The massive growth of Internet of Things (IoT) devices over the next one to three years should give us pause. As companies rush to get to market first, are we seeing a "dumbing down" of basic device principles that we have been working with for years, particularly enhanced security and privacy? With so many distinct applications, device scope and diversity represent a unique security challenge that so far has not been met.

I estimate that 85 percent or more of current IoT devices deployed in the real world do not have adequate security installed, and it's likely that the vast majority of those will never be upgraded (or are not even capable of being upgraded). That means not only do current devices being installed pose a risk, but over the next one to two years, the vast majority of devices that will be deployed also pose a risk.

It's a bit better in the Enterprise of Things (EoT) world, where devices generally are more costly and able to be enhanced for manageability, reliability and security. But in the price-sensitive market for consumer IoT devices, there is a real lack of security focus.

Build security into IoT devices, don't add on later

The real challenge, whether EoT or IoT, is going to be deploying devices that are designed using platforms that have an inherent security capability built in — not one of adding security after the device has been created. The add-on approach has never worked well in the past, and this market will be no exception.

What are some of the key security components needed in any platform?

Trusted execution environment at the hardware level
Secured UI (if used) to prevent hacking
Secured storage to keep data encrypted
Firmware and OS-secured lifecycle management
Protected communications capabilities and connections, including VPN
Key management and provisioning of device ID and login
Ecosystem of development tools and methods that enable good security design practices
Case-specific profiles and recommendations for best-of-class implementations

We have gone through all of this before in the mobile world, especially in the enterprise market, and unfortunately many IoT vendors have not learned that lesson. It will be critical that emerging devices, whether consumer- or enterprise-focused, be able to show a clear security and privacy capability or face ultimate rejection in the marketplace.

Indeed, devices that add a secure platform will have a major competitive advantage. And those that don't will face market backlash and potentially legal consequences for any security breaches.

Adding security to IoT devices adds value

Some have argued that adding security components will make IoT unaffordable in a price-conscious market. I estimate that a truly secured capability adds a marginal amount (5 to 10 percent) to the cost of hardware, and, therefore, cost should not be a primary inhibitor to adding secured internal infrastructure to any IoT device, particularly ones that are mission critical and/or are not priced as throw-away consumer devices.

So, it's more philosophy and not understanding the importance of security that causes some makers to not take security seriously. The added cost is trivial compared to the value it adds.

Upping the security of IoT/EoT is not that hard. Most current-generation IoT devices are built using commodity microcontrollers that are not inherently designed with the security components built into mobile phone-derived SoCs (e.g., trusted execution "vaults," encryption engines, VPNs). With a long history of security enhancements over the years and a compelling need to compete in security features, it's much more appropriate to utilize "downsized" mobile SoC technology than trying to reinvent security in software on chips not inherently designed with the same number of security subsystems.

As a result, downsized mobile SoCs both have a competitive advantage in system capability, even if they may cost somewhat more, and have already-proven security features that microcontrollers generally can't match. This gives them a major advantage in the next generation of security-conscious IoT devices. And I expect that most new IoT, and especially EoT, designs will incorporate one of these as the platform of choice rather than simpler microcontrollers.

IoT device makers can't ignore security lessons

Bottom line: We've learned much over the years designing smartphones and making them far more secure. And we should not ignore those lessons as we move on to the next phase of mobility — IoT and EoT. Leveraging all of the capabilities in hardware designs and software from smartphones makes the most sense if security is to be taken as seriously as it should.

With the many varied and growing number of reference designs using platforms designed as modified smartphone chips making it to market, I expect a surge of these devices to be powered by a more secured environment. And this is to the benefit of all of us being affected by IoT/EoT. Anyone building or deploying such technology should make sure they are built on one of these smartphone-derived platforms and not on a simpler and less-secure device.