The security poverty line broadly defines a divide between the organizations that have the means and resources to achieve and maintain mature security postures to protect data, and those that do not. It was first coined by cybersecurity expert Wendy Nather in 2011, and the concept is just as relevant today as it was then. It has widely become the benchmark for acceptable cybersecurity, often associated with factors such as company size, sector and disposable income, but also know-how and appetite for recognizing and addressing security inadequacies.

Generally, those above the security poverty line are larger, private-sector businesses with the money, talent pool, and durability required to meet basic but highly important cybersecurity standards. Being below the security poverty line is unenviable for any organization, because it not only means they are likely to either lack the assets to keep data effectively secure or do not have the ability or inclination to do so, but they can also be prime targets for attackers and cybercriminals.

"I see the cybersecurity poverty line as a mechanism for a reality check in all our industry conversations," Fernando Montenegro, senior principal analyst at Omdia, tells CSO. "From practitioners to vendors, service providers, investors, analysts - all of us need to keep in mind that many organizations have, for a variety of reasons, limitations on how they do cybersecurity. This has profound downstream effects on everything from public policy to contract terms, hiring, and more."

Cybersecurity poverty line a security rock bottom

James Bore, security hygienist and consultant, is careful to avoid defining the cybersecurity poverty line as simply where organizations are unable to purchase and use "essential" security controls, as "essential" varies wildly among organizations, he tells CSO.
"I much prefer to define it by the expertise available to an organization, since one with an appropriate level of expertise either in-house or available can usually find a way to build appropriate security to their own needs," Bore says.

For Will Dixon, global head of cybersecurity consultancy and investment vehicle ISTARI, the cybersecurity poverty line represents the public safety trigger point where governments and other institutions might need to step in to support organizations and ensure they, and those that interact with them, are not harmed.

"It is a vicious circle where cybersecurity poverty leads to further and wider elimination of resources that could be invested in cybersecurity, thus leading more organizations below the cybersecurity line and a consequent increase in compromises," adds Dr. Vasileios Karagiannopoulos, director, Cybercrime Awareness Clinic, Portsmouth University. "The intensification of cybersecurity poverty is bound to result in significant and more widespread compromises that will affect not just other businesses, but consumers and everyday users as well."

Karagiannopoulos tells CSO that the cybersecurity poverty line concept has become more crucial in the last year or so, as the world continues to gradually exit the COVID-19 pandemic and start to work in a more challenging hybrid environment, which poses new and wider cybersecurity challenges for organizations and employees. "At the same time, the war in Ukraine has generated even more concerns regarding novel cybersecurity threats originating from the conflicting countries and their allies, hacktivist collectives and nationalistic hacker groups," he says.
"These developments, alongside the consequent energy crisis and the supply chain challenges, are intensifying concerns regarding the capacity of those under the poverty line to eventually make it to the other side, despite government and corporate efforts to bring the topic of cybersecurity more to the fore and even offer free support guidance and tools," he adds.

As we verge on the edge of recession, the cybersecurity poverty line will only grow in 2023. It is a rather unique time for the IT landscape and one that past generations have never experienced. He predicts that the cybersecurity poverty line will be defined along three major axes moving forward - ongoing digital transformation, continued migration to the cloud, and the movement towards zero trust. "Security teams' success will be defined by the forward movement on each of these projects, and whether these environments are properly secured," he adds.

All types of businesses and sectors can fall below the cybersecurity poverty line for different reasons, but generally, healthcare, start-ups, small- and medium-size enterprises, education, local governments, and industrial companies all tend to struggle the most with cybersecurity poverty, says Alex Applegate, senior threat researcher at DNSFilter. Critical National Infrastructure firms and charities
This Cyber News was published on www.csoonline.com. Publication date: Mon, 30 Jan 2023 10:02:03 +0000