Beyond the current attack trends and getting the basics right, as outlined in Part 1, there is also what Wendy Nather from Cisco calls the security poverty line. 

This, she explained, is the line below which an organization cannot effectively protect itself, or lacks the essential resources needed to do so. These resources include money, but also extend beyond it into three other arenas as well, namely the lack of expertise, capability and influence. 

The most evident component that contributes to the security poverty line is financial, namely whether a business can afford the cost of the tools and people they need to enact effective cybersecurity measures. This will vary from one business to the next.

Nather gave the example of a retailer with a small profit margin, noting that they cannot realistically be expected to spend as much on security as a larger organization. While large organisations have bigger budgets and are more likely to have a team of IT professionals, smaller businesses are no less vulnerable to new, emerging and evolving attacks; and a cybersecurity breach can ruin their business virtually overnight.

‘’The security poverty line is not limited to small organisations; large ones with large budgets can also find themselves below this line,” she added.

It is also exacerbated by the fact that there is no clear way to define how much an organization needs to spend – or what solutions they need to put in place – to absolutely guarantee they will be safe from a potential breach.

The essential need for expertise

Then there is the question of expertise. She explained that this encompasses whether the business knows what essential security is for their business, and even if they do, whether they have the expertise on hand to implement and manage it. Beyond that though, Nather explains that in her view, ‘’expertise is the experience that goes together with skills and knowledge to be able to respond to the unexpected.’’

The problem with a dearth of skills is well documented. Globally, cybersecurity skills and expertise is still highly needed, with demand far exceeding supply.

From a South African context, we know that skills shortage across the board is a major problem that the country, and many industries within it, are grappling with. A perfect case of point of how far reaching a poverty of expertise can be is Eskom. Lack of expertise has been a demonstrable – and well achnowledged - component in the myriad of failures and power outages that has affected individuals, small and large businesses alike and made doing business considerably more challenging.

Nather explained that one possible way to address the problem of expertise poverty is by designing software and cybersecurity solutions that are easier to implement and manage; recalling her earlier example of creating security solutions that are as easy to use as a spoon. Making cybersecurity easier would reduce the need for specialized expertise, at least to some extent. However, we expect that there is no getting around the fact that until the supply of expertise is on hand to match the ever shifting and expanding cybersecurity threat landscape, organisations will still remain vulnerable to being ‘’security poor.’’

The capability conundrum

Another contributing factor to the security poverty line is capability. Nather continued that even when an organization knows what to do to secure themselves, they may lack the capability to do so, because they are constrained by the company culture or industry itself. For example, a hard and fast maxim in the hospitality industry is that you must never under any circumstances disrupt the guest experience, because that would cost the provider their business.

“This means that if there are any security controls that disrupt the guest experience, they will simply not be implemented,” she elaborated. This belief hinders the implementation of security measures that a hotel, restaurant or airport for example, may well need.

Our recent experience travelling overseas bears out Nather’s point. It is shockingly easy to connect to an airport Wi-Fi, but airports are renown for being extremely unsecure places as far as cybersecurity goes, and fantastic hunting grounds for hackers to gain anonymous access into an unsecured device joining the airport’s network.

It is also a mistake that many organizations may fall prey to. After all, being customer centric and ensuring the customer has the best experience possible is a valid argument. This is especially true as businesses emerge from the stresses induced by the pandemic and concentrate on making their digital transformation strategies pay off with generating loyal customers, and greater success.

The real influencers

The final consideration that contributes to creating a security poverty line is the degree of influence a company has, and whether or not they can influence their suppliers to do the right thing from a security point of view.

“While large multinational organisations generally can, the same does not hold true for smaller ones,” she added.  

What the security poverty line reveals is that the ability to rise up and meet the challenges of a constantly changing cyberthreat landscape is not a simple one. That acknowledgement may well be the first, and a critical, step, towards winning the battle.

For more on the security poverty line, Cisco's executive vice president Jeetu Patel explains it in regards to business resilience in the video below (at the 11.10 mark), and in our interview with him earlier this year.