IoT devices are a normal part of business and personal life. In enterprises, it is estimated that there are between six and 10 IoT devices for each employee, ranging from long-standing devices, such as printers and cameras, and industry-specific devices like warehouse scanners and medical infusion pumps to modern air quality monitors and soil moisture sensors. Because these devices often have limited resources and localized security functions, protecting these devices has been a low priority, and these devices were deployed throughout the enterprise infrastructure. The Mirai botnet in 2016 was the first broad-scale cyberattack that compromised IoT devices and leveraged the compromised devices to launch a massive distributed-denial-of-service attack. Since then, organizations have made protecting these IoT devices a higher priority, and vendor solutions have emerged to address these needs.

We just completed our inaugural Forrester Wave™ on IoT security solutions for the enterprise. This Wave included customer reference interviews, executive briefings, and IoT security solution vendor demos, identifying these three trends:

  1. Asset discovery is only one of the core functions of an effective solution. Few security leaders can say with certainty that they have a complete picture of all the devices within their organization. One Wave customer reference told us they had discovered over 2 million devices and were certain that there were still more unaccounted devices. Discovering IoT devices across your organization, properly identifying them, defining the communication flows, categorizing the devices effectively, and uncovering the device’s security is simply one step in addressing IoT security effectively. Security leaders need a complete security platform that starts with discovery but also provides the tools to establish security processes that protect them from compromise.
  2. Addressing vulnerabilities and risks is hand-in-hand work. Every device, no matter the age, no matter the size, no matter the OS or firmware, will have vulnerabilities within them. For IoT devices, remediating vulnerabilities is more difficult, as no two device models handle addressing vulnerabilities the same, nevermind different device classes. And for certain devices, you can’t even deploy updates or patches because the devices have passed their end-of-support date. These vulnerabilities create risks for your overall infrastructure configurations, your IoT infrastructure, and your business. Effective IoT security solutions provide analysts with the tools to understand the vulnerabilities within their deployed IoT devices, expose the risks facing the enterprise within the IoT environment, and deliver resolutions and mitigations to address the vulnerabilities, thereby improving the overall security posture of the infrastructure.
  3. Protecting IoT devices from threats is no longer relegated to your edge equipment. Asset discovery, device vulnerability and risk management, and network segmentation are all key components of IoT security solutions, but the effectiveness of those functions improves if the solution also understands the threats that are targeting your IoT infrastructure and current malicious activity. Modern IoT security solutions are monitoring threat data, generally on the network, but are expanding to do this locally on devices and providing options for security analysts to make access adjustments (manually or automated) as the risk posture of the devices change. As we discussed in The Future Of IoT Security report, AI is starting to be utilized in these threat management functions based on known good behavioral analytics collected through the solution.

I encourage Forrester customers to read The Forrester Wave™: IoT Security Solutions, Q3 2025. If you are interested in learning more about IoT security solution providers, the people and processes supporting them, or IoT security in general, please schedule an inquiry or guidance session with me.