Page 171 - Cyber Defense eMagazine RSAC Special Edition 2025
Why platform security?
Hardware and firmware attacks are difficult to detect and expensive to fix, giving an attacker a stealthy and
persistent foothold in IT infrastructure and networks. This has been driving attacker investment and interest,
and it makes device security an increasingly important layer of the IT stack for achieving resiliency.
A core challenge with device security at the hardware and firmware level is that it is very hard, if not
impossible, to address with software alone. This is why it is key for manufacturers to invest in security by
design from the hardware up, including building the manageability capabilities needed for a modern
hybrid workforce.
Device security should be considered from the procurement stage, but it is usually ignored in favor of
short-term gains, such as reduced costs. In fact, 68% of ITSDMs say hardware and firmware security is
often overlooked in the evaluation of the total cost of ownership (TCO) for managing device security
through its lifecycle. It is important to remember that purchasing a device is a security decision, with the
wrong choice having far-reaching implications that can weaken security posture or increase infrastructure
security management costs for years to come.
Organizations need to develop the capability to set requirements for device hardware and firmware, as
well as the necessary lifecycle management processes to ensure that devices can be trusted to operate
as expected throughout their lifetime. This requires an end-to-end approach, considering platform
security across the entire device lifecycle.
1. It starts with suppliers
Taking control of device security starts with supplier selection. Too often, procurement teams work alone
to source devices, without the expertise of security and IT teams to evaluate vendors and guide security
requirements that may have long term security and manageability implications across the fleet. In fact,
more than half (52%) of ITSDMs say procurement rarely collaborates with IT and security to verify
suppliers’ hardware and firmware security claims.
Collaboration between IT, security, and procurement is key to ensuring that procurement requirements
appropriately serve the long-term security posture and digital strategy of an organization. This includes
setting procurement requirements for device hardware and firmware security capabilities, and articulating
standards to audit supplier security governance. The latter is not broadly practiced, but our findings show
that 34% of organizations that do audit suppliers have had a PC, laptop, or printer supplier fail a
cybersecurity audit in the past five years. Almost a fifth claim the failure was so serious that they
terminated their contract.
2. Onboarding and configuration go off track
The risk of hardware or firmware tampering exists at every stage of a device’s lifecycle. While a device
is in transit, or simply unattended, it could be tampered with to insert malware or malicious hardware