The real impact of the cybersecurity poverty line on small organizations

The financial constraints many smaller organizations face often cast shadows on their ability to fortify defenses. In this Help Net Security interview, Brent Deterding, CISO at Afni, delves into the realities and myths surrounding the cybersecurity poverty line, exploring the role of budget, knowledge, and leadership.

Challenging popular notions and offering actionable insights, Deterding reveals how organizations can rise above financial limitations to safeguard their digital assets effectively.

An organization’s modest budget restricts it from acquiring the right people, processes, and technology for cybersecurity. From your experience, how pronounced is this financial challenge for smaller organizations?

The ‘cybersecurity poverty line’ is real! That said, I don’t believe people, processes, or technology are limiting factors because significant risk reduction is simple (technology), easy (people/process), and cheap. Bluntly, many organizations aren’t ‘brushing their teeth’ in cybersecurity.

China isn’t targeting 99.9% of organizations, and ransomware isn’t advanced – things like ‘100% of people use strong MFA’ is the most cost-effective thing most organizations can do to reduce their cyber risk dramatically.

I think the cybersecurity poverty line relates to knowledge/leadership. Appreciate that Maslow’s hierarchy of needs applied to cybersecurity dictates that revenue trumps security.

We have a responsibility to steward finite resources, and the fact is that most organizations can be adequately secured with a very modest budget. The limiting factor is knowledge/leadership – what to do, when, and why.

Aside from the financial aspect, knowledge plays a crucial role. How often do you come across organizations that, despite being well-funded, are ill-informed and hence vulnerable?

I’ve been surprised at the disparity of outcomes from different security teams, even when the organizations were nearly identical. ‘Security Team A’ is 5 people, catches bad guys early in the kill chain, and has no apparent stress. ‘Security Team B’ is 10 people and is constantly stressed with incidents. Why? We might call it knowledge, but I would more accurately ascribe it to leadership.

I am very suspicious of the things that ‘everyone knows’ or ‘everyone does.’ Common advice leads to common and poor outcomes. Here’s a hypothetical example. ‘Everyone knows’ that when you are a CISO, you first do a risk assessment against a framework. This takes X months, costs Y dollars, and involves many discussions with the IT and security folks. I’d rather take a few days to talk to the various executives to understand the business and see where I can massively reduce risk while enabling the business. This takes half the time and half the money.

If an organization with limited funds decided to invest in a risk assessment and suite of policies, would that be a step in the right direction, or are there other areas they should focus on?

Emphatically, don’t write policies or spend much time on a risk assessment as a first or second step. A quick risk assessment that heavily focuses on understanding the business is appropriate. That looks like more time with the finance or operations people than the IT or security people. The outcome of the assessment is a roadmap of prioritized projects that reduce risk in a cost-effective manner.

What actionable strategies can organizations, especially those with limited budgets, adopt to become more resilient to cybersecurity threats?

Focus on those things that can plausibly cause material impact. At the top of the list are things like MFA (everyone!), EDR (everywhere!), rapid (<72 hours) patching of externally facing assets, and an incident management retainer. For any project, challenge yourself to tell a plausible story where not doing this costs the organization a substantial amount of money. If you can't easily tell that story, think long and hard about doing it.

Considering the financial and knowledge barriers, what is the most effective way to lower the cybersecurity poverty line and bring more organizations above it?

The easy answer is to hire and listen to a full-time or part-time CISO who talks about enabling the business. This is very indicative of their overall approach. Many organizations below the poverty line would be well-served by a solid vCISO (part-time CISO).