September 8, 2022 By C.J. Haughey 4 min read

In cybersecurity, there are the haves and have-nots. For the latter, improving their security posture to defend against threats is rarely straightforward. While attackers become more high-tech, the gap between ‘the cyber 1%’ and those companies below the ‘cybersecurity poverty line’ grows wider. That poses a threat to all companies.

What is the cyber poverty line? Why does it matter to your business, and what can you do to protect yourself?

What is the cyber poverty line (CPL)?

The cyber poverty line (CPL) is a threshold that divides all organizations into two distinct categories: those that are able to implement essential measures well and those that are unable.

Wendy Nather, head of advisory CISOs at Cisco, first coined the concept in 2011. Since then, Nather’s theory has been widely adopted as the benchmark for acceptable cybersecurity posture. Chris Krebs added the concept of a ‘cyber 1%’ in a talk at a Gartner conference in 2020.

The cyber 1% are the most capable and actively able to defend against threats, regardless of their industry. These companies possess the resources, culture and structure to maintain an elite security posture well-matched with attackers.

For other companies, getting above the cybersecurity poverty line should be the minimum standard. If they don’t, they remain exposed to a breach and the damaging impact of such an attack on their data security, budget and company reputation.

The difference between the cyber 1% and the rest

To understand what separates those on either side of the line, let’s consider six key factors:


Thriving enterprises are attractive targets for attackers, even more so those in the financial sector (for obvious reasons). However, there is no hard and fast rule here. Attackers also target smaller businesses with more modest revenues.

  • The cyber 1%: Tend to have larger revenues, enabling greater investment.

  • Those below the CPL: More modest revenue, with smaller profits.


Without a sufficient IT budget, you will run into problems. Regardless of your revenue and profit, it’s essential to invest enough to build robust security programs and train teams to manage them.

  • The cyber 1%: Spend heavily on recruitment, training and employee training, as well as investing in the latest tech and infrastructure.

  • Those below the CPL: Tend to make do with aging software and hardware, often run by overstretched teams that don’t have enough time or resources.


“It really takes a village to make progress,” explains John Hammond, a senior security researcher at Huntress. “We know that attackers are collaborating and sharing threat intel, so the industry should, too.”

  • The cyber 1%: Aims to increase diversity in the company skillset so they can leverage the threat intelligence of multiple seasoned workers.

  • Those below the CPL: Face regular challenges due to knowledge gaps or skills shortages.


A security operations center (SOC) assures your company round-the-clock protection. However, not every organization has the resources to build its own or even manage a credible freelance SOC.

  • The cyber 1%: Develop an in-house SOC that is customized to their needs — including seasoned SOC analysts and powerful tools like SIEM.

  • Those below the CPL: Lack the resources and structure for an in-house SOC. Even if they outsource it, some may struggle to stay one step ahead of attackers.


The chief information security officer (CISO) is the executive leader who oversees information and data security.

  • The cyber 1%: Has a CISO to manage the IT budget, oversee security training and awareness programs and ensure the company can safeguard against known attacks.

  • Those below the CPL: Lack a CISO or experienced security professional to drive IT investment or correctly prioritize the allocation of cybersecurity resources.


If employees are more aware of the threat landscape, they will be less likely to fall prey to attacks.

  • The cyber 1%: Nurtures a company-wide culture of security by training employees on best practices.

  • Those below the CPL: Don’t openly share and talk about cybersecurity, which means employees have less power to contribute.

How to rise above the cybersecurity poverty line

While budget and investment are huge factors in whether a company can reach the cyber 1%, those with limited capital can still develop a healthy posture that puts them above the CPL.

Here are five steps to improve your standing.

Invest more

As your revenue grows, try to allocate more of your budget to safeguard your data, infrastructure and financial accounts. Small steps can have a big impact, like these:

  • Make multi-factor authentication and virtual private networks essential on all devices
  • Develop reporting systems so everyone can flag issues at an early stage
  • Conduct regular meetings to share information.

Empower every employee

When attackers look for entry points, they can exploit any credential or device. Every single endpoint is a potential chink in a company’s armor. To combat this threat, every employee must become their own line of defense.

Some ways you can help your team:

  • Provide training on how to spot common attacks, like phishing emails
  • Encourage safe browsing best practices, such as using a password manager
  • Send a company-wide email newsletter with tips on personal security.

Tailor training delivery to suit your needs

The challenge for many companies is the lack of time or resources to educate employees. Trying to upskill teams while running a business can lead to burnout.

Here’s a flexible solution that you can use if you can’t afford to hire security workers with specific skill sets:

  • Focus on your current team with a rotation approach to training
  • Train one team for short bursts, like a few days or a week, while other teams continue with day-to-day business
  • Continue to rotate, so there is always one team focused on upskilling. As you rotate training groups, the company’s awareness and defense capabilities will grow.

Adopt user-friendly tools

The mission becomes easier when you have the right tools:

  • Choose unified software platforms rather than a large stack of point solutions
  • Look for intuitive programs that are easy for end-users to set up and learn
  • Avoid complex software that requires specialist personnel to operate.

Embrace zero trust

The zero trust framework assumes your business is always at risk. With this approach, companies implement strict rules for authentication, authorization and validation for all network traffic. In turn, this model offers greater protection for corporate data.

Bring people, processes and technology together

Jeetu Patel, Cisco EVP for security and collaboration, says cybersecurity measures will soon reach human-rights issue status. For now, organizations must focus on what they can do internally to get above the security poverty line.

The critical thing to realize is that cybersecurity poverty doesn’t just impact organizations with low cash flow. Simply providing money will not address other underlying factors, like a disconnected tech stack or siloed company structure that doesn’t openly discuss security issues.

In the end, a strong culture of security education and teamwork underpins the success of a company’s approach. Even if you lack the financial resources of the cyber 1%, astute investment in uniting people, processes and technology can help you establish a clear framework for cyber resilience.

More from CISO

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today