The Great CSO & CISO Challenge

There is said to be an ancient Chinese curse that goes, “May you live in interesting times.” Well, we have all been cursed. According to the Spiceworks 2016 IoT Trends, about 90 percent of those in corporate IT positions asked said, IoT would result in security and privacy issues in the workplace. In addition, the study found that 84 percent believed new network entry points were the most concerning issue related to all of the IoT connected devices. Some 70 percent also believed that some IoT manufacturers were not taking security seriously enough when developing hardware. That paints a very clear and troubling picture of what every CSO and CISO is about to experience and have to deal with.

Given all that current information, CSOs and CISOs must discover the plethora of devices that are connecting to their networks and quickly move to assess the proper level of security needed to protect the device as well as the data the device generates. Now for the difficult part. While that should be done before the device connects, that probably won’t happen. So that means the detection, assessment and security action must take place in near-real time. Every second that device and the data it generates is not properly protected increases the risk of compromise. We are all too familiar with what happens at that point.

Stop and think for a moment about the big picture. That picture includes 50 to 200 billion devices in the next 4 to 7 years. One CSO put it well, “Today, I have a total of 1763 doors (aka direct connections) to the Internet. Based on what I am told our IoT strategy is and what it includes, that is likely to need a zero added to the end (17,630).” Yes, that is a ten-fold increase in that organization’s cyberattack surface area. Substantial implications are sure to accompany that kind of an increase.

Now, let’s look at the data that all those IoT devices are likely to generate. I am told that it is nearly impossible to estimate the average amount of data all those devices will generate, but many say that it will be a substantial part of the “zettabytes” (1 000 000 000 000 000 000 000 bytes) or “yettabytes” (1 000 000 000 000 000 000 bytes) of internet data expected in the same 4 to 7 years. The issue does not stop there. What about all the new equipment (storage and processing) and people that will be needed to design, develop, test, implement, operate, analyze and maintain all those resources.

I am sure now you get a feel for the size of the challenge that awaits all of us. Looking at that challenge we must begin immediately to look at this and analyze how our organizations are likely to be impacted by all of this and put together our strategies to deal with it. There are those that firmly believe we are already too late or at lease behind the curve. I would go out on a limb and suggest that the vast majority of us do not have ANY of this in our budget projections for the next couple of years. Now for the real shocking stat. Gartner has stated that they believe to address the new security challenges related to the Internet of Things will increase security costs from less than 1 per cent today of annual security budgets to 20 per cent by 2020. This has to be concerning to every CSO and CISO. By all accounts, budgets are already tight. Going to management and asking for an increase of this magnitude will surely be met with significant resistance. I would recommend the following three steps to help ease the shock.

1. Team with technology and business strategy groups and brief management at all levels you can about what IoT is all about and the number of opportunities it will create for your organization.
2. Regularly update them on critical IoT metrics so they get a firm feel for the rapid growth and advancement.
3. Team with technology and business strategy groups and create a map that graphically depicts an incremental approach to IoT within your organization.

Once they understand the IoT movement, what it means to their organization, at that point you can deliver the security costs. So My recommendation is to include the proposed security estimate along with step 3 or shortly thereafter. Clearly this is something you need to prepare your organization for!