The term ‘security poverty line’ was coined back in 2011 by Wendy Nather. It describes organizations that under-spend on IT security to the point that they cannot maintain an effective level of security, or even reach compliance with regulations.
For many organizations, more money spent on IT staff, consulting, or hardware means fewer resources actually going towards their purpose or the product/service that brings in revenue. Security may not even be considered until an organization reaches a certain level of maturity. These organizations may outsource these resources and are thus dependent on third parties to define their level of security.
Today’s cyber security products are divided into two camps: traditional and next generation. If you are already under-spending on IT, let alone on information security, you probably have the traditional, preventative technologies like definition-based antivirus and firewalls. The cutting-edge technology that can allow an organization to be proactive, with more responsive security, is simply out of reach. Bad practices can hurt even more than bad products. Organizations relying on a switched network (as opposed to a hub, which broadcasts every frame to every port) to protect data in transit instead of actually encrypting that data are putting their information at risk of interception.
Security may get less priority than just keeping systems running. IT Pros may be less trained on security best practices or may not be given the resources to keep systems running the latest operating systems and software versions. Even best practices like “separation of duties”, “mandatory vacations”, and “job rotation” can be costly to implement if you do not have enough staff, or enough time to train other staff. You also have account management concerns: ensuring that applications and end-users follow the principle of least privilege. If you only have a few IT Pros, it may be tempting to give every individual admin privileges so that IT time is not wasted running around installing applications and updates. Instead, their time may be consumed tracking down who deleted somebody else’s files and uninstalling the malware that somehow got onto the computer again.
Some non-profits, educational institutes, or government organizations may receive discounts from vendors, but much of the technology still remains out of reach. With the per-seat licensing model of many products, growth comes at a cost. The higher that per-person cost, the more the growing pains impact the organization. Personally, I would prefer the money I donate to a non-profit go towards its cause, but I also do not want to be donating to an organization that will be breached and compromise my personal information. This is actually the strength of regulation. By defining the minimal acceptable level of security, for example with PCI, many organizations will not be handling credit cards without the proper safeguards in place. This then either restricts how they can accept donations or means losing a percentage of the amount raised in processing fees to a third party that also decides its own security posture.
The security poverty line can rear its head again when you start talking about in-house software development. Developers need to be given enough training, time, and resources to ensure security is included in their applications from the start, by following OWASP or other principles. Developers may also avoid including security or other departments in the planning stage because it slows them down and causes them to miss deadlines. This just increases the technical debt and passes it along with each project. This technical debt indirectly ties to a financial cost and will have to be paid at some point, making it even more difficult and costly to bring the organization into compliance further down the road.
How does an organization bring itself above the security poverty line? Without a new source of revenue, or perhaps a higher priority in budgeting, it will be difficult to reach an investment level in security that is acceptable rather than just treading water. The culture of the organization can certainly help a lot, though. Reinforcement from the top that security best practices will be followed, despite the delays they may introduce, and that everyone will comply can make a big difference in the success of policies that implement best practices. If software development is performed by the organization, training to share knowledge of good security practices and prioritizing properly secured applications can change the expectation from tasks being done as quickly as possible to tasks being done correctly.
Should there be a welfare program to fund organizations up to the security poverty line? How do you determine that enough of the budget is being spent to secure the organization and its data? What do you trade off in order to invest more in security? Will the situation naturally improve over time as more developers are trained with security in mind and operating systems ship with a better security baseline?