effectively building in trust into the device, and as a consumer, I think that we are in a process of education at the moment so that consumers can understand that device that they’re allowing into their world, that they can trust it. They can trust how that device behaves. They can trust how the data is shared and consumed. And if you turn that round the other way from a business continuity point of view, without trust, you can’t scale the internet of things. You’re kind of building on sand without trust.
The thought that you are deploying a network with tens of thousands, probably millions of devices and that you are running a business, a service based on those devices, actually, it’s pretty simple to reach the conclusion that you need to trust those devices. First of all, you need to trust devices what you think it is, that it’s not somehow a spoof device that has found its way on the market. You need to trust that you’re talking to what you think you’re talking to that it hasn’t been intercepted, it doesn’t have malware on it, that you’re able to manage its life cycle. You can update its software. If something’s going wrong with it, you could perhaps remotely take it off the network in order to avoid risk.
There’s lots of good practice really that we, as the electronics industry, need to build into those products in order to allow those massive services to happen, which… Then new economies, we talk about digital transformation and actually is an extension to that. Everybody’s talking about the metaverse now as well and this idea that your physical world and your digital world interacts, that’s really at the heart of a lot of what we’re looking at with device level security. It’s kind of trust the device, trust the data, trust the service at scale. And of course, it’s not just consumer, that’s kind of the typical-
Shelly Kramer: Absolutely.
David Maidment: We’re looking at smart factories, you look at smart energies, smart grids.
Shelly Kramer: Smart cities, all of it.
David Maidment: Everywhere. It’s very similar themes that you have millions of devices connected to the cloud forming operations that are ultimately part of a much bigger service.
Shelly Kramer: Well, and speaking of, as we’ve extrapolated out and we talk about industry, we talk about utilities, critical infrastructure, cities and how a smart grid powers cities in many instances and then you step back and you read any news article anywhere and threat actors are targeting critical infrastructure the world over. And so, this is critically important. And I think that for me, there’s no such thing as too many conversations about this topic, and to get developers and organizations to understand that security must be foundational, security must be a part of everything that we build and we have to test and we have to retest. And I think that to me, we haven’t really touched much on PSA Certified yet, but to me, the beauty of what the PSA Certified group has done is that we’re making it easy for you. I mean, that’s what this is.
David Maidment: Exactly.
Shelly Kramer: That doesn’t mean that it’s simply a hit of an easy button, but it is when you’re involved in the PSA Certified organization and there’s certification steps that you can go through and there’s all kinds of education and you’re truly able to learn best practices from some of the biggest companies out there, working in this space, developing in this space, business leaders like you, who are immersed in this space. And so, you don’t have to reinvent the wheel and I think that, to me, is an important part of the message as it relates to IoT security and the value that PSI Certified brings to the table. It’s like, “We are doing the heavy lifting. Just work with us because it’s going to kind of change everything.”
David Maidment: You’re talking my playbook. It’s perfect. I don’t need any encouragement to talk about the benefits, PSA Certified and let me explain why. What you’ve touched on perfectly sets it up. It’s all about collaboration and that’s why I was at pains at the beginning to explain that although Arm is a co-founder, what we are doing is the whole of the market, the electronics industry. The electronics industry is fiercely competitive. Of course, it is. It’s a huge market, but actually, the electronics industry is also incredibly efficient at working collaboratively where it needs to, so that the market is better for everybody. And that’s exactly what we’re doing through PSA Certified. As I explained, it’s founded with six of the leading cybersecurity labs. We have Brightsite SGS. We have UL, Riscure. We have CAICT and plus ECSEC.
It’s global coverage of these big cybersecurity labs. The compliance is independently verified. It’s not Arm marking the homework, it’s independently verified through these labs. It’s all about collaboration. It’s about democratizing that security knowledge. We work with the biggest chip companies in the world. We have people like ST and the NXP and Infineon and Silicon Labs and the list goes on. We have huge chip companies that are all certified so we have close to 100 certifications now in the scheme after just three years and it’s ramping quickly.
Those companies deliver certified components into the market that people can build products with. And so, if you are a relatively small product developer, you can benefit from all of that security goodness into your product. It’s about collaboration. We’ve done a PSA Certified annual report where we look at the state of the market and we get a couple of very strong feedbacks and we can kind of drill into that, but most of the decision makers that we’ve interviewed have come back and said that digital transformation is moving quicker than IoT security and we can’t allow that to happen.
And also, they’re struggling to invest in security. What we’re doing is democratizing that ability to get access to security, so building trusted components with partners across the industry, getting them certified, and then making them available to OEMs who build those end products with their certifications and then deploy them into the market. That collaboration model is incredibly powerful and it’s a core part of the passion that… It’s a privilege to be actually working within that and driving it in that kind of ecosystem way.
Shelly Kramer: I love the PSA Certified report. And again, I’ll admit to being a data geek and a cybersecurity geek, but some of the things that came out of the report that resonated with me were things like 96% of survey respondents said that they were interested in an industry-led set of guidelines on IoT best practices. The desire for best practice guidance is high. I mean, we are at a time where we have higher competition, greater competition than ever before for tech talent. We are innovating at an incredibly rapid pace, and that’s not going to slow down any…
One of the things that I talk about with my colleagues is that as fast as it feels like that the last five years have gone, the next five are going to move even more rapidly. And so, to me, I thought that it was encouraging to see that respondents are saying, “We want this. We need this guidance.” And that was up the last time that PSA Certified did this report, that number was 84%. We’ve gone from 84% to 96%, which shows to me how overwhelmed people are.
I think another talking point that came out of the report that I thought was interesting is that 94% of the survey respondents said that they’re somewhat satisfied with the level of security expertise within the employees in their company. Somewhat satisfied is not we’ve got this, we’ve nailed it. don’t go to sleep at night and worry. And by the way, I can’t imagine the stress of being a CISO right now.
David Maidment: Exactly.
Shelly Kramer: And how much it would be, but only 31% of those respondents on that same question said that they’re very satisfied. There are concerns about in-house security expertise. It is still considered a very big barrier. The world economic forum estimated there’s a gap of more than 3 million security experts worldwide. And by the way, as a parent, I will tell you, I preach to my teenagers all the time. Please understand the opportunities that are available to you in technology.
David Maidment: Exactly. But if we unpack some of that, because there’s a lot of great statistics in there and it’s fascinating, because of the way that PSA Certified is structured, we are at the center of that devices industry. We have that ability with the electronics industry to go out and ask those kind of questions. And I think that what has come back is that that lack of security specialization is sort of in the top three barriers.
Shelly Kramer: It is.
David Maidment: That’s the feedback that we’re getting and that’s a problem. That’s a problem because you can’t… There’s several approaches to that I think. One is, obviously, education and that’s in terms of growing obviously the next generation of security status, but there’s a certain speed that that happens. The other is around this kind of democratization model that I’ve spoken about before, where the goodness that is developed by, for example, the chip industry is then shared with the rest of the industry.
I don’t know how easy that is for people to visualize that, but effectively, the way that the electronics industry is working is that you kind of have a few of the chip industry companies are able to invest heavily in that area and then make that available through their products that then the device manufacturers can then pick up and build into their end products.
And so, that democratization journey is very important. The way that we support that within PSA Certified is through the ability to reuse certifications. At the base of a device is your chip, your processor. Inside that processor, you have a Root of Trust. Just to be a little bit technical to explain to the audience, a Root of Trust is, at a very simple level, it’s where you perform all of your trusted on operations.
That could be that you store your secrets in there. It could be that you perform your cryptography in there. It could be that you sign your certificates to do your software updates in there. That part of the chip is very secure and it’s hardware protected and it’s built inside the chip. We certify that. It goes to a lab and PSA Certified gives us certification for that. Just by doing that, we give a language, we give a language, a way for people to discuss it, and a Root of Trust is already a language.
And then, the secure operations that it performs, the way that it’s measured, so we have a level one, level two, level three, depending on the level of robustness that you need. For example, does it have to protect against software attacks? Does it have to protect against hardware attacks where people can physically get hold of the device and tamper with it?
We’re giving the giving industry that language for them to be able to describe security. Security is a really hard thing to describe.
Shelly Kramer: It is.
David Maidment: It’s not a thing that you can pick up. It’s not an object. It’s a very complicated thing to describe and collaborating and working in that way where PSA Certified can give you that language is important and that’s part of the education. And then the people that manufacture the equipment, they buy those chips. They buy those chips with a Root of Trust inside. That then means they understand what they’re buying and they understand how that will affect their end product.
If you’re buying a chip and it’s going into your doorbell, or if you’re buying a chip and it’s going into, I don’t know, a wind turbine, is that, is that the same for security or is that different? It’s a very complicated question. From a PSA Certified point of view, this kind of democratization phrase that we use, it merely means that we’re able to have a language for the industry to be able to talk about that and to be able to consume those trusted components and build them into their products.
Then the final part that I think is important in that journey is the end market. And we work with… We track very carefully and we align and work with government regulation, for example. In the US, NIST is doing a lot of work with IoT, cybersecurity requirements. Here in Europe, ETSI, very similar process. There’s a lot of regional activities and we align with that as well, because clearly if you’re building something and it’s actually being deployed to market, there are growing… These things affect government. These things affect how products and services are delivered. In the end, there is a regulatory environment as well that the OEMs have to conform to. There’s a lot of information in there, but effectively, the answer is we have to do all of it. We have to do-
Shelly Kramer: We do.
David Maidment: Our kids need to become cybersecurity experts and we need the industry to talk the same language and we all need to understand how to describe security. We have to understand how to deliver trust components and build products with them and deploy them. That’s a lot things to bring together in the chain which is where PSA Certified sits across that kind of part of the ecosystem.
Shelly Kramer: Absolutely. One of the things that I wanted to touch on, now, it does seem like over the course of the last few years, security is becoming more of a priority for business now. To my way of thinking, that shouldn’t be something that just happened based on all of the breach incidents that we know about just in the last five years or so, but in any instance, in the last couple of years, the last few years, it seems like there’s been a shift in priorities. What do you think has driven that?
David Maidment: I think what’s driven it is effectively the, as I’ve described before, it’s across all sectors is the digital transformation agenda. And like we said before, whether that’s consumer, whether that’s industrial, whether it’s healthcare and the reason for that is because by delivering devices that are smart and connected, you deliver new levels of efficiency and actually enable new business models.
That’s very profound. These are highly sophisticated mini computers that have incredible ability. They have complex software. They have a life cycle. They need to be able to accept software updates. They need to have secure keys stored. They need to be trusted. And so, it’s fundamentally changed go-to-market for everybody because you can’t just sort of ship and forget, if you like, with the product. If I sort of build a thing and sell it, that thing, I’m deliberately using a very general term, but that object has a life cycle, it’s fulfilling a purpose.
And so, as we saw in the report, the growth of interest of businesses caring in that security is a direct response to that. An OEM building an electronic product, their customer will be using that product to support a very valuable service probably. And so, if those products are compromised or if there’s an issue, it affects them in many ways. It can damage their brand. It can result in legal proceedings. It can result in financial losses. Actually, we’re seeing requirements trickling down from the top as well from the kind of organizations that run the services and depend on those products and that creates obviously, a great pull for initiative like PSA Certified.
Shelly Kramer: Absolutely.
David Maidment: I guess the final part to answer that is the sort of the, in the end, what we’re solving is a business risk. The other part of the ecosystem that we have great interaction with is the cybersecurity underwriters, the insurance companies that underwrite the risk in the same way that you ensure your house or your car. Actually, people ensure cyber risk and that’s a large and growing industry, and you have to be able to measure that risk. And so, again, using certified components, using certified devices that meet best practice is a way for an insurer to understand the risk of the network and the likelihood of a network being compromised. There’s a lot of critical business reasons why security matters so much.
Shelly Kramer: I think that that’s a significant shift over the course of the last number of years, because I believe that a lot of what we’ve seen in the cybersecurity landscape has been a business attitude of I’ve got insurance. I’ll be fine. And when you think about just data breaches, an Equifax data breach, a Sony data breach, I mean, so many more, but those breaches haven’t destroyed a brand and business has gone on. But I think that what has happened is that we’re seeing senior leaders being my much more knowledgeable, boards being much more knowledgeable about the risk to business that these threats present.
And then I also think that we’re seeing cyber insurance companies saying, “Oh, you know what? We are not going to just write a policy for anybody for anything anymore.” And I think that’s where the beauty of, I know that I’ve talked before about this with somebody at the PSA Certified team, but I think now there are even in some instances requirements by insurance companies that in order to ensure you, we’re going to require this kind of a certification or something like that. And if that’s not, I think, is that happening right now? I think it is.
David Maidment: It’s moving in that direction. It’s moving in that direction and we’ll gradually have more to share on that front. I think the analogy I would use is when you insure your car, they want to know do you have an alarm, what model of car do you have, where do you drive, where do you park it. It’s the same, but on a huge scale with cyber insurance. They have to underwrite a risk. And so, as part of that process of underwriting it, they need to assess the level of risk. It’s actually quite hard to do that. We discussed before the difficult to measure nature of security and so, the need to have independent lab verified with a common language that everybody’s using. It reinforces, again, the need to collaborate around a common set of rules and language that the insurance industry can consume and build that into their own risk models.
There’s definitely exciting things happening in that space and I think that the cyber insurance industry sees this as, obviously on one side, it’s a growing market, which is great. And on the other side, it’s sort of a how do they assess that risk? How do they actually turn that into products that they are able to then sort of offer to their clients? I think that best practice security with certification is definitely at the heart of helping them on that journey.
Shelly Kramer: I’m sure we’re going to see more of this as time moves on. It only makes sense. Building a more secure, more connected world, and we’ve touched on this a little bit, but it’s not something that just, you can say, “Oh, David, that’s your responsibility,” for our whole organization. I think it’s something that’s a more, it is a collaborative process. It is something that requires smart partnerships and I think that we see this across, stepping back from the topic of security in general, I think what we’re seeing in the technology world as a whole is smart strategic partnerships are the path forward. That is part of how you fuel your digital transformation journey, which by the way, is never over. It’s a journey that continues on. I think that, of course, there needs to be some accountability that’s part of this process. What’s PSA Certified’s perspective on that front?
David Maidment: On accountability?
Shelly Kramer: Yeah.
David Maidment: I think that the perspective, as we kind of discussed, I think the way that I like to think about it is an audit trail of compliance really. You are able to kind of work backwards and understand the compliance for each part of the value chain and the value chain in IoT actually can be quite complicated. We talk a lot about components. At one level, you’ve got a chip or a processor that has a Root of Trust in, so you have that certified and you have a documentary evidence. You submit that to a lab and they look at it for a month and they do their testing. It’s built around a threat model and that threat model is well-described based on its use case.
And then at another level, you have huge complex system software that goes on top, and you want to see documentary evidence that that system software is making use of that Root of Trust in the correct way, and then it’s not bypassing any of the security features. And then if you go to the next level, you have the OEM. The OEM kind of takes the components. They take the software. They build a product. Then you want to know that they’re implementing those best practices that we spoke about like security update and life cycle management and how that device behaves on the network.
You want to have an audit trail of compliance for all of those things, so that if you are procuring that equipment, you want to know that a product has been developed with that level of diligence to meet… It’s like a layer of an onion is the best way to think of it. And then that product will go through the supply chain with different actors. And in the end, it kind of lands in the market in a particular use case and that supply chain needs to understand that compliance, that audit trail of compliance and for PSA Certified, we do that through, as I said, a lab evaluation and we issue certificates that are held online in a secure way and you’re able to view those certificates and understand that the devices follow that.
I think the that’s where you have a kind of the technical world meeting the business world, because the technical world has the heavy lift of making all that happen. The business world is then procuring that equipment and wanting to see evidence that that process is being followed.
Shelly Kramer: Knowing that you can trust the vendors that you’re buying from.
David Maidment: Absolutely. It’s all about trust-
Shelly Kramer: It’s really what it is.
David Maidment: … at the end of the day. It’s all without trust.
Shelly Kramer: Absolutely. We talked a little bit about the PSA Certified report. It’s the 2022 security report. I’ve touched on a couple of things that were of interest to me. Is there anything in that report that surprised you or that you felt like was just something that we can’t finish up this conversation without hitting on?
David Maidment: Well, I think it’s great to talk about the report and it’s exciting. I guess to explain to the listeners, PSA Certified security report is an annual report. We’re celebrating our third birthday. We’ve done two of these now. We go out and we talk to using a third party to do it in an impartial way. We go out and talk to over a thousand leading decision makers. The kind of the headline that we got back, I guess, is that a third of decision makers are still feeling that digital transformation is moving quicker than IoT security. And for us, that remains our sort of mission statement and problem statement in a way. We need to make sure that IoT security is keeping up with that, 50, 54 billion devices deployment that we’re talking about over the next few years.
And also, a lot of those companies and it’s around a third of those companies, think that the risk of IoT hacks is a reason during… Actually, a lot of that report is based on the pandemic. It’s kind of, we move to a new way of living and working during the pandemic and that’s not just working from home. You have to imagine that’s managing factories and office space remotely as well. There’s a lot of complex operations moved, accelerated digital transformation, which I think is really interesting. I think that has led to this turning point that we’re talking about with the report where we see that companies are now moving into a security first mindset.
Another part of that report, which I think is always interesting and it’s an area that we focus heavily on as the electronics industry is cost actually. It’s managing cost. And I think that actually, rather comfortingly, I think it’s 96% of companies say that having security in their products has positively impacted their bottom line. We’re kind of getting feedback that actually, you benefit from implementing security.
There has been a perception that security is sort of a… it’s a cost add that you can’t monetize, but I think we are working this dynamic in the industry where adding security is obviously an insurance policy against bad actors, but it’s also something that you can monetize. We are seeing evidence that companies are marketing on the back of their security, within their products. And I think as consumers, we’re beginning to warm up to that idea and we value security and I guess privacy as well in a similar context.
I think that’s really interesting feedback that it can aid profit, but then on the flip side, there’s a view that it’s also seen as too expensive to invest in, which is back to what we were talking about earlier. The sort of, well, do I have to have a new department of 300 people in order to have secure products? And I think our vision is that the answer should be no.
Shelly Kramer: Correct.
David Maidment: You can source trusted components. You can benefit this process and that companies invest in the areas that add value to their product. And that’s a big part of what PSA Certified is doing is that each part of the supply chain will add value to their particular part of the product. And so, companies don’t need to develop ground up every time, which is really important because they won’t see a return on that. I think it’s very interesting to kind of get that macro vision of the market actually where security matters. I think a lot of those players are now feeding into connected markets with these cloud-based services and they’re figuring out that sort of how to monetize it and where to invest in order to get the best return on that.
Shelly Kramer: I think that what we’re also seeing happen is I think we’re seeing a shift from a corporate leadership awareness standpoint of the primacy of security. I think that it makes absolute sense to me that this would be something that… I mean, if I were working on marketing branding, I mean that would be something that I would lead with. I mean, we have done the work and this means that what we bring to you is something that you can have complete trust in and we have developed this as part of being PSA Certified and we have the audit trail and this sort of thing. I mean, that’s an important part of a value proposition when you’re making a buying decision. I think what we’re also seeing is I think we’re seeing our buyers are much more educated about the importance of security.
I feel like in many instance, what I see is buyers coming to the table expecting to hear this as part of my sales pitch. I think that it’s a box they are more and more expecting to be ticked. I think that’s really exciting and I think that’s important. I think that it’s important for anyone developing products or making purchasing decisions or anything like that. I think it’s important to be aware of the fact that an organization like PSA Certified exists and exactly why it’s there to help provide that layer of trust, provide the heavy lifting, and I think it’s a game changer. I really do.
David Maidment: It’s interesting because I think we’re seeing evidence that the decision makers, so it’s like nearly 9 in 10 of the decision makers that responded said security is now top three business concerns. Decision makers are tuning into it, definitely. They understand how it affects their business. We’re also saying that, 96% are saying that security can positively impact the bottom line, so they can extract more value from the products they’re building, which is amazing.
I think that the important part of that and where we add confidence is that you have to be very careful to not promise what you can’t deliver in security. That’s where easy to understand measures that have been lab evaluated in an independent way. Don’t promise what you can’t deliver is really important to these companies. If they have an independent lab assessment with an audit trail against an independent measure, then they’re able to promote that with confidence, which is really nice, a really nice upside of what we’re doing. It gives those companies confidence to say, we are, for example, PSA level 3 certified. And they’re proud of that and it’s really good. They’re proud of that and they have their products on the website, they do the marketing, they want to be associated with the brand. It’s very cool that they are proud of that. I think it impacts, in a positive way, it gives them confidence, which is really great.
Shelly Kramer: I agree. It is really great. Well, David Maidment, Senior Director Secure Devices Ecosystem at Arm, thank you so much for taking time today to have this conversation with me and to dive into all things PSA Certified. I never get enough of these conversations because again, from one security geek to another, we get this. And I hope that for our viewers and for our listeners, that we’ve shared some information and some insights that you find valuable, I will include a link to the PSA Certified 2022 security report in our show notes and I encourage you to dive into that because there’s tons of great information in there. David, thank you very much for spending time with me today. It’s been a pleasure and I hope I can get you back on the show sometime again soon.
David Maidment: Shelly, thank you. As a final, if I could just plug a couple of the channels as well.
Shelly Kramer: Absolutely.
David Maidment: You can follow us on Twitter @PSACertified and we’re also on LinkedIn as well at PSA Certified. Psacertified.org is where you can find out more about the scheme. I host my own podcast as part of the education process actually. I think, like you, you have these amazing discussions with people across the industry. We have a podcast called Beyond The Now podcast. You can find it on Apple Podcast or very quick and easy to find. You can go via psacertified.org. Great discussions around how the industry is adopting this as well. It’s been a pleasure to talk today. Thank you.
Shelly Kramer: Absolutely. I’ll get all of that information from you and I’ll put links in the show notes. If you’re listening, you don’t have to remember that. We’ll provide links for you so that you can easily click on and find some more information and stalk David across the internet as much as you would like, because obviously, he’s a wealth of great information.
David Maidment: Thank you so much.
Shelly Kramer: With that, that’s a wrap for our show today. Thank you so much for hanging out with us. Thank you, David, for sharing time and insights with me, and we’ll see you again next time.
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”