Why the Security Poverty Line Affects Us All—Even the Cyber Elite
High-profile cyberattacks and data exposures have become part of the world’s day-to-day noise and news cycles. While the big names dominate the headlines—Samsung, U-Haul, and TikTok (despite their denial)—smaller entities are working overtime to stave off increasingly vicious attacks. The rise in attacks, the increasing target types, and the growing number of those impacted indicate that cybersecurity is the most unstable it has ever been, widening the divide between those who are able to maintain a healthy security posture and those who aren’t.
Wendy Nather, head of advisory CISOs at Cisco, first introduced the concept of a security poverty line or SPL (also known as the cybersecurity poverty line or CPL) in 2011, suggesting that the ability to execute a healthy minimum standard of security divides organizations on either side of this line. Those that have specific capabilities and safeguards in place operate above the SPL, and those lacking them operate below it. Chris Krebs added the concept of a ‘cyber 1%’ in 2020, describing top performers who possess the most resources, capabilities, and tools needed to maintain an elite security posture.
As the threat landscape continues to grow more tumultuous and dangerous, a collective goal is emerging: to raise as many organizations as possible above the SPL, because a compromised security stance for one is a threat to all.
The dangers that lie beneath the security poverty line
Globalization, multiplying endpoints, shared data, hybrid work models, and complex environments have lent themselves to an increasingly interconnected world that relies on the optimum performance of all its parts. The Colonial Pipeline attack and the SolarWinds hack offer well-known examples of how one digital blow can cause a ripple effect through physical and technological chains, wreaking havoc on more than just the impacted parties.
In an interview with The Register earlier this year, Jeetu Patel, Cisco EVP for security and collaboration, pointed out that, “We are living in a holistic ecosystem where the weakest link can break down the entire chain. A small supplier for an auto manufacturer that gets breached could shut down the entire production line of an auto company.”
This warning gives way to a call to action for the cyber 1%, regulators, solution providers, and communities to do what they can to remove hurdles preventing organizations (particularly SMBs) from rising above the SPL. Realizing this vision creates a shared benefit for all. “If we don’t take care of the folks that are below the security poverty line, you can do all that you want to protect yourself if you’re above the security poverty line, but you’ll still be exposed,” Patel said.
What separates the haves and the have-nots
To understand what separates those across the SPL divide with more granularity, it’s important to consider some key factors.
Resources and budget. While high revenue generators tend to be big ticket targets for attackers, these groups also have more resources to invest in securing their defenses. The cyber 1% benefit from large revenue streams to support well-resourced teams and updated technology investment. Those below the SPL attempt to make the most of their modest revenues, often grappling with understaffed and overworked teams, aging software, and hazardous knowledge gaps.
Capabilities and leadership. Large, well-resourced companies can attract top talent, giving them the opportunity to cherry pick from the sharpest skillsets. This includes the ability to support critical roles such as CISOs, data analytics, risk managers, etc. Without this luxury, those below the SPL are left to navigate without the ability to advocate for security priorities or budget allocation. This also means they are more vulnerable to unknown threats and large-scale disruption, without the leadership or capability to navigate the turmoil of an attack.
Influence and culture. The cyber elite often have a forward-thinking, risk-based culture that drives innovative thinking, higher security priorities, and a nuanced understanding that investment in security resilience is an investment in business resilience. These organizations also understand the importance of instilling healthy cybersecurity hygiene in their employee base with ongoing and engaging learning opportunities. Those below the SPL often do not have the support or company culture needed to prioritize security initiatives, take necessary steps to future-proof operations, and help security matter to all.
Rising above the security poverty line
Even with common constraints felt by SMBs or less supported security teams, organizations can still take steps to improve their security stance and overall resilience.
Leverage wins—no matter how small
Start small. Making the case for security initiatives like risk-based vulnerability management, multi-factor authentication, zero trust, or workflow automation can help kickstart a larger, more holistic security effort. Leveraging and building on small wins will drive stakeholder interest and buy-in. Communicating progress regularly and effectively is paramount for long-term success. Cut out the jargon and technical lingo and speak in plain terms so that everyone can be part of the conversation.
Empower your employees
Every endpoint is a potential entry point for an attacker. Instilling a sense of ownership in company security will help fill in defense gaps. Find ways to train or educate your employees on a regular basis. This can be in the form of quick tips shared at company-wide meetings or a friendly monthly newsletter. Encourage the use of a company-approved password manager and provide training on spotting phishing emails.
Upskill on a budget
The ongoing security talent shortage combined with the impact of the Great Resignation is leaving security teams struggling with a lack of mission-critical skills. Implement a rotational approach to training, inviting a team to partake in condensed development sessions while others carry on day-to-day operations.
Adopt simplified, integrated tools
Vendors are just as responsible for stepping in and helping organizations that are struggling without adequate resources. To make the most of your existing security investments and to drive security efficiency and effectiveness, deploy open, integrated solutions with user-friendly interfaces. Top-tier enterprise management vendors offer powerful, automated capabilities that help eliminate manual processes and catch issues before they become a problem. Find a solution with data-driven, risk-based prioritization baked in.
A win for one is a win for all
As the stakes continue to rise, organizations everywhere are bracing for an unpredictable threat landscape. And while establishing security resilience is the overarching goal for any company looking to outmaneuver and outlast future disruption, helping equip others to do the same should be part of that goal. Because our future is only secure if everyone is secure.
Learn how Cisco and Kenna Security are defining a future that’s built on simplified, automated, and democratized security so that every organization can navigate unpredictable change and unknown threats with confidence.