When we think of the term “security poverty lines,” we rarely think of organizations’ abilities to maintain good hardware and cybersecurity. Yet this is a largely unrecognized problem for many of today’s companies. In a podcast on Security Nation, Wendy Nather, head of advisory CISO services at Duo Security, discusses the problem of security poverty lines and how it can be addressed.
What exactly is this security poverty line?
Organizations fall under the “security poverty line” when they don’t have the budget or resources they need to cover their cybersecurity effectively. One category that is often constrained in this way is non-profit organizations. But this affects more companies than we realize. Small, private organizations operating on low overall budgets are not the only ones that can fall below the security poverty line. Large public-sector organizations often have trouble addressing security needs because of their accountability to taxpayers. When tax money funds the organization’s budget, the people contributing often expect the organization to “drive it till it breaks down.” Therefore, government agencies sometimes end up running old hardware and operating systems with compromised security. And even big Fortune 500 companies can fail at achieving optimal cybersecurity, because poverty isn’t only about money.
Deeper roots: the information poverty line
An issue that goes even deeper than budget constraints is lack of information or knowledge concerning security needs. What should an organization purchase or implement in order to be fully cybersecure? Nearly every company faces information poverty to some degree; security leaders have wildly different ideas on where to start in securing their organizations. For instance, many companies are using platforms that are not secure, such as Zoom, simply because they are free. Many of them could use some good advice on effective cybersecurity measures. Becoming better informed is an important step in improving security.
Factors in security poverty
As we’ve seen, budget and knowledge are two decisive factors that pull companies below the security poverty line. Another one is capability: even with the right budget and expertise, an organization may have other limitations (such as a public agency’s taxpayer or legislative hurdles) that keep it from attaining proper security. Additionally, a smaller organization may not have the influence to make things happen as quickly or thoroughly as they should. Climbing out of security poverty means, in part, addressing each of these factors as a stair step toward a more secure workplace.
Working toward solutions
Nather suggests that, like poverty in general, this is a problem that affects the larger society as well as the parties directly involved. She argues for better awareness of the ways cybersecurity falls short because of these poverty lines. Companies themselves should look at their own risks and create goals to address their deficits in knowledge, budget, influence and capability. And the tech industry as a whole should acknowledge that many companies are struggling with this. Only then can we work on building a support network to help, through information, resources, or whatever we have to offer.
If you feel like your company is falling below these security poverty lines, here are some tips on how to rise above them.