Today’s device manufacturers not only face vulnerabilities and costly security breaches, but the growing potential for government regulation as well.
Hackers are finding new ways to gain access to internet of things (IoT) products and weaponize them for attacks, even as manufacturers create new products at a scale that makes manual security processes impractical. The vulnerability in Log4j’s code is just the latest to dominate cybersecurity headlines and affect hundreds of millions of devices. As Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly said, “It is one of the most serious I’ve seen in my entire career, if not the most serious.”
The situation is all the more serious because, for various reasons, manufacturers often don’t know what vulnerabilities their devices might have. According to a survey we recently conducted with the Ponemon Institute, only half of manufacturers test products before deploying them. Sixty-two percent of respondents say they lack resources to properly secure their products, and 60% say they lack in-house expertise.
Despite the challenges, something has to change. Fifty-nine percent of respondents say security concerns have cost them sales. And while only 12% say the government should be responsible for ensuring the security of IoT devices, inaction could force regulators to step in, especially if cyber-physical attacks grow in severity and scale.
Most manufacturers would prefer to avoid government regulation, but at least for those in the private sector, there could be another option.
The government began establishing regulatory frameworks with an executive order in May 2021. Among the mandates is a requirement that federal agencies adopt zero-trust architecture, but there isn’t much assistance to get them there. Unless something changes, the current path of IoT breaches leads toward more government regulation for device manufacturers.
For some, this is unavoidable. In our study with the Ponemon Institute, 36% of respondents say government regulators already require their organizations to provide details about the components of devices or attest to their security.
But government regulations aren’t as responsive as they could be. Regulations could be imposed by people who lack deep knowledge of the issues that the regulated sector is facing. Mandates made reactively, in response to attacks, tend to be implemented hastily.
You can have a much more responsive and flexible framework for security requirements when they come from a private, non-government regulatory body. There’s a national council of Information Sharing and Analysis Centers (ISACs), each of which creates security standards within its sector. The idea is to make sure that the industry has enough self-set regulations that government regulations aren’t necessary.
For example, the IT-ISAC is a non-profit, limited liability corporation formed in 2000 by members of the information technology sector. IT-ISAC touts that “members have access to tens of thousands of threat indicators each week,” and “can help a company manage risks through trusted analysis, collaboration and coordination and drive informed decision making by policy makers on cybersecurity, incident response and information-sharing issues.”
Other ISACs that are active in the IoT world include the Automotive ISAC, Communications ISAC, Healthcare Ready, Health ISAC, and Water ISAC.
Through private regulation, organizations have better visibility into how and why the rules are created, and are likely to have more of a say in what they are. Public regulation doesn’t typically have that transparency or insight from anyone outside the governing body.
Device manufacturers are responsive to their customers’ needs, which is one reason that product security is becoming more important. According to the survey, 73% of respondents noted that customers’ device security concerns had a high impact on the length of the sales cycle. Additionally, 55% of respondents’ sales teams put pressure on those responsible for product security to attest to their security.
A clear set of regulations would give those product security teams a clearer target. While end users might not understand the details of what’s in a device, it’s far more reassuring to know that security standards are created by experts in the field rather than politicians.
If a manufacturer abides by private regulations, it can instill customer confidence that there’s a well-thought-out prescription for security, and that the device was deployed with quality in mind.
Jeanette Sherman is senior director of product at Finite State.