IoT devices have security issues because they’re built to be as cheap as possible. The hardware required to provide adequate security is expensive, large, and consumes a lot of power. IoT devices stay ‘in the field’ for a long time and the business model of most vendors does not incentivise them to produce security updates.
Produce a threat model and a risk analysis before you do anything else. Most devices do not need strong security.
Figure out what sort of hardware you have. This will dictate what security controls are available to you. The vast majority of IoT devices in the field are not capable of strong security.
The pinnacle of IoT security is the modern iPhone. By learning about its security measures, you will learn a lot about what is required to produce a secure IoT device. It’s difficult and expensive.
If your device controls something of value, you should assume that your device will be compromised. Plan accordingly. Design the device to minimise the impact of a breach.