
Panellists at the recent Secure Horizons event, L-R: George Dunlop (Quantum Dice), Anıl Doyran (Cyberwhiz), Joe Hill (Digi), Haydn Povey (SCI Semiconductor) and Malcolm Kitchen (EPS Global) together with John Moor (IoTSF).
Five insights from the IoTSF frontlines
At the January 2026 ‘Secure Horizons’ event held at the Duxford IWM, I was invited to host a panel constructed from speakers of the day – most of whom were IoTSF members.
It was a great opportunity to reiterate many of the key messages about IoT security, together with forward looking statements. It was also an opportunity to question the wisdom of relying on regulation to fix what is widely broken or dysfunctional.
Whilst regulation has its place, it is the position of last resort and impossible to get right, in my opinion. Whilst it remains an essential hurdle to overcome for business reasons, we must be careful not to take our eye off the real goal: fitness of purpose and resilience in operation – i.e. not merely a ‘compliance’ tick.
It is with this in mind that the IoTSF Executive Steering Board (ESB) has set a new direction that moves beyond Secure by Default and Security by Design. We believe the most effective solutions will come about by introducing a complementary third element which adds extra emphasis on the application and market needs: Security by Demand.
As someone who lives by ‘the power of 3’ (you’ll see this echoed in many of our comms if you look closely), it is therefore fitting that we now have 3 x SbD’s:
– SbD1: Secure by Default
– SbD2: Security by Design, and now, for 2026 and beyond, with added emphasis on:
– SbD3: Security by Demand
And as we set forth toward this new horizon, let me start by reiterating the key takeaways from Duxford – as I laid out myself, and what I heard our experts say.
Security is an immune system, not a vault
In 2015, the Internet of Things sat atop the ‘peak of inflated expectations’ promising a hyper-connected utopia. Since then, we’ve tumbled through the ‘trough of disillusionment’ and are only now emerging on the ‘slope of enlightenment’. Having been on this journey since that time, this accords with what I refer to as many ‘epiphanies of the obvious’.
One such epiphany is this: security is not a trophy you win or a vault you lock, it’s a living immune system. It’s a relative state of managing risk, not an absolute end-state of ‘secure’.
For years, we treated IoT security as a technical hurdle to be cleared – it’s much more than that. Today, we recognise it as a ‘wicked challenge’ – a movable feast where the goalposts shift every time a new vulnerability is discovered or a new regulation is drafted.
Takeaway #1: Security is not a finish line, it’s risk management
There’s no actual endpoint with cybersecurity – it’s constantly moving. It’s not really about winning – but in one sense, what you’re actually trying to achieve is to… ‘not lose’.
Organisations, therefore, must resist thinking in binary terms (secure vs insecure) and shift to the new paradigm and think in terms of acceptable risk. This requires answering four fundamental questions for every product and system:
- What are we trying to protect?
- From whom are we trying to protect it?
- By what means?
- At what cost?
By focusing on these metrics, security stops being an unreachable ideal and starts becoming a pragmatic operational business strategy. And the goal isn’t ‘perfection’: the goal is an acceptable level of risk that doesn’t jeopardise the mission or the balance sheet.
Takeaway #2: From ‘Security by Design’ to ‘Security by Demand’
As noted above, in 2026 we are announcing the birth of SbD3: Secure by Default, Security by Design, and the most powerful newcomer, Security by Demand.
While marketing brochures tout security features, they rarely move the needle of the global supply chain. The real ‘pull-through’ effect happens in the procurement office.
Requests for Quotation (RFQs) are more influential than any marketing campaign. As one of our panellists at the event asserted, if the National Grid, a major Distribution Network Operator (DNO), or a military prime refuses to buy hardware that lacks memory safety or a root of trust, the entire supply chain is forced to adapt or die.
Purchasing power is the ultimate lever: when the market demands resilience as a condition of sale, security moves from a ‘technical debt’ to a ‘commercial win’.
Takeaway #3: The regulation paradox – Why laws might make us less safe
There is a growing, skeptical consensus that ‘tick-box compliance’ might actually be the enemy of true security. This is the regulation paradox: when laws like the EU’s Cyber Resilience Act (CRA) create a compliance ‘floor’, companies often treat that floor as a ‘ceiling’.
Worse, we are seeing the risk of ‘regulatory flight’. Large corporations outside the EU are already questioning if the cost of lifecycle management and the threat of massive fines make doing business in the EU a losing proposition. There is also the ‘competitive disadvantage’ argument: if one company invests heavily in robust security while a competitor does the bare minimum to pass an audit – and isn’t penalised – the market breaks.
As I have said on more than one occasion now – “I could write a case for why regulation will create weaker security. I’m absolutely convinced about that.”
If the faux-goal of regulation diverges from actual security outcomes in favour of bureaucratic checklists, we aren’t building more secure devices: we’re just building more expensive paper trails.
Takeaway #4: Cybersecurity belongs to the CFO, not the CISO
Is it time to evict cybersecurity from the server room and move it into the boardroom? Many would say (and have been saying) that it is. In high-stakes environments, this is no longer an IT problem: it is an audit committee responsibility.
The CFO and the Company Secretary should ‘own’ the cyber risk because they are the ones tasked with keeping the C-suite out of jail and the company’s accounts signed off. This shift is being accelerated by the cyber insurance sector.
Insurers are the only ones who truly understand risk because they have to price it. Their premiums are becoming the most honest metric we have for a company’s security posture.
When the CFO realizes that poor security hygiene leads to uninsurable risks or existential fines, the budget for resilience suddenly appears.
Takeaway #5: The supply chain is a ‘wicked challenge’
In other engineering disciplines, we have standards that prevent us from ‘cobbling things together’. In software, frankly, the current state is crap. We accept levels of fragility in software that would be grounds for a lawsuit in civil or mechanical engineering.
The stakes in IoT are kinetic. A software mistake in a camera or a car can ‘ruin someone’s life’. Yet, the supply chain remains opaque.
Many brand owners outsource their entire production, slap their logo on a device, and have zero visibility into the underlying code. Although I’m not fully familiar with the precise details, the discussion we had suggested that the recent Jaguar Land Rover/Tata example is a haunting case study: they put their cybersecurity up for bid and chose the cheapest vendor. The result? Systemic failure.
IoTSF ESB member and SCI Semiconductor CEO, Haydn Povey, is vociferous: The inflection point must be architectural. By adopting memory-safe architectures (like CHERI), we can eliminate up to 98% of critical vulnerabilities at the hardware level. We must stop trying to patch human error and start building architectures that make those software exploits impossible.
In the interest of balance, I must add that other ‘memory safety’ approaches are available – the key point for us at the IoTSF is to raise awareness that ‘memory safety is a thing…’ again, as I have been saying for several years. Accept it – and find your preferred solution.
Conclusion: SbD3 is the new frontier of IoT security
The message from the frontline is clear. True progress demands more than regulation and good intentions – it demands that the market insist on security that actually matters. The IoTSF is committed to making that happen.
The Secure Horizons discussions at Duxford marked a moment in time to reflect and look forward; we’ve come a long way since the peak of inflated expectations in 2015.
IoT security is not a one-time achievement but an ongoing risk-management discipline: an entire, adaptive immune system. Regulation provides a necessary baseline but risks creating bureaucratic tick-box complacency, uneven enforcement, and even weaker outcomes when compliance becomes the goal rather than a tool.
This is why the IoTSF ESB is now prioritising the third pillar: Security by Demand (SbD3), alongside Secure by Default (SbD1) and Security by Design (SbD2).
While the first two embed security at the product level, SbD3 leverages the market’s strongest lever – purchasing power. When major buyers make security requirements non-negotiable in RFQs, the entire supply chain responds faster and more effectively than any mandate or brochure ever could.
In 2026 and beyond, the IoTSF will intensify efforts to promote Security by Demand – we hope you’ll join us in that cause as we believe this is the only sure way to achieve fitness of purpose and resilience amongst all the noise and distractions.

John Moor – Managing Director, IoT Security Foundation
