June 15, 2026
The article argues that firmware has become a major but often overlooked enterprise security weakness as attackers increasingly move below the operating system layer. While organizations have invested heavily in endpoint, identity, cloud, network, and application security, many still lack visibility into the embedded code running in devices such as BMCs, IoT equipment, medical systems, industrial controllers, and office hardware. The article warns that firmware is frequently outside the CISO’s traditional remit, poorly covered by standard scanning tools, and often not inventoried or patched with clear ownership.
It recommends that CISOs bring firmware into the audit perimeter by starting with device inventories and software bills of materials, then reviewing controls such as secure boot, signed updates, rollback protection, disabled debug interfaces, memory safety, cryptographic implementation, and exposed network services. The article also explains that existing frameworks, including NIST SP 800-193, NIST SP 800-147, IEC 62443, IEC 62304, and ETSI EN 303 645, can help translate firmware findings into board-level and regulatory language. Its broader message is that firmware security no longer belongs only to engineering teams, because connected devices, long hardware lifecycles, supply-chain exposure, and regulatory pressure have made embedded code a strategic cybersecurity risk.
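As an added illustration of two of the controls listed above, signed updates and rollback protection, the following Go model shows what a device-side update check has to do; it is not code from the article or from Cyber Management Alliance, and the image layout, the pinned vendor key and the monotonic counter are constructed assumptions standing in for a real bootloader and its hardware-backed storage.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// FirmwareImage is a constructed, minimal update container: version counter, payload,
// and a detached Ed25519 signature over (version || payload), so the version is bound.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("firmware rejected: signature invalid")
var ErrRollback = errors.New("firmware rejected: version below anti-rollback counter")

// signedBytes is the exact byte string the vendor signs and the device verifies.
func signedBytes(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// SignImage is the vendor-side (build system) step: sign (version || payload).
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{Version: version, Payload: payload, Signature: ed25519.Sign(priv, signedBytes(version, payload))}
}

// Updater models the device: a pinned vendor public key plus a monotonic
// counter standing in for hardware-backed anti-rollback storage.
type Updater struct {
	VendorKey  ed25519.PublicKey
	MinVersion uint32
}

// Apply accepts an image only if it is authentic and not a downgrade, then advances the
// counter. Signature first: a version field from an unverified image must never be trusted.
func (u *Updater) Apply(img FirmwareImage) error {
	if !ed25519.Verify(u.VendorKey, signedBytes(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version < u.MinVersion {
		return ErrRollback
	}
	u.MinVersion = img.Version
	return nil
}
```

Because the version is inside the signed bytes, re-labelling an old signed image with a higher version fails the signature check rather than the rollback check, which is why the two controls are reviewed together.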
Source: Cyber Management Alliance