On this week’s episode of Security Nation, we had the pleasure of speaking with Wendy Nather, the head of advisory CISO services at Duo Security (now part of Cisco). Our podcast highlights guests who have taken on a challenge that has advanced security in some way, and Wendy’s work on the security poverty line is a perfect example of this.
What is the security poverty line?
The “security poverty line” refers to organizations that lack the budget and/or resources to be able to effectively implement the cybersecurity measures they need. In Wendy’s opinion, it’s one of the biggest challenges in security. She first experienced it when she went from working in security at a Swiss bank where she had a budget of around $60 million to a state agency in Texas where she had a budget of zero. As you can imagine, building a security program with no budget is quite difficult—and even if you do have a budget, you likely can’t do all the things you should be doing.
Who is affected by the security poverty line?
Security teams do not like to admit that the security poverty line is a problem they have, but more industries and companies are affected by it than we think. It can be impossible for organizations to get approval to pay for things like software and hardware upgrades, especially in the public sector, where every purchase goes through the scrutiny of taxpayers. Speaking from experience, Wendy explained that taxpayers expect organizations to use something until it stops working and only then can they make the case for something new. This is why many government entities wind up running ancient hardware and old operating systems.
Those lucky enough to be aware of the security poverty line will often wonder why affected companies don’t patch or update as much as they should, but it’s far more complicated than that. Simply put, there are a lot of dynamics to security poverty.
The information poverty line
While many companies have a hard enough time with security due to budgetary issues, nearly every company experiences some level of information poverty. By this, we mean a lack of understanding about what to do or buy to have an effective security program. When Wendy worked for 451 Research, she asked security pros what a new CISO on the job should buy first. No one gave the same answer twice, and most said, “It depends.” Some people listed four technologies as a starting point, others listed 31.
So, if we can’t agree on what we need for security, how can we begin to understand what we need and what it will cost, let alone get approval on these things from non-technical stakeholders?
The four aspects to the dynamics of security poverty
Clearly, the issue is multifactorial. Wendy explained that it comes down to four dynamics:
- Budget: Is there money available to afford the things you want to do, regardless of whether you are in control of buying or approving them?
- Expertise: Wendy pointed out that as an industry, we talk too much about awareness and not enough about expertise. You can’t simply tell someone about security and think they can immediately go out and do something about it. Expertise comes down to knowing what to do.
- Capability: Even if you have the budget and expertise, can you actually get it done? Let’s say you’re a state agency and need new hardware, but taxpayers or the legislature turn you down. Or, let’s say you don’t run your own network so you can’t put in network-based controls when you want to. Or, perhaps you have approval to get something done but don’t have enough people to pull it off. In each of these examples, you lack capability.
- Influence: This dynamic is often underestimated. If you’re a big company, you can go to your suppliers and say, “Hey, you need to fix this,” and they’ll do it. But if you’re a small organization, they’ll either say, “Well, you’re the only one complaining about this, so we’re not going to fix it,” or, “Well, we’ll fix it, but only if you pay us.” Influence plays a huge role in whether you can get things fixed, and many companies living below the security poverty line lack the influence to get things done, thus perpetuating the issue.
Are these issues nonexistent in the Fortune 500?
This discussion raises the question: do the one-percenters (the large Fortune 500 companies with substantial security budgets) not face any of these security poverty line issues? In our research through our Industry Cyber-Exposure Reports (ICERs), we discovered that even the most well-resourced organizations still get cybersecurity basics wrong, regardless of budget. We looked at things like the adoption rate of DMARC and were surprised to find that most companies could not reliably implement or use this anti-phishing control. DMARC is an open standard deployed through DNS TXT records, with no license cost, so it isn’t a budgetary issue—what it comes down to is expertise and capability.
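To make the DMARC point concrete, here is an added example (not code from the podcast, from Wendy, or from Rapid7’s ICER methodology) that parses DMARC records and flags the gaps that turn a “deployed” record into one that doesn’t actually stop spoofing. The domain names and records are constructed for illustration; a live check would instead fetch the TXT record at `_dmarc.<domain>` with a tool such as `dig`.

```python
"""Classify DMARC records by how much protection they actually provide.

A record can exist and still do nothing useful: p=none only collects
reports, pct=10 enforces on a tenth of failing mail, sp=none leaves
subdomains open, a missing rua= means nobody sees what is failing, and a
record that is not syntactically valid is ignored by receivers entirely.
"""
import re

# Constructed sample records, in the form a DNS TXT lookup of
# _dmarc.<domain> would return.  These are placeholder domains, not real data.
SAMPLE_RECORDS = {
    "example-reject.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-reject.test; "
                           "ruf=mailto:dmarc@example-reject.test; fo=1",
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example-partial.test",
    "example-subdomain.test": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example-subdomain.test",
    "example-blind.test": "v=DMARC1; p=reject",
    "example-broken.test": "v=DMARC1 p=reject",   # missing ';' separator
}


def parse_dmarc(record):
    """Return a dict of tag -> value, or None if the record is not a valid
    DMARC1 record.  RFC 7489 requires 'v=DMARC1' as the first tag and
    semicolon-separated tag=value pairs."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0], re.IGNORECASE):
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (level, findings) where level is one of
    'invalid', 'monitor', 'partial' or 'enforce'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid", ["not a syntactically valid DMARC1 record; receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["missing or unknown p= tag; receivers ignore the record"]

    findings = []
    level = "enforce"
    if policy == "none":
        level = "monitor"
        findings.append("p=none: spoofed mail is still delivered; the record only collects reports")

    pct = tags.get("pct", "100")          # default is 100% per RFC 7489
    if policy != "none" and (not pct.isdigit() or int(pct) < 100):
        level = "partial"
        findings.append(f"pct={pct}: policy applied to only that share of failing messages")

    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if policy != "none" and sub_policy == "none":
        findings.append("sp=none: subdomains can still be spoofed despite the parent policy")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so failures stay invisible")
    return level, findings


def adoption_summary(records):
    """Tally domains per enforcement level, the kind of count behind an
    adoption-rate figure."""
    counts = {"enforce": 0, "partial": 0, "monitor": 0, "invalid": 0}
    for record in records.values():
        counts[assess_dmarc(record)[0]] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        level, findings = assess_dmarc(record)
        print(f"{domain:24} {level:8} {'; '.join(findings) or 'ok'}")
    print(adoption_summary(SAMPLE_RECORDS))
```

Of the six constructed domains, only one comes out fully clean; three report as “enforce” by the headline `p=` tag, yet one of them leaves subdomains open and another has no reporting address. That is the gap between “has a DMARC record” and “reliably uses DMARC” that a raw adoption number hides.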
These companies were also still exposing Telnet on the internet and missing other basics. Almost everyone has heard of WannaCry, yet we are still seeing the effects of it out there. This leads us to conclude that awareness alone is not enough—not by a long shot. As we discussed in the podcast with Wendy, just because the basics are basic doesn’t mean they’re easy. That means we can’t look at a company’s security posture and say, “I don’t understand why they’re not doing it,” because what that actually means is that we just don’t understand. If you pull on that thread a bit more, you’ll often find there are many well-intentioned reasons behind organizations’ decisions to do (or not do!) something.
Leveling the playing field
So, if the people at the high end of the market are still getting things wrong, how can we expect small, under-resourced organizations to get it right? This is not to say you shouldn’t bother with something just because it’s hard or because a Fortune 500 company can’t manage it. It’s just that we can’t write off or criticize a company for not doing something or having something in place simply because we’ve heard it’s a best practice. The problem is often more complicated than we think it is.
Another important factor is knowing what your risk model looks like and starting there when implementing a security program. To do this, we recommend looking at things like:
- What do you need to protect?
- What is the likelihood that people are going to come after you?
- What are the kinds of people coming after you?
From there, you can make informed decisions about how important security is. Many under-resourced companies are forced to go as long as they can until the threat becomes real enough that they need to start spending money on it or the threat happens to someone else and hits close enough to home that they finally take action.
There is still a lot more to be done to address this large and underserved issue. Wendy says it’s as big a problem as healthcare reform. And while it’s partly a technology issue, there are economic, political, and societal sides to it, too. The word “empathy” often gets a bad rap in security, but if we can at least try to understand the context of what someone needs and figure out how we can help them (whether through information, resources, or money), we can start to put the right support in place to combat the security issues all of us face.
We’d like to thank Wendy for bringing this important topic to light and inspiring others to take on security challenges like this one that can positively impact the world.
To hear Wendy’s interview in full, be sure to check out our latest episode of Security Nation, and if you like what you hear, please subscribe! We release episodes every other Friday, each featuring someone who is advancing security in their own way.