Crossing the Cybersecurity Poverty Line

In times of economic instability, the cybersecurity poverty line becomes ever thicker. Dan Raywood takes a look at what it is and offers economically viable advice for cash-strapped businesses on how to stay secure

The term ‘cybersecurity poverty line’ was initially conceived by Wendy Nather, then research director for security within 451 Research’s Enterprise Security Program and now head of advisory CISOs at Cisco. The concept behind the term is that there is a metaphorical line which divides those who can put measures in place to achieve a mature security posture and those who cannot. Let’s simplify this further: some businesses can afford to secure themselves, and some can’t.

According to the Atlantic Council, the term “principally refers to organisations that struggle with security usually because of insufficient IT budget, expertise, capability, or influence.” Naturally, this would likely apply more commonly to smaller businesses where there is a reduced budget for security technologies and staff and less finance to ensure training for staff and technology updates.

Of course, large enterprises are not immune by default. Those with low margins are also vulnerable to falling below the cyber poverty line, including those where safety considerations far outweigh those for security. For example, one former retail CISO pointed out that for their stores, the company would prioritise ensuring fittings are safe and not going to fall on someone’s head, rather than invest in cybersecurity technology.

Brian Honan, CEO of BH Consulting, says that the danger of being below the cyber poverty line means you are beneath a certain security baseline, which many companies are, and therefore “more likely to have a security breach.”

 A line to be crossed

In a keynote address delivered at a cybersecurity event in 2022, Nather told a story of how she went from the role of chief information security officer (CISO) at a Swiss bank, where she had a large budget, to a similar position at the Texas Education Agency, where her request for $2,000 (£1,622) funding was refused entirely. She says that in this situation, “so many dynamics come into play where an organisation cannot effectively protect itself.”

Speaking to Assured, Nather argues that the cyber poverty line is still very much a ‘thing’ and isn’t yet understood enough to be adequately addressed. “More and more, the cyber poverty line affects us all, and we’re starting to recognise it. Deciding what to do about it is the problem,” she argues.

“The cyber poverty line affects us all, and we’re starting to recognise it. Deciding what to do about it is the problem” Wendy Nather

Nather contends that the majority of those working in cybersecurity operations believe they do not have enough budget for their needs and that there’s a qualitative difference depending on what they do and which vertical they operate in.

“If you are working for a convenience chain with one percent profit and need to secure a whole network with geographically distributed sites but with no one on-site, you’re trapped by controls,” she says. “It is not that organisations are lazy or stupid or cruel, or anything external people ascribe to them, but there are some things you cannot do. It is a complex problem.”

James Packer is a security practitioner and Top 100 IT leader. He says he is “yet to work for a company who say they can’t do something because of budget” but admits that he is also yet to work for one where they have got everything they need. “As security teams cannot predict what is coming next, they often don’t know what they need.”

Larger companies deemed to “take security seriously” are also larger targets for cyber attackers. Conversely, smaller companies, adds Packer, are unlikely to have security as such a priority “so it [security investment] is negligible.”

When considering the things that might make businesses loosen the security purse strings, headline-grabbing security incidents like the WannaCry ransomware attack (Remember when the NHS systems were taken offline?) from 2017 can be a driver for more budget. However, Packer says CEOs “are way more focused on insider threat and data loss than systems being down”, adding that regulatory fines are more of a concern.

Nather says that for most companies, the peak of hiring cybersecurity team members and approving increased security budgets comes within 18 months post-breach. Beyond that, she says, companies will start reducing staff levels to once again trim costs. In an ideal world, she argues, you’d be able to add additional staff and resources to deal with each incident. However, the reality is that no company can predict when security incidents will occur, and thus you need suitable layers of defence all the time.

“CEOs are way more focused on insider threat and data loss than systems being down” James Packer 

Attributing a monetary value to the cost of being secure is challenging, to say the least. Nather explains that it’s hard to know what security actually costs, so determining a specific amount to spend to ensure you’re cyber safe and above the cyber poverty line is arguably impossible.

Small budget, big challenge

So, what is best practice for an organisation with a smaller budget to haul itself over the cyber poverty line? Packer indicates that working with a managed service provider is one potential answer. The ability to lean on that partner for IT support and advice can be invaluable, he says.

Nather says that if a company is fortunate enough to have a modernised infrastructure that is cloud-based and centralised, “you statistically have the best chance of reporting security outcomes and a good security refresh practice.”

She adds that security-poor organisations require a helping hand to “modernise legacy security infrastructure” and set them up for more success in security. “It’s not an express lane, it will take time,” she contends. Likewise, Packer says security tools are commonly built into Office 365 and more available than most users realise.

Advice like “do more patching” doesn’t get you very far if your “scanner is so old it cannot hold any more patches,” says Nather. Instead, she recommends looking for an easier architecture for users to update and maintain. “If it’s modern and centralised in the cloud, the easier it is to get positive outcomes,” she says.

“It is easy to say ‘use this tech’, but I prefer to say ‘set up processes for better IT management’”.

As Atlantic Council says, escaping cyber poverty is more complicated than just securing funding. “The required system transitions can be prohibitively complex—even with assured resources—and knowing how to deploy funding is not straightforward.”

Despite changing global factors, the cyber poverty line exists, and many businesses consider themselves below the line. Potentially more concerning is that many CEOs and senior staff don’t consider the line at all, and frankly, may not know it even exists.

CEOs often assume that the simple act of assigning the reins for cybersecurity to a dedicated staff member places them above the cyber poverty line. However, if you ask a CISO where they sit in relation to the line, you’re likely to hear that they deem themselves below it, often due to the belief that they could use more budget.

So what’s the solution here? Nather suggests that there could be some sort of “Cyber Peace Corps, where people step in and do cybersecurity [pro bono],” but as Atlantic Council said: “Simply providing money or free expertise does not necessarily address poor technological designs, poor market incentives, misaligned sociocultural attitudes towards security, or other barriers.”

For a more secure world, we need to empower more organisations to climb over the cyber poverty line and away from the challenges it brings.