Most people don’t understand the impact of connected technology on privacy, and the services that harvest our behavior to provide us services. These services can be extremely positive and benign, or they can be misused to mislead, nudge, and influence our behavior. We have to address that openly as an industry and in society, and in front of the adoption, or we risk implementing a system that puts revenue ahead of privacy.
I had the pleasure of interviewing Haydn Povey, CEO Secure Thingz, and General Manager Embedded Security Solutions, IAR Systems
Haydn is the founder and CEO of Secure Thingz and General Manager for the division Embedded Security Solutions at IAR Systems, with a focus on developing and delivering next-generation security technology for the IoT and other connected systems. Haydn is also a current member of the Executive Steering Board of the IoT Security Foundation. Haydn has a background in senior management at leading global technology companies for over 20 years, including 10 years in senior marketing and business development roles at Arm. While at Arm, Haydn looked after the company’s strategy and product roadmaps for security within IoT and M2M marketplaces, and he led the development and introduction of the Cortex-M microprocessor family.
Thank you for joining us Haydn. Can you tell us a story about what brought you to this specific career path?
I trained as an Electronic Engineer, but I’ve always existed on the boundary of the physical world and the computer electronics world. I spent nearly a decade working for National Instruments Corporation on the interface between the real and cyber worlds, which was incredibly interesting. I worked in Texas for a few years and then moved back to England where I was lucky enough to be headhunted by ARM Holdings to run their microcontroller (MCU) product management, first as Senior Product Manager and then as a Marketing Director within the Processor Division. This was ARM’s first initiative to move into the cyber physical world, and my team took them from having no presence to becoming the dominant architecture for microcontroller. Along with MCUs, I owned the processor core business for bank cards.
One day, the Chief Operating Officer of ARM came to my office and told me he wanted me to look after security across ARM’s processor families. There was a bit of a problem with one of ARM’s major consumer electronics customers in Japan. I was told to, “Go sort it out.”
That was my introduction to security. I spent the second half of my time at ARM focused on security, which was extremely fortunate. I gained tremendous experience on cyber, physical, and security systems. This gave me a unique skillset and perspective. And, it’s what set me on the course for the work I’ve done at Secure Thingz and at IAR Systems, where we’ve been able to bring security to the heart of the Internet of Things (IoT).
Can you share the most interesting story that happened to you since you began your career?
I believe our career paths are made by certain moments. For me, the most interesting moment was when the COO of ARM explained how a major project for a tier one consumer electronics company had gone “sideways” and directed me to fix it. It marked the point where I moved from someone who was interested in security to someone who owned the problem for a major company. It caused me to look at things differently and to truly consider at how we value security.
One important lesson I learned about security is that consumers must have a reason to value it. You cannot dictate security to consumers, you have to bring them on the journey and offer them value; as with any feature.
About 10 years ago Digital Rights Management (DRM) was a big issue as people were using PCs to rip music and movies. DRM was supposed to be the solution, but asking consumers to pay more for something that they saw as fundamentally undermining their rights, simply didn’t work. Then Apple introduced iTunes and the iTunes Store, and gave consumers an easy way to manage and access media while protecting copyrights. Apple changed the game by making technology accessible and removing many (but certainly not all), of the reasons people were circumventing DRM.
A close second to this moment goes back to working National Instruments. Over my history with NI I have had more sub-machine guns pointed at me than I can count. My work bought me into contact with many agencies of the UK Ministry of Defense, including the Atomic Weapons Establishment, Defense Research Agency, the Chemical and Biological Defense Establishment, and so on. It was all incredibly interesting and sometimes challenging, especially where heavily protected facilities meant I faced machine guns on every visit.
Can you tell us about the “Bleeding edge” technological breakthroughs that you are working on? How do you think that will help people?
Without a doubt these come and continue to come from my work on the IoT, an area I’ve lived in for the last 15 years. In early days it was called Machine-to-Machine connectivity and allowed direct communication between devices using any communications channel, including wired and wireless. In its basic form it provided controls, such as turning lights on and off from a mobile phone, but overall there was a clear definition within the system of each operation and application.
The IoT is more far complex and virtually limitless in terms of what can connect and where the value lies. The potential is fantastic. For example, consider a connected Baby Grow or baby vest. My eldest child who is now 21, was born prematurely and weighed only three pounds. He was in Special Care Baby Unit for many months, which used a baby mat to monitor his breathing. We continued to use this at home, and it provided a great sense of comfort. Today, Baby Grow products can monitor breathing, movement, and body temperature among other things. And while that’s an improvement, it’s still limited.
With the IoT, however, the Baby Grow could connect to any number of Things. So, if the baby stops breathing in the middle of the night, the bedside alarm clock would wake up a parent and the room lights would go on so the parent could focus quickly on their child. Before the IoT, this would have been unimaginable. With the IoT, the Baby Grow has the potential to become the most critical, powerful, and wonderful alarm system you’ll ever own as a parent.
The ability to provide a service that combines Things (physical devices) is where the value of the IoT lies. The Things are an embodiment of the value, not the value itself. The Baby Grow, the lights, the alarm are just Things that enable the service to operate. The value is that they wake up someone who can save a baby’s life.
The crucial factor and foundation for every IoT service is security that prevents it from being compromised by a third party.
The work I am doing today enables chip developers to implement foundational security into every design without ever knowing where the chip will be used or in what application. Designing security in this early in my opinion, is the right approach. We call it Security From Inception. Not only does it provide a secure foundation for any application, but it saves the costs of upgrading or redesigning applications to add security features. Making security part of the DNA in every chip means they can be used in virtually any Thing. No one can predict what apps will be hot in the future, be we do know they will require security.
How do you think this might change the world?
The concept of Security From Inception is changing the world, and it is the only way to build Things that will connect to the IoT. By building-in security from the point of imagining the solution, or inception, we are providing an essential capability that won’t control or constrain how customers use embedded devices.
Secure devices can be integrated into a million different systems from consumer and industrial electronics, to Smart Cities without concern. Security has the potential to engender a whole new industrial revolution of connected systems. Fundamentally though Security From Inception sets innovation free.
Keeping “ Black Mirror” in mind can you see any potential drawbacks about this technology that people should think more deeply about?
There are a number of examples where IoT technology without security has, and can, go wrong. People have hacked into cameras and recorded activity in people’s homes. Smart speaker devices continually monitor, collect, and transmit conversations, requests, and environmental sounds to the companies who designed them, for product monitoring and improvement.
In some cases this capability is a good thing, for example in investigating criminal activity. However, even then it can be considered a violation of privacy. Personally, I find it somewhat Orwellian. The challenge is protecting our data and our privacy. If we don’t rise to this challenge now, we may accidentally end up in a dystopian nightmare and then, people will stop adopting new technology and systems. If that happens, technology, instead of freeing us, will constrain and challenge society.
Was there a “tipping point” that led you to this breakthrough? Can you tell us that story?
There are a few notable tipping points that led to this breakthrough including the growth of smart devices, external threats, and a shortage of cybersecurity experts.
IDC predicts that there will be 200 billion IoT smart devices this year, an increase from 2 billion in 2006. This breathtaking growth is expected to continue at an even faster pace. That’s about 26 smart devices for every human on earth. Most of these will be used in factories, businesses, and healthcare, but they will touch your lives in many ways.
For example, when I left ARM I consulted to Renesas Electronics, a Japanese chip company who had recently announced a new platform to support applications like smart electric metering. Electricity has a strong cash equivalent, and if someone can hack the meter to get free electricity, the chances are they will. This was especially true if they used power for illegal activities, such as cannabis production. In addition, without proper security smart meters are vulnerable to attacks from malware that turns connected devices into remotely controlled bots that can be used as part of a large-scale network attacks.
Smart meters are also potentially prone to ransomware attacks like those carried a number of global corporations in 2020 including steel manufacturers and water treatment facilities. These attacks disrupted service, caused revenue and job losses, and drove stock prices down.
Even as the need for security becomes more evident, Gartner report that there is a global shortage of 3 million cybersecurity experts. This is an impossible number to educate our way out of, there are simply too few cybersecurity experts bring trained to impact the market Instead we must build in Security From Inception with tools that abstract and simplify the process, making security a part of a Thing’s baseline DNA, and enabling all developers to implement security in their normal development flow.
What do you need to lead this technology to widespread adoption?
We need to change the mindset. Widespread adoption requires a profound change in perception and action.
Right now, security is viewed as an expense; and hence negatively. A security risk, breach, or attack is perceived as theoretical threat — until it happens. Then companies ask, “Why didn’t we do something about this before?”
This needs to rapidly change. C-level executives must accept that security doesn’t only protect against malware and other attacks, but it can protect Brand and Intellectual Property (IP) — an organizations core values — from cloning and counterfeiting, which the OECD (Organization for Economic Co-operation and Development) estimate as a $500 billion dollar a year industry.
Chief Information Security Officers (CISO) must expand their roles from responsibility for just information security, to include the security in their products. They need to define the risks and impact of a product attack, or work with experts who can inform them.
Finally, we need global legislation. This is coming. It started in the UK, then moved to the European Union (EU), and now California, Oregon and other states have passed laws in the United States. Legislation will define a set of best practices and require a reasonable level of security for every connected device, from robotics and fitness devices, to cars and washing machines.
What have you been doing to publicize this idea? Have you been using any innovative marketing strategies?
I have been working on a fundamental level with the organizations driving the legislation. I am on the Executive Steering Committee of the IoT Security Foundation (IoTSF), the preeminent security NGO. We developed a standard set of best practices that includes a minimum level of hygiene and reasonable level of built-in security, including authentication, the ability to patch, update and protect, and a requirement to inform people of flaws and vulnerabilities.
These best practices have been adopted as standards by the UK , EU, Singapore, Japan, South Korea, and California and Oregon. There are potentially steep penalties for those who do not meet these legal requirements, for example, the attorney generals of California and Oregon can levy unlimited fines at their discretion. In the EU it is expected that the fines will be equivalent to General Data Protection Regulations violations, a minimum of 10 million Euros. If there is an egregious flaw, the fine doubles to 20 million Euros. For larger companies, the fines can be up to 4% of gross revenues. These fines are designed to cause people shipping into these countries to understand the value security from the Board level to manufacturing.
Our involvement in driving these standards has become an integral part of our marketing strategy.
None of us are able to achieve success without some help along the way. Is there a particular person who you are grateful to who helped get you to where you are? Can you share a story about that?
I am grateful to the IoTSF and the opportunity to work closely with the people who were setting this up including John Moor, the managing director. He made it his mission to drive the stabndardisation and legislation processes and to change the way industry think about security. The IoTSF has evolved from the NMI (National Microelectronics Institute), now TechWorks, in the UK to working closely with the National Cyber Security Center (NCSC) and governments around world to drive standardization and legislation that makes it safer to connect to virtually any Thing.
How have you used your success to bring goodness to the world?
Again, it comes back to working with the IoTSF. It has been a force for good, for education, for driving cybersecurity up the agenda in governments around the world, and ultimately to ensuring that privacy is a key component of connectivity.
I studied the book 1984 by George Orwell in school and it described this dystopian society where everything listened to you. The crazy thing is that back then the government had to place the bug. These days we are convinced to go out and buy devices like smart phones, thermostats, doorbells, and assistants — all of which listen, and put them in our homes ourselves.
Most people don’t understand the impact of connected technology on privacy, and the services that harvest our behavior to provide us services. These services can be extremely positive and benign, or they can be misused to mislead, nudge, and influence our behavior. We have to address that openly as an industry and in society, and in front of the adoption, or we risk implementing a system that puts revenue ahead of privacy
What are your “5 Things I Wish Someone Told Me Before I Started” and why? (Please share a story or example for each.)
Everything takes twice as long as you think it will — everything, even when you are being a bit pessimistic. This means you really need to think about the resources you have, the money you spend, the time it takes to get to market, and the promises you make to people. Stuff will take time; it’s just life.
The second truism of any product from MCUs to security is that consistency of messaging beats technological innovation every single time. Consumers can only consume so much technology. It’s easy to out-innovate an industry. We’ve seen this with security. You can build extremely strong security but if people aren’t ready for it, it doesn’t matter. It’s all about timing, just like good comedy. At ARM, for example we developed MCUs and it was a grind at the start to popularize them. People couldn’t imagine needing a 32-bit MCU. They weren’t thinking ahead or about the time it takes to scale. It’s similar in security. Boards of Directors don’t care until they get hacked. Once it happens, they expect a solution overnight. That can’t happen if a device wasn’t developed with built-in security capabilities.
Nobody cares about security until after the car crash. We see this repeatedly. There are a number of books about getting minimal viable products to market. Security is always in version two of a product because it’s seen as an expense. That is absolutely wrong. Security will save you when something goes wrong. Security will protect the product or service you are selling. It will enable you to patch, update, and remediate your devices when they are compromised. The reality is that every device that can be built, is one a bad guy can compromise. Every connected device in the world either has been, or will be, compromised. It’s as simple as that.
Focus on profitability NOT revenue. You can have large revenues but zero profits. It comes back to understanding your value proposition. As a start-up it is truly important to be profitable, not to chase after the big check. If you have to employ lots of people and increase your costs to complete a project, despite the size of the check, it turns into a loss. You must understand your margins, what customers are prepared to pay, and your pricing policy instead of just chasing the dollar. It’s often the right thing to fire your customer if you are not making enough money. But it’s a hard lesson and one which very few people think about their first time around.
This is one I learned, but it took awhile. You can’t do things alone, whether as a company or individually working inside a company. Ecosystem and partner alignment are critical to success. You have to choose your partners carefully, so you find the right ones, and you have to line up an ecosystem to support your products. This is crucial. You can have a ground-breaking technology and product but if on its own, it just won’t work. Apple is a good example of doing this right. The iPhone is a success because there is a huge ecosystem of people creating applications so it can be everything and anything you want it to be. Similarly, in the security dominion, we need to have a strong ecosystem around silicon partners, distributors, programming houses, and internal resources.
You are a person of great inﬂuence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger.
It would be the ability to query, the ability to think past the obvious. So, taking the example of SmartSpeakers, Alexa, and other similar products, we need to ask people to think about what is really happening with their data. Why is it that Google (Alphabet) can monetize their data to become one of the biggest companies in the world? Is it ok that Amazon sells you things while gathering an incredible amount of your information? With all the data they gather, many of these organizations know you better than you know yourself. This leaves you are open to manipulation.
I would ask people to think about their data, especially those who have grown up with technology. People live online and leave footprints that companies monetize. On one level it’s fine as you are getting service for free. People need to understand that they are engaged in a transaction when they conduct an online search, they just pay for the information with their data instead of money. It is still a transaction, but the currency is your personal information. It is even more important as we move into the IoT that people understand these transactions are happening, that they make a decision to participate.
Right now, I don’t believe that people think about these transactions. That’s one thing I’d like to change.
Very few people — less than one percent of the population — understand what’s going on behind the curtain. Apple is on one end of the spectrum with their belief in privacy protection and Google is on the other, saying, “Here’s a service, I want to mine your data.” The reality for most of our interactions lies somewhere in between: I want a service and will share my data, but you need to ensure me that you won’t surrender my privacy, leak or share my information.
We also have a right to be forgotten. That doesn’t mean only what someone posted online. It has to go deeper.
If I live in a connected house, that house will garner my personal footprint — when I leave in the morning for work, when I switch on the lights, when I open my curtains, when I go to work, what I eat, how often I do my laundry, and more. So, what happens to the data when I sell the house? Does it go with me to my new house? Who has access to it?
The IoT is a fantastic thing and will enable huge amounts of innovation. But, to avoid the Orwellian risks we must be certain we are in control of own data and destinies.
In Western democracy we have some legal protections. This is not the case in all counties, for example, what happens in China, in Saudi Arabia, or North Korea? Even in Western democracies the ability to track and connect data can leave someone vulnerable. What happens when someone is living with an abusive partner? Their partner can monitor when they leave the house, when they are at work, in fact every movement they take any time of day. How can they ever get free?
The movement I want to inspire is in part around privacy, but it’s also around the transactions that form and inform us as we move forward. It’s about being consciously aware of each transaction we make and its potential long-term impacts.
Can you please give us your favorite “Life Lesson Quote”? Can you share how that was relevant to you in your life?
I have two favorites, an ancient one and a modern one.
Socrates: “The only true wisdom is knowing you know nothing.”
I feel this is very true today. There is so much going on behind the curtain. How much do I know about what Google or Amazon or my bank, for example, knows about where I spend money, how I spend my free time, and so on? The reality is we don’t know enough about what is happening and we probably never will. This is why we need to have security legislation and frameworks.
Winston Churchill: “It’s no use saying you’re doing your best, you have to succeed at doing what is necessary.”
This is true of startups. Doing your best not enough if you aren’t making deadlines. You just have to make it happen. That’s the difference between a successful entrepreneur and someone who is playing. It’s going to be painful at times, but you have to deliver. That’s the only way you’ll be successful.
Some very well known VCs read this column. If you had 60 seconds to make a pitch to a VC, what would you say? He or she might just see this if we tag them.
Security is the foundation of all value. If you cannot secure it, you are giving it away. In a world which is moving to value being based on services, and brand identity, you have to protect the services you deliver and your brand value. If you can’t your competition will be able to copy you, compete with you, and ultimately put you out of business. Security has to be done right. Security has to be done from the point of inception.
How can our readers follow you on social media?
The Future is Now: “Security From Inception” With Haydn Povey of IAR Systems was originally published in Authority Magazine on Medium, where people are continuing the conversation by highlighting and responding to this story.