September 8, 2022 By C.J. Haughey 4 min read

In cybersecurity, there are the haves and have-nots. For the latter, improving their security posture to defend against threats is rarely straightforward. While attackers become more high-tech, the gap between ‘the cyber 1%’ and those companies below the ‘cybersecurity poverty line’ grows wider. That poses a threat to all companies.

What is the cyber poverty line? Why does it matter to your business, and what can you do to protect yourself?

What is the cyber poverty line (CPL)?

The cyber poverty line (CPL) is a threshold that divides all organizations into two distinct categories: those that are able to implement essential measures well and those that are unable.

Wendy Nather, head of advisory CISOs at Cisco, first coined the concept in 2011. Since then, Nather’s theory has been widely adopted as the benchmark for acceptable cybersecurity posture. Chris Krebs added the concept of a ‘cyber 1%’ in a talk at a Gartner conference in 2020.

The cyber 1% are the most capable and actively able to defend against threats, regardless of their industry. These companies possess the resources, culture and structure to maintain an elite security posture that keeps pace with attackers.

For other companies, getting above the cybersecurity poverty line should be the minimum standard. If they don’t, they remain exposed to a breach and the damaging impact of such an attack on their data security, budget and company reputation.

The difference between the cyber 1% and the rest

To understand what separates those on either side of the line, let’s consider six key factors:

Revenue

Thriving enterprises are attractive targets for attackers, even more so those in the financial sector (for obvious reasons). However, there is no hard and fast rule here. Attackers also target smaller businesses with more modest revenues.

  • The cyber 1%: Tend to have larger revenues, enabling greater investment.

  • Those below the CPL: More modest revenue, with smaller profits.

Investment

Without a sufficient IT budget, you will run into problems. Regardless of your revenue and profit, it’s essential to invest enough to build robust security programs and train teams to manage them.

  • The cyber 1%: Spend heavily on recruitment and employee training, as well as investing in the latest tech and infrastructure.

  • Those below the CPL: Tend to make do with aging software and hardware, often run by overstretched teams that don’t have enough time or resources.

Skills

“It really takes a village to make progress,” explains John Hammond, a senior security researcher at Huntress. “We know that attackers are collaborating and sharing threat intel, so the industry should, too.”

  • The cyber 1%: Aim to increase diversity in the company skillset so they can draw on the threat intelligence of multiple seasoned workers.

  • Those below the CPL: Face regular challenges due to knowledge gaps or skills shortages.

Operations

A security operations center (SOC) gives your company round-the-clock protection. However, not every organization has the resources to build its own SOC, or even to manage a credible outsourced one.

  • The cyber 1%: Develop an in-house SOC that is customized to their needs — including seasoned SOC analysts and powerful tools like SIEM.

  • Those below the CPL: Lack the resources and structure for an in-house SOC. Even if they outsource it, some may struggle to stay one step ahead of attackers.

CISO

The chief information security officer (CISO) is the executive leader who oversees information and data security.

  • The cyber 1%: Has a CISO to manage the IT budget, oversee security training and awareness programs and ensure the company can safeguard against known attacks.

  • Those below the CPL: Lack a CISO or experienced security professional to drive IT investment or correctly prioritize the allocation of cybersecurity resources.

Culture

If employees are more aware of the threat landscape, they will be less likely to fall prey to attacks.

  • The cyber 1%: Nurtures a company-wide culture of security by training employees on best practices.

  • Those below the CPL: Don’t openly share and talk about cybersecurity, which means employees have less power to contribute.

How to rise above the cybersecurity poverty line

While budget and investment are huge factors in whether a company can reach the cyber 1%, those with limited capital can still develop a healthy posture that puts them above the CPL.

Here are five steps to improve your standing.

Invest more

As your revenue grows, try to allocate more of your budget to safeguard your data, infrastructure and financial accounts. Small steps can have a big impact, like these:

  • Make multi-factor authentication and virtual private networks essential on all devices
  • Develop reporting systems so everyone can flag issues at an early stage
  • Conduct regular meetings to share information.

Empower every employee

When attackers look for entry points, they can exploit any credential or device. Every single endpoint is a potential chink in a company’s armor. To combat this threat, every employee must become their own line of defense.

Some ways you can help your team:

  • Provide training on how to spot common attacks, like phishing emails
  • Encourage safe browsing best practices, such as using a password manager
  • Send a company-wide email newsletter with tips on personal security.

Tailor training delivery to suit your needs

The challenge for many companies is the lack of time or resources to educate employees. Trying to upskill teams while running a business can lead to burnout.

Here’s a flexible solution that you can use if you can’t afford to hire security workers with specific skill sets:

  • Focus on your current team with a rotation approach to training
  • Train one team for short bursts, like a few days or a week, while other teams continue with day-to-day business
  • Continue to rotate, so there is always one team focused on upskilling. As you rotate training groups, the company’s awareness and defense capabilities will grow.

Adopt user-friendly tools

The mission becomes easier when you have the right tools:

  • Choose unified software platforms rather than a large stack of point solutions
  • Look for intuitive programs that are easy for end-users to set up and learn
  • Avoid complex software that requires specialist personnel to operate.

Embrace zero trust

The zero trust framework assumes your business is always at risk. With this approach, companies implement strict rules for authentication, authorization and validation for all network traffic. In turn, this model offers greater protection for corporate data.

Bring people, processes and technology together

Jeetu Patel, Cisco EVP for security and collaboration, says cybersecurity measures will soon reach human-rights issue status. For now, organizations must focus on what they can do internally to get above the security poverty line.

The critical thing to realize is that cybersecurity poverty doesn’t just impact organizations with low cash flow. Simply providing money will not address other underlying factors, like a disconnected tech stack or siloed company structure that doesn’t openly discuss security issues.

In the end, a strong culture of security education and teamwork underpins the success of a company’s approach. Even if you lack the financial resources of the cyber 1%, astute investment in uniting people, processes and technology can help you establish a clear framework for cyber resilience.
