Surviving Below the Cybersecurity Poverty Line

Recently an article came out titled “How to Survive Below the Cybersecurity Poverty Line” which raised some interesting points for small to mid-sized businesses. The cybersecurity poverty line is defined as the point at which an organization does not “have the means and resources needed to achieve and maintain a mature security posture and protect data”. Ian Thornton-Trump points out this is the point where “doing more with less” becomes “can’t do anything because we have nothing”. It is the point where “the cybersecurity leadership has abjectly failed”.

You will be forgiven for seeing words like poverty and resources and immediately thinking in terms of money and expenses. Plenty of businesses spend a great deal of money on their IT systems, including expensive cyber-security response software or security firms, yet still fall below the cybersecurity poverty line. This is because, while the organization spends money on outside resources, it has failed to develop its internal and non-technical resources. The issue, as pointed out, is a failure of leadership.

The danger, of course, is increasing tech and security debt. Issues pile up and critical controls are missed. When, not if, an incident occurs, organizations that are failing to secure their systems are more likely to suffer significant financial losses. Operating below the baseline increases the risk your business will not survive a security incident.

Rising above the poverty line is less about the amount of money spent, and much more about identifying and implementing the “essential” security controls. Essential controls will vary from organization to organization. What separates a successful security posture from an unsuccessful security posture is having the expertise, whether internal or external, to identify and manage the essential functions and controls that permit the organization to run and generate revenue.

In an environment where every dollar counts, it is critical that security spending have the greatest impact possible. Identifying and protecting your essential functions streamlines IT spending, lowering your overhead, and freeing up resources to protect what truly matters to your business.
