Increasing connectivity and IoT device adoption have exposed embedded systems to new security threats that could severely hinder business operations and endanger the safety of humans or embedded devices. These threats are forcing OEMs to actively address security as part of development and are guiding the creation of new practices. VDC’s latest report takes a closer look at the portion of OEMs’ in-house labor expenditure that is consumed by vulnerability mitigation efforts.

While more OEMs recognize the escalating repercussions of software security vulnerabilities, action to mitigate these risks has been minimal or, in some cases, non-existent. Even among respondents who rated security as “extremely important,” nearly 8% reported that their organizations were taking no action to address these potential risks. Still, a growing number of companies are setting aside money from their budgets to find, fix, and prevent system vulnerabilities.

Data from VDC’s IoT and Embedded Engineer survey confirms that a significant portion of OEMs’ existing in-house labor cost is already dedicated to addressing security. “These expenses are rising much faster than the overall cost of development, which reinforces the criticality of including security-related labor in budgetary planning,” said Andre Girard, senior analyst of IoT and Embedded Technology at VDC.

The report states that the worldwide embedded engineering labor spend specifically associated with security was $11.6B in 2017. This represents almost 8% of the overall cost of embedded engineering labor. “Security-related spending is accelerating rapidly as awareness of the scope and severity of potential vulnerabilities rises, and the growth in IoT deployments increases both the quantity of possible targets and the volume of attack surfaces,” explained Girard.

On a broader level, VDC states that the urgency of providing robust software security necessitates wide-ranging organizational involvement. “Proactive steps must be applied across the full development lifecycle by a larger pool of stakeholders to manage an increased pace of software releases and more complex code bases,” said Girard.

“OEMs should include knowledge of security vulnerabilities and risks in the training of all engineering teams so that it can influence decisions and actions made throughout the design and development lifecycle.”

The full report investigates, quantifies, and forecasts OEM in-house labor spend that is directly committed to addressing the security of systems under development. It provides data segmentations by major industry and technology communities of interest, including target vertical market, engineering role, and development lifecycle stages.