I bet that cynical part of your brain is in overdrive right now, thinking “Really? I don’t think my buyers care much about security at all! They certainly don’t ask for it”. That’s probably true, but bear with me. Security is a major concern for your buyers, and with the increasing frequency of cyber breaches, it will only become more critical!
For many product managers, addressing the cybersecurity of their devices feels like tackling the big, grey elephant in the room. Everyone knows it’s there, everyone knows it’s a massive issue, but no one wants to deal with it, or even really knows how to deal with it.
What’s more, it’s all too easy to justify not dealing with security because it almost never comes up in your user feedback loops. When your users aren’t asking about the cybersecurity measures that have been installed on a device, those features naturally get relegated to the back of the list. Furthermore, why would you risk opening that can of worms? Asking your users about cybersecurity may alienate them from your product as you make them more aware of potential threats.
Security is at the center of purchasing decisions
The problem is, no one can really afford to disregard the security of their connected device. The three factors that most influence purchasing decisions for connected devices are functionality, price, and, aha, security. A global survey conducted by CIGI-Ipsos found that overall security ranks as the top factor influencing the decision to buy a connected device at 26%, followed closely by price at 24% and functionality at 20%. In fact, the study found that for a product worth $1,000, a global citizen was willing to pay on average 30% more for better product security.
So, why aren’t they asking for security?
For many consumers, security ends up being an important afterthought and a major consideration in subsequent purchases. A survey conducted by Carnegie Mellon University found that while most interviewees had not considered privacy and security prior to purchasing their IoT device, they were more concerned after their purchase. Only after having used their device did they acknowledge the need to be aware of privacy and security information before making their next IoT purchase. Of the interviewees who were concerned about privacy and security before their purchase, many reported difficulty finding useful information about it, making their purchase decision more difficult.
Cyber threats are a barrier to IoT device purchase
You may have gotten away with ignoring cybersecurity five years ago, maybe even two years ago, but with the proliferation of IoT devices and the conspicuous frequency of attacks, buyers are becoming aware of the cyber risks and are raising their concerns when they purchase. While the practical benefits of IoT devices are a huge draw card, cyber concerns are a drag factor that’s pulling down adoption rates. In another IoT customer survey, by the Internet Society, 35% of people who don’t buy connected devices aren’t buying because of cyber concerns. And those still willing to buy see cyber threats as being as much of a barrier as cost.
Buyers want security and they’re willing to pay for it
As the consumer market is increasingly aware of the risks of connected devices, and views security as a factor equal to price and functionality, buyers are willing to pay more to avoid the risks. Depending on the cost of the device, buyers are willing to pay 30% more of the original price for better product security, while almost 25% of consumers are willing to pay 50% more. How much extra a buyer is willing to pay for cybersecurity really depends on the type of data the device collects. For devices that collect sensitive information, like images and PII, there is a willingness to pay more. For example, for security cameras, which are known to collect sensitive data, buyers are willing to pay 40% more of the product price, while devices like a thermostat, which don’t collect any sensitive data, can only raise their retail price by 14%.
The day of security standardization is fast approaching
Irrespective of whether brands like the idea of embedding security mechanisms into their IoT devices, we are quickly approaching a reality where it won’t be a choice, but a bar to market entry. A recent Executive Order released by the Biden Government has tasked the Director of NIST with developing a labelling program that educates the consumer public on the security capabilities of IoT devices. NIST is determining the criteria for grade levels that correspond to increasingly comprehensive cybersecurity measures that have gone into testing and developing a connected product. Manufacturers, brands, and developers will be incentivized to participate, as the labelling program will change the way people shop for smart products, similar to how they shop for energy efficient products.
How security labelling could work
Rather than seeing security labelling as another hurdle to market, IoT device brands could benefit from an activation and expansion of the market. 77% of consumers said that information about privacy and security is an important consideration in their buying decisions, but much of the time that information is not available, and that is causing them not to purchase. Conversely, when a brand does provide visible security certification, 91% of consumers say they would prefer those products. Security labelling will provide brands with another feature on which to compete other than price, a feature that not only sells but also fosters brand trust.
Cybersecurity as a Feature (CaaF)
Moving forward, buyers are going to want security on their devices, and it will increasingly influence their purchasing decisions. Product managers wanting to grow their profit margins will have to address cybersecurity and embed a proactive IoT solution that will keep their products beyond the grasp of hackers. Yet the product managers who will really blow out their sales targets will be the ones who have figured out how to monetize their cybersecurity features: not just embedding security, but building their product branding and marketing around prioritizing the privacy and security of their users.
Now, who the hell cares about security?