Digital transformation surges on, with market sectors as diverse as automotive, consumer packaged goods and healthcare unlocking new revenue streams, greater customer insights and deeper connections with consumers. But alarm bells are still ringing around a number of issues – not least cybersecurity, a vital area of commercial concern where attackers only have to exploit one weakness, but defenders have to protect everything.

Digital transformation for physical product companies

In this article, I plan to unpack some of the challenges and complexities associated with wrapping robust layers of security around digital product and service innovation. This conundrum is actually one of many hurdles associated with what we at Cambridge Consultants term ‘Product+’ innovation. There are new technologies to understand, new business models to shape and new development processes that must be adapted to specific business needs. For some broader insight into how physical product companies can overcome these challenges and embrace digital transformation, why not check out the wide-ranging eBook by my colleague Jen Gomez.

As for security, let’s begin with some important user perspective. Consumers around the world have wholeheartedly embraced connected devices of course, but there is increasing awareness of the security implications of sharing data. A consumer study conducted by Ipsos MORI for the UK government noted two key points. Not only is there increased use and purchase of consumer IoT and smart devices, but there is also a strong appetite (expressed by nearly nine in ten respondents) for embedded cybersecurity features.

More than eight in ten consumers agreed that those involved in the supply chain had a responsibility to make cybersecurity checks and be aware of third-party security features being integrated into their products before they were sold (only three percent disagreed). Consumer bodies such as the UK’s Which? are also increasingly taking cybersecurity into account in their ratings and reviews.

So, it’s clear that to realise the promise and opportunities of the new technologies, the coming generation of devices must be robustly protected from being abused and misused. The data handled by associated services must likewise be defended from malicious activity. Being able to safeguard holistically both product and service is where good cybersecurity practice is essential.

Cybersecurity is hard. This is because of the diversity and variety of devices and services. There are different layers of hardware and software being incorporated, all connected in diverse ways using a range of protocols for countless use cases. Adding the unpredictable spectrum of human behaviour (from opportunistic thieves scamming a single consumer to highly organised crime syndicates intent on breaching major databases) takes us into the realm of spear and shield scenarios. This is what I was alluding to earlier – a malicious actor only needs to hurl a single spear, but the defender’s shield must protect everything.

With cybersecurity, everything is a balance

A sound approach to cybersecurity entails striking a series of balances, including the resolution of conflicting requirements. Harmonising security and privacy is a good example, since security requires monitoring, which could violate privacy. Another is security and power, because security processing requires some computational overhead. Then there’s security and usability. This is one of the most complex areas of technology innovation, since both involve human interaction with a system – but from different perspectives.

Historically, the narrative has insisted that humans are the weak link in security, the ‘problem that sits between keyboard and chair’. But we now know that this is not true, and that human input is crucial to a truly successful security solution. This can be seen in areas such as multifactor authentication, where the user is in the loop and very much part of the access control process.

Security is also something that is (and should be) invisible to the consumer. If the security works, then nothing happens, and the customer experience continues smoothly. This also works the other way round. A great deal of effort could have gone into security, but if the user perceives the product or service to be insecure then the invisibility might well be a liability. There’s also the danger that the only security experience the consumer is aware of is negative. Being able to balance these requirements and considerations is a vital aspect to consider.

Systems engineering approach

So here’s the rub. How can your organisation deal with engineering security solutions when there are so many constraining, potentially conflicting factors and balancing acts to perform? Here at CC, we advocate a strong systems engineering approach as well as a policy of applying security principles agnostically. This includes concepts such as ‘secure by design’ as championed by the UK government’s code of practice.

But this is only part of the puzzle. Since legislation can provide certainty around which technologies to invest in, mapping out key pieces of legislation such as California’s Senate Bill no. 327 and the UK government’s proposed IoT security regulation can help form the basis of future product and services strategy.

There are still a number of challenges, including the differences in regulation depending on jurisdiction, the overall relative immaturity of the area and the scale of proliferation of these devices. However, the trifecta of consumer demand, good security practice and legislation represents an opportunity for us to help create products that are trustworthy. This trustworthiness gives a solid foundation for clear differentiation from competitors, removes barriers from markets and ultimately leads to a sustainable business.

Want to learn more?

At Cambridge Consultants we’re busy helping clients to explore the opportunities of digital transformation. Often, we’re working right alongside them to design and develop full systems. In each and every case, we have an unbreakable rule – cybersecurity is considered right from the start. This saves time and money on the innovation journey and ensures the strongest possible system for launch. Please drop me a line if you’d like to continue this conversation. I’d love to chat further about how we can integrate security into your digital transformation projects.

Author
Madeline Cheah
Principal Security Technologist

Madeline collaborates with clients to help enable cutting-edge technologies for their products and services. With more than ten years’ experience in cybersecurity, her focus now is on applying this vital area of technology to protect companies embarking on transformative innovation journeys.