CIOs Spend a Third of Their Time On Security

StewBeans writes: Much has been discussed about the potential security risks of an Internet of Things future in which billions of devices and machines are all talking to each other automatically. But the IoT market is exploding at a breakneck pace, leaving all companies scrambling to figure out the security piece of the puzzle now, before it's too late. In fact, some experts believe this issue will be what separates the winners from the losers, as security concerns either stop companies from getting into the IoT market, or delay existing IoT projects and leave the door open to swifter competition. That's likely why, according to CIO Magazine's annual survey, CIOs are spending a third of their time on security. Adam Dennison from CIO said, "If IT leaders want to embrace the sexy, new technologies they are hearing about today—the SMAC stack, third platform, Internet of Things, etc—security is going to be upfront and at the center of the discussion."

One third of their time?

[NotQuiteReal]

Is that more or less than the percentage spend on porn?

Re:One third of their time?

[davester666]

Wrong security. It's on dealing with security guards, creating plans for escorting people to the exits, while hiring H1Bs and/or people overseas, as well as physical building security, and personal security for executives, because sometimes the riff-raff get uppity.

Already solved

[Jack+Griffin]

I'm already using the most robust security model for the Internet of Things. I call it Things. My fridge doens't need an internet connection, nor does my light switch. My Smart TV thinks it does, but based on recent information I am in the process of removing that privelege.
I think the difference between the winners and losers will be the CIO's that don't feel the urge to jump onto flavour of the month hype and connect everything to the Internet.
The entire concept breaks the first rule of Engineering. Keep it fucking simple you fucking fucktards.

Re:Already solved

My fridge doens't need an internet connection, nor does my light switch.

You're quite correct, it doesn't.

But you will buy and use an internet connected fridge and lightswitch and garage door opener anyway. Wanna know why?

Because eventually you will need a new fridge, lightswitch, and garage door opener, and the only models sold will be IoT models. "I"ll just not connect them", you think. But they will refuse to operate if they can't phone home. We're already seeing the start of this trend today.

Either you will go without a fridge, or you will use a connected IoT fridge with a software stack you are given no control over or ability to replace.

Re:Already solved

[AHuxley]

+1 Sneaker net anything needed to the smart TV. Use the functions offered per file but keep it away from any networking. If networking is needed, do it with a device that only works well for its own network, brand and then unplug. Too many devices phone home over years of usage.

Re:Already solved

[geekmux]

I'm already using the most robust security model for the Internet of Things. I call it Things. My fridge doens't need an internet connection, nor does my light switch. My Smart TV thinks it does, but based on recent information I am in the process of removing that privelege. I think the difference between the winners and losers will be the CIO's that don't feel the urge to jump onto flavour of the month hype and connect everything to the Internet. The entire concept breaks the first rule of Engineering. Keep it fucking simple you fucking fucktards.

They will keep it fucking simple. As a consumer in the near future, you will no longer have the privilege of "removing" said privilege, so you won't have to worry about "options" anymore. You will either connect your IoT device properly and never be offline, or the device will not fucking work.

They will also keep it fucking simple by not worrying about any of that complex security bullshit, because there will be no security.

Our future is rather fucked when it comes to security, but really, it's no different than today.

No different.

Re:Already solved

[lucm]

time spent on security management jumped from 24 percent in 2014 to 31 percent in 2015.

Wow! 24% of their time WAS spent on "security" and yet we read about breach after breach after breach. I'm sure that adding those additional 6 percentage points will make all the difference.

I guess the missing 1% in your calculations got lost in one of those breaches you keep reading about

Re: Already solved

[Zero__Kelvin]

"Just like you can go buy a car from the 60s, you can continue to buy old fridges and pay for maintenance if needed."

Just as very, very few people do that (and indeed if many people wanted to they couldn't because there simply aren't that many in supply) very few people will do so with refrigerators. As you point out, it costs a lot of money to go that route as well, so again, very few people will be able to do it. I don't think this is a bad thing. I also can't easily acquire a TI/99-4A and cassette tape drive to develop software with, but I'm totally OK with that :-)

Re:Already solved

[Zero__Kelvin]

"I think the difference between the winners and losers will be the CIO's that don't feel the urge to jump onto flavour of the month hype and connect everything to the Internet."

"You mean the ones that still hand out Blackberrys?"

You seem to have confused avoiding the urge to jump onto the flavour of the month with being an out of touch dinosaur.

Re:Already solved

[roca]

It turns out that you do not need to connect a fridge to the Internet for it to do its job well. Internet connection might make certain activities slightly more convenient ... at the cost of an increase in hidden complexity that you'll pay for down the line, e.g. when your fridge is recruited to a botnet.

A horse is actually far more complicated and difficult to maintain than a car, so that analogy fails. Cramming cars with needless gadgetry is indeed making them dangerously complex and we're going to pay for that later.

Re:Already solved

[Zero__Kelvin]

"A horse is actually far more complicated and difficult to maintain than a car, so that analogy fails. "

But it wasn't simpler to "create", at least for us humans. I also totally disagree that a horse is more difficult to maintain; you just have somebody else do the hard part for a fee, unless you are telling me you rebuild your own engines and own horses, I call bullshit on your claim (one can as easily outsource horse maintenance, and car maintenance is far more complicated.

"Cramming cars with needless gadgetry is indeed making them dangerously complex and we're going to reap the benefits of that later."

FTFY. All gadgetry is needless gadgetry. Even if you were born 20 years ago, you have to at least heard rumors that humans survived without 99% of the gadgetry we all rely on today. We rely on all the gadgetry because it improves our quality of life, and the gadgetry added will further do so, or people won't buy it. It's called the free market.

Re:Already solved

[Zontar+The+Mindless]

I'm glad you can spot a typo and feel smug about it whilst completely ignoring the content of the message. Oh well, at least you didn't get your knickers in a knot over "flavour", so perhaps there's hope for you.

Back on topic--I'm already on record as not being particularly anxious to connect my stove to the Internet, have it fall under control of the first trojan or script kiddie that comes along one step (I'm being generous here) ahead of any security updates (now I'm being even more generous), and come home to a tempting dinner of roast flat, thanks very much.

One wonders how long it'll be before the insurance companies add questions about your home's IOT status along with the standard ones about having locks on all doors/windows and such. I have a hunch that telling them you're full-on IOT is not going to reduce your premiums.

(FYI, not all spell-checkers are created the same. For example, mine really wants me to capitalise "trojan".)

Re:Already solved

[Zontar+The+Mindless]

You still have to feed a horse, even if you don't plan to ride him anywhere today.

And I think that "avoid unnecessary complexity" and "avoid unnecessary dependencies" are good rules for engineers to follow, even if you don't.

Re:Already solved

[Zero__Kelvin]

You truly are mindless. I never suggested that that "avoid unnecessary complexity" and "avoid unnecessary dependencies" are not good rules for engineers to follow. That isn't what was said. The non-rule I contradicted was ". Keep it fucking simple you fucking fucktards.", which is an entirely different thing. Of course, everything we develop is technically "unnecessary complexity" so it really comes down to what you mean by "unnecessary", and matters of degrees. Now off you go ...

Re: Already solved

[Iamthecheese]

Where there is demand, capitalism supplies. Quite simply if enough people want a refrigerator that doesn't phone home, someone will sell such refrigerators.

Re: Already solved

[TheRaven64]

I bought a new fridge about 5 years ago. I moved house and worked out that the difference in power consumption between the old fridge I had and the new one that I bought meant that the new fridge paid for itself in 2-3 years. Newer utilities are significantly lower power than ones from even the '80s and '90s. I bet that the next set of low-operating-cost white goods will all have some kind of Internet-related insecurity as standard.

Re:Already solved

[FAB10]

It's much better to KISS. KIFSUFF is overcomplicated.

Re: Already solved

[Zero__Kelvin]

Agreed. Of course, enough people won't want that anymore than enough people want Wordstar on DOS today.

Re:Already solved

[roca]

Horses need to be fed, watered, cleaned-up after, and groomed. They sometimes get sick with a huge variety of different ailments, which need to be cured in lots of different ways --- you can't just swap in a new part. They have personalities and moods. They grow, get old and die. Outsourcing all that is not really practical because most of it happens where they're stabled; if you outsource that then it's comparable to a taxi, not a personally owned car.

Some gadgetry gives much better cost-benefit than others. ABS braking seems like a high payoff. General-purpose OS running an entertainment system connected to the CAN bus, not so much.

Re:Already solved

[Zero__Kelvin]

Cars need to be fed / watered (gasoline), cleaned-up after (they get dirty), and groomed (maintained with regular checkups at the garage.) They sometimes break down for a variety of different reasons. You can't always just "swap in a new part", and even when you can it is often cost prohibitive. I could go on, but the point is clear. For every claim you can make about the cost and effort of using the horse, I can draw a parallel to the car.

Re:Already solved

[Jack+Griffin]

Yes, and I have the most secure home on the planet because I'm homeless!

But that isn't secure. A homeless person suffers more illness, diseases, assault and death than people who own their own homes. If you are going to make a point try and make one that actually makes sense.

You also don't need a toilet as you can shit in a bucket. It's simpler. You do shit in a bucket right? Tell me you don't violate your own principle on a daily basis!

Again, functioning plumbing is relatively simple ( I have a 70 year old house with mostly original plumbing that still works. Please show me a computer with the same record), and it a lot simpler than a bucket and water that has to be refilled and dumped each time. It is also much cleaner making me more secure from disease and discomfort. Again your poorly though-out analogy fails.

That isn't even close to a rule of engineering at all. Can you imagine if it was?

Hand in your geek card

Engineering VP: "So Johnson, how are you going to design a system that will get us to the moon?". Johnson: "I don't know boss, but unless I can find a simple way to do it, I'm not going to bother! That would violate the first rule of Engineering!"

Yet more stupid analogies that don't actually work. Simple means the simplest solution to get the job done. ie a Fridge is a sealed box, with a door and a compressor. It's simple, it works. Why the fuck do I now need to add a TV and Internet connection?

Re:Already solved

[Jack+Griffin]

All gadgetry is needless gadgetry.

I take it you've never been to a hospital...

Re:Already solved

[Jack+Griffin]

The non-rule I contradicted was ". Keep it fucking simple you fucking fucktards.", which is an entirely different thing.

No it isn't. That was my creative paraphrasing of the well understood principle of Keep It Simple Stupid (KISS). If you haven't heard of this before then you need to hand in your geek card now.

Re:Already solved

[Jack+Griffin]

For every claim you can make about the cost and effort of using the horse, I can draw a parallel to the car.

The car is cheaper and easier, and does more for less effort which is why people choose cars over horses.
Samsung make a Internet enabled fridge right now, today. How many people do you know that choose this IoT version over the simplified version?

Re:Already solved

[Zero__Kelvin]

Don't you think that is a pretty frigging stupid question? How about, how many have they sold? That is a meaningful metric. Your just insisting someone come up with an answer that can't be found. Nobody could possible know how many had the opportunity and turned it down.

Re:Already solved

[Zero__Kelvin]

KISS has it's place, but is by no means the number 1 rule.

Re:Already solved

[Jack+Griffin]

Nobody could possible know how many had the opportunity and turned it down.

Er, can't you just ask them? Seriously, next time you're out for drinks, at a BBQ, or around the water cooler at work, ask your friends who thinks an Internet Fridge is something they're thinking about buying.

Re:Really?

[Darinbob]

It seems CIOs spend 10% of their time actually working, the rest of the time they're shmoozing with all the other entitled execs.

spend 1/3 stock price

[turkeydance]

2/3 on anything else except security.

Re:Not true - some spend no time at all

Where Im at they solved the problem by

1) Outsourcing security to a 3rd party vendor.
2) Giving everyone in security full admin rights on all the servers and network equipment.

When he was asked Why? He responded that by doing so, if anything happens, it is the 3rd party vendor who is to blame and not him.

So we have security through "It's not may fault"

This time will be DIFFERENT!

[khasim]

And we really, really mean it this time! Security all the way!

No. It won't be different. And they do NOT spend 1/3 of their time on security.

Most of them don't even know what security is. Or why you cannot buy it. It's just another item on a checklist for them.

Re:This time will be DIFFERENT!

[Tablizer]

And they do NOT spend 1/3 of their time on security. Most of them don't even know what security is.

Those are not necessarily mutually exclusive. They could spend 1/3 of their time going, "duuhh, why is my ass posted on Facebook?"

Easy answer

[penguinoid]

If the CIO of an Internet of Things company is spending 1/3 of their time thinking about security, yet is still so incompetent... maybe they would be better off paying 1/3 of a CIO's salary to a random slashdotter for 5 minutes of their time.

Of course, no matter how long they take thinking about security, they're still going to sacrifice security for usability every time, so I don't know what purpose thinking about it has.

Re:Easy answer

[lucm]

It's tough being a CIO. He looks like he's up there, but the CEO, CFO, COO and all other cool CxOs all look down on the CIO and make fun of him in his back, they don't even invite him to join them at the cool people's table at the office Christmas party. He sits at the loser table, with the head of HR and the head of facilities, and instead of hearing the good stories about coke parties and hookers, he hears about groupons and vacations in Punta Cana.

People, give a break to your CIO. He's a reject and a commodity like everyone else in IT, and sooner or later they'll replace him with someone from that Indian company where he outsourced your job.

Re:Easy answer

[Zero__Kelvin]

" they're still going to sacrifice security for usability every time"

One could reasonably categorize a security professionals job as sacrificing security for usability, but deciding exactly how to best do that and still cover as much of the security landscape as possible.

Re:Easy answer

[Buchenskjoll]

Me, me! I'm Random Slashdotter...

It's a survey: answers are what we want to hear

[davecb]

If I was surveyed (and I have been), I'll report what I worry about the most. That may or may not be what I actually get to spend time on. If I was a politician (and I'm not), I'd strictly answer what the questioner wants me to worry about the most.

Re:It's a survey: answers are what we want to hear

[lucm]

I stopped trusting surveys after watching a few episodes of Family Feud.

CIOs will be rewarded for getting security wrong

[roca]

Many CIOs will dive head-first into IoT, get a lot of good PR, stock prices will rise and they'll be rewarded. Then their companies will discover the IoT security nightmare, get lots of bad PR, stock prices will sink and the CIOs will blame it on someone else. Result: happy CIOs and IoT vendors and an absolute disaster for everybody else.

CUt back on extra features...

[matbury]

I believe in better security by cutting back on extra, unnecessary features; all they do is provide more surfaces for finding vulnerabilities. I recently bought an IoT washing machine and have stripped back the extra features, like wash, rinse, and spin cycles, so that all it does is send SPAM messages and participate in DDoS attacks.

There ya go

[kelemvor4]

If CIO's are only spending one third of the time, it's obvious why things are so insecure in general. Pffft.

Re:There ya go

[Zero__Kelvin]

How much time do you expect them to spend. I would say 1/3 is pretty damn good, and if you don't then you probably have little experience with executives and their responsibilities. I don't actually believe they are spending that much time on it, but if they are it is a pretty damn good number.

1/3rd?

[Ol+Olsoc]

Oh CIO - as the inexorable IoT takes over the intertoobz - you will fondly look back on the days when only 1/3rd of your time was spent on security. Just wait until the CEO calls because his Android penis pump won't shut off because a rival company hacked it.

except those who quit after breaches

And particularly those who said Windows is unsecurable. I remember the days when UNIX ruled the business landscape, was on the Internet, and generally a medium sized shop could use a large UNIX box and run all services with 99.9???% uptime. Was stunned people believed Microsoft and tried replacing the UNIX boxes with a single or a few Windows NT boxes. Laughed when I heard how NT apps would crash the whole OS and so all the other services/apps so they started putting one service/app on a Windows NT server. ROFLMAO hearing how they then doubled those numbers to try and get close to 99% reliability with these redundant servers. There is a _great_ snake oil salesman out there going by the initials Bill Gates.

Re:Really?

Shmoozing with other execs, both within their company and outside it, is a very large part of the job description.

Security is not a priority. Never has been.

[geekmux]

"...leaving all companies scrambling to figure out the security piece of the puzzle now, before it's too late."

This statement is made as if companies themselves do not control the design and development of their own damn products. The simple fact is they do, and they'll either choose to do the right thing and prioritize security, or they'll choose to do the greedy thing and rush to market.

Of course, we all already know what they will choose. Otherwise we wouldn't be having this discussion.

"...security is going to be upfront and at the center of the discussion."

Might as well stop throwing this kind of bullshit around until you look back through consumer-throwaway-product history and try and find where the hell they ever brought security to the center of the discussion.

As I said before, we already know what greedy capitalists and their investors will choose.

CIO time on security not related to IOT

[Tony+Isaac]

Sure, CIOs (should) spend a lot of time on security. But it has almost nothing to do with the "Internet of Things." The refrigerators at the office may be a security risk, but it has more to do with food security, than network security!

Which Is To Say

[Greyfox]

A third if their time coming up with new corporate password rules, a third of their time architecting the Citrix solution that is going to propel the company into the brave future of 1998 and a third of their time requiring their employees to get training on whatever the bandwagon buzzword of the month is (This quarter it's Rally/Agile/Scrum.) You know, honestly, the company would be a lot better off if a freak software error caused that guy to fall down an elevator shaft.

Re:Which Is To Say

[dbIII]

architecting the Citrix solution that is going to propel the company into the brave future of 1998

Don't knock it, many software developers haven't made it to where they should have been in 1998. We're still knee deep in 32bit single threaded applications. Fortunately most applications no longer need admin rights to run so at least they've made it to 1992.

A ol' fogie's view

[Tablizer]

As much as it's proven orgs are overall lax on security, security concerns do complicate IT greatly. It used to be a lot easier to "hook things up": different servers and boxes all talking to each other doing a different part of the job.

Now it requires diddling with black boxes because nothing exposes helpful info about what it is in the name of security.

Perhaps if "they" designed systems right, things would be easier, but humans are imperfect and build imperfect things. An appeal to idealism falls flat.

These extra layers and precautions are "job security" such that perhaps I shouldn't complain, but I miss the days where it was easy to connect different things in an almost Lego and Tinkertoy way to get results fast. Now the Tinkertoys always ask, "Hark, who goes there?" I don't like red tape.

Kids even need a password to get OFF my lawn.

Re:Not mine!

[lucm]

do you work at Apple?

Re:Really?

[MyAlternateID]

Shmoozing with other execs, both within their company and outside it, is a very large part of the job description.

Yes. From a sane viewpoint this is called cronyism, but in the current business environment this is called "networking".

Re:Security is not a priority. Never has been.

[Zero__Kelvin]

"This statement is made as if companies themselves do not control the design and development of their own damn products. The simple fact is they do, and they'll either choose to do the right thing and prioritize security, or they'll choose to do the greedy thing and rush to market."

Companies don't controll other companies development, and therein lies the problem.

You speak as if security and time to market are mutually exclusive polar opposites, but they aren't. You furthermore speak in terms of a single company, rather than a hierarchical array of companies interacting, which is what we really have. The fact is that every company will make a trade off - time to market vs. security out the door (and how much will be added/improved with updates later.) Some will make better choices than others, and each companies choice may have an impact on other companies in the same market. The first to market will likely not be the one that wins in the long run if history is any guide. It will be something like the first (or second, or third) company to make the right choices with regard to trade-offs and learn from the mistakes made by the trailblazers.

In the case of IoT security I have no doubt that many, many will try and very few will succeed. This is basically the pattern for all software products in my experience, but it will be on a grander scale as security will be a much more real issue than it has been in the past once things are involved.

Pretty obvious that is not nearly enough.

[EzInKy]

At least considering all the security breeches over the last couple of decades. Trust breeds trust.

Re:Pretty obvious that is not nearly enough.

[Zontar+The+Mindless]

Security breeches? So the folks at Levi's are getting in on the IOT bandwagon as well?

Re:Pretty obvious that is not nearly enough.

[EzInKy]

Bottom line in today's world, you just can't trust people who don't take security seriously. 99% of their time should be spent on keeping both themselves and their clients secure.

Re: Agreed: "Less is More = Good Engineering"

[nullchar]

If you could provide a rest api for the host file, many would appreciate it. The same many of us don't have the time to download a Windows package (which we don't use) and extract it.

The effort to curate a hosts file is extraordinate. Thank you for your generous time, but it doesn't help us.

Access Denied is Success

[jader3rd]

Remember, in security, Access Denied is success.

No, they do not

[WindBourne]

If they did, they would quit outsourcing. Seriously, when you outsource the code to another nation in which you are paying software engineers 8-10,000 / year, what do you think will happen which China or Russia offers one of them 100,000 to leave a back door in the code? Then once the black hats get on the system, they put in a new back door and remove the one that was put in the system so as to not point back to the original person.

If the CIOs at places like Target and Home Depot REALLY cared about Security, they would quit outsourcing to weak coders that make horrible money and are then easy targets for this.

Correction Re:A ol' fogie's view

[Tablizer]

Correction: "An ol'..."

Re: Correction Re:A ol' fogie's view

[Lije+Baley]

Don't worry, I'm sure the usage of "an" will soon be on the way out just like our dear, departed "are".

A totally pointless article ..

[nickweller]

A totally pointless article full of content-less quasi-technical sounding waffle ..

Re:Not true - some spend no time at all

[AK+Marc]

I've been there. The CIO golfs with the CEO. They fired everyone in the IT department except the CIO, and he repeated the mistake, but it hadn't blown up on him again by the time I'd left.

Re:Not true - some spend no time at all

Where I work the CIO spends no time at all on IT Security.

Makes sense. That's why there is the CISO. .. Or is there?

There is no security

[bankman]

Seriously, it's not even an afterthought. I have worked on a publicly funded research project covering smart home and living crap. While some of it may be interesting from a tinkering with stuff point of view, most of it is creepy surveillance type of shit, like smart metering. When I raised the question of security people stared blankly at me for a second or two and suggested that it wasn't a problem at all and if ever will be fixed later, maybe.

My point is, CIOs do not make relevant security decisions when it comes to product design. No one does. It's all about marketability and cost efficiency, security is neither because it is complex and costs a lot of money. And who care? Honestly, who cares about security? It's not the vendors and it's definitely not the consumers who constantly carry their rarely-if-ever-security-updated-listening-in-and-tracking-devices and provide the world with current information about the vacancy of their homes. So again, who cares? Eventually the insurance companies might care, when some cracker remotely burned down a kitchen or flooded a bathroom or two or ten thousand.

Re:Not true - some spend no time at all

[bigtomrodney]

The CISO is a much more recent office and typically reports to the CIO. By default the duties of the CISO have fallen to the CIO and only more recently in relative terms been parted out to the CISO.

Security vs Productivity

[140Mandak262Jamuna]

They spend 33% of their time in security. The spend the remaining 66% of the time making sure their developers can not do any legitimate work. They run stuff like Bit9 or real-time process whitelist etc and when it catches any build process that uses the same .Net API or MFC class header that was used in any malware their signatures match and the build process gets killed. Developers play this demolition derby testing whether their code changes and pull requests can get past all the hurdles thrown in by IT.

The motto of IT seems to be "Ironclad security is what we strive to deliver. If that reduces productivity to zero, it is not our problem."

Re:Wrong security

[Errol+backfiring]

I think they spend that much time on their job security.

Re:Really?

[ranton]

Shmoozing with other execs, both within their company and outside it, is a very large part of the job description.

Yes. From a sane viewpoint this is called cronyism, but in the current business environment this is called "networking".

I remember the moment in my 30's when I matured from someone who thought he was above politics to someone who realized no one is. I had been in the corporate world long enough to know that being capable of creating the best technical solution to a problem is not nearly as important as being able to persuade a company to enact those solutions. Not even close to as important.

Since then I have made sure that my career growth is as much on the business side as it is on the technical side of my industry. If I really felt my goal was to provide the most positive impact on companies I worked for, I needed to stop stubbornly thinking that being technically competent was my primary skill set. It is perfectly fine for an employee to decide they just don't want to venture from the technical aspect of their career, but that is a conscious decision to not be a significant decision maker.

Technically competent people do not enact change (or at least very rarely do). Those with the business acumen to shape policy within their organization enact change. Those people may or may not also be technically competent, but that is of secondary importance.

Re: Really?

[Lije+Baley]

The problem seems to be that too many people make that career decision too early and (here it comes) endeavor to drive the car without knowing what the wheel and pedals do, and what the rules of the road are.

Re:Not mine!

[lucm]

At least they stop paying

Re:Not true - some spend no time at all

[kmoser]

Where I work the CIO spends no time at all on IT Security.

Makes sense. That's why there is the CISO. .. Or is there?

I first read that as "CISCO". And it made perfect sense.