"We can't Change it Overnight": Understanding Industry Perspectives on IoT Product Security Compliance and Certification

Regulators and standards bodies have recently proposed several security compliance initiatives for IoT products. These emerging standards and regulations seek to bring security assurance to IoT products by way of compliance certification. However, even certified IoT products exhibit common vulnerabilities, which suggests the presence of latent challenges in the certification ecosystem. This paper performs the first qualitative, interview-based study (n=17) with IoT practitioners to understand industry perspectives and experiences of IoT product security certification, in order to uncover the latent factors and challenges obstructing effective IoT product certification. Our reflexive thematic analysis of the interview transcripts leads to 16 key findings that uncover critical factors affecting compliance enforcement in practice. We distill these findings and our observations into 4 major themes which represent critical gaps that must be addressed for product certification to be viable for IoT.