As IoT devices move from simple sensors to critical infrastructure components controlling power, water, and industrial management, the "security by obscurity" mindset is no longer an option.
This article is based on a recent conversation on The IoT Show, featuring Window Snyder, CEO & Founder of Thistle Technologies. Snyder has seen the evolution of digital security from the front lines, with a résumé that includes securing OS X at Apple and serving as CSO at Intel and Square.
The discussion offers a point of view on why the embedded space has lagged behind general-purpose computing in security, the hidden costs of building your own defenses, and why the upcoming AI boom makes device resilience non-negotiable. Here are the most important takeaways.
A recurring theme in embedded development is the legacy mindset of the silo. Olivier Bloch noted that for years, embedded engineers didn’t have to worry about encryption because devices simply weren’t connected.
Window points out that this luxury no longer exists. We now take devices, attach them to physical systems, and connect them to the same networks as our servers. They have the same exposure and face the same threats, but often lack the defensive investment seen in general-purpose operating systems.
The gap wasn't caused by a lack of knowledge. "It wasn’t so much that we didn’t know what to do to secure these devices, we absolutely did," Snyder explains. "It simply was really hard to do." The diversity of hardware and the difficulty of implementation created a barrier where security was often sacrificed for speed.
When asked why companies struggle to secure devices, Window provides a reality check on the economics of engineering. Implementing a fundamental feature like Secure Boot isn't a weekend project; it can take an engineering team 18 months to two years to build, test, and deploy reliably.
"Key management is the core problem of pretty much every security problem, it’s an absolute nightmare," Snyder says.
This heavy lift forces companies into a difficult position: delay the product by two years to build plumbing, or ship with vulnerabilities. Thistle’s approach is to treat security as infrastructure – handling the "undifferentiated heavy lifting" of firmware signing, key management, and updates – so that device makers can skip the 18-month build cycle and get straight to deployment.
The conversation shifted to the hottest topic in tech: Edge AI. As companies move large, expensive models from the cloud to the edge, the security paradigm shifts from protecting code to protecting decisions.
In traditional deterministic systems, if the code is correct, the result is correct. In AI, the output is probabilistic. If you cannot verify that the model on the device is exactly what you deployed, you cannot trust the result.
Window highlights that once an AI model is deployed to the edge, "it is out of your control." Without robust encryption in storage and transit, and a secure boot process to validate the execution environment, your intellectual property and the integrity of the device's decisions are compromised.
Looking forward, the pressure isn't just technical; it’s legal. The European Cyber Resilience Act (CRA) is set to enforce strict security standards by 2027.
While this is a positive step for consumer safety, it poses a logistical crisis for manufacturers. If a security implementation takes two years to build in-house, companies that haven't started yet are already behind schedule. The market is moving toward solutions that can be integrated quickly, allowing teams to meet compliance deadlines without derailing their product roadmaps.
As Snyder puts it, the goal is to make it easy for teams to "leapfrog" the manual labor of security and get these capabilities in place before the regulations (and the attackers) catch up.