What is the security poverty line? It is a baseline of a company not implementing the correct security controls to mitigate their risks. Simply put, most companies do not invest enough effort in determining what their ‘real’ risk is and instead buy into vendor ideas and concepts.
For example, about 20 years ago many companies used to have significant capital budgets to purchase equipment for their businesses. Since then, many companies started to use leasing vehicles to gain control of costs to capital expenditure. As with all business, it is about making a profit and as such security has always seen a barrier to increasing that bottom line.
Security is equated to sizeable expense the organization cannot possibly take on. It is better to be compromised and pay the ransom and loose customer confidence. It might be a small impact if we just spend more money on marketing to cover it up. These are the cost trade offs that are being made in business globally. Some are waking up to it, but many are not.
I believe we have been asking the wrong questions of our companies and executives. Many executives get freaked out when the topic of cyber security is raised. Many are scared of this elephant in the room and they chose not to make a decision — which in itself is a decision. The question should become: What can I do to ensure the company I run will remain operational and relevant after a cyber incident?
What many executives and managers fail to realize is they are responsible for protecting their client and employee information. As such, they are putting their organization below the poverty line.
The poverty line characteristics that companies should have as a minimum to protect their organization:
a. Quantifying the cyber risks for the organization.
b. A policy and procedure base that reflects the quantified cyber risks.
c. A risk management process that deals with ongoing risks.
d. A review process to ensure the controls deployed are adequate to protect against the current risks as they do change over time.
e. Management’s belief that security is important to protecting the overall health of the organization.
If you look at that list, firewall or other technologies were listed for good reason. They are a control. You must determine why the firewall is there and what it is protecting you against. Once deployed you must make sure it is configured correctly or it provides no protection against threats and provides a false sense of security. This happens way too often. This can be said about many of the security solutions sold, many are misconfigured to not protect against the risk that was presumed.
When you look at the corporate landscape, most companies live below the poverty line. Many do not even do the bare minimum as they believe it is too difficult to overcome and scoff at their chances of being targeted. We have already seen the number of executives who had this same mind set and now are unemployed. Living below the poverty line puts your organization and staff at significant risk and we need to start doing something about it.
I believe the only way this is going to change is if the our governments start to regulate mandatory security controls in all organizations regardless of size or sector. We had change our mindset for seatbelts in the 70’s to protect vehicle occupants, now it is cyber security and unfortunately it is only path forward.