Lifting the world out of cybersecurity poverty
Why the "trickle-down" cybersecurity strategy is not enough, and what we as an industry need to do to solve the problem
The term “security poverty line” was first introduced by Wendy Nather in her 2013 RSA presentation, “Living Below the Security Poverty Line: Coping Mechanisms”. The idea behind it was that when it comes to cybersecurity, there are the haves and the have-nots, and most individuals and businesses around the globe fall under the latter category.
I first heard this term from Chris Hughes, President at Aquia and author of Resilient Cyber. I highly recommend subscribing to Chris’s Substack, especially if you’re interested in the intersection between cybersecurity and policy, cloud, DevSecOps, and software supply chain security.
In this post, co-written with Chris, we are going to do a deep dive into the problem of the cybersecurity poverty line, discuss its extent and dimensions, and suggest several ways in which we as a society can tackle it.
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Lastly, over 2,790 copies of my best-selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been distributed to readers so far.
Security poverty line problem: foundations
The concept of poverty is highly contextual, as the poverty threshold, or the minimum level of income deemed adequate in a particular country, depends on that country’s GDP and its cost of living. The same is true for security: companies in different industries, in different countries, and of different sizes have different security needs. It follows that the amount of resources a company must allocate to security to satisfy its basic needs varies dramatically. The cybersecurity poverty line is much more than a specific dollar amount required to purchase a basket of “essential” security tools, because what constitutes an “essential” security need depends on the context.
Every day, we read about the continuing growth of the cybersecurity market, the rising number of breaches, and the ever-increasing demand for security solutions. In all this cacophony of signals, it’s too easy to miss an important but rarely articulated truth: outside of the top 2,500-5,000 enterprises and publicly traded corporations, few businesses have dedicated cybersecurity budgets. Most companies access cybersecurity expertise, breach experts, and incident response through insurance. At the same time, the vast majority of cybersecurity vendors, in both product and service segments, are targeting the same several thousand haves and ignoring the millions of security have-nots. SMBs, schools, local governments, and other organizations that operate in resource-constrained sectors are being priced out of the security market. That said, some, such as consulting firm McKinsey, have stated that the SMB market represents a “$2 trillion dollar opportunity for cybersecurity vendors who can shift their architecture and selling models to meet the SMB needs”.
The signs of the cybersecurity poverty line do not stop there. The vast majority of cybersecurity practitioners we see in conferences and security events are employed by the small percentage of haves while the have-nots have no access to security talent. Moreover, the very problems that are being discussed at security conferences are those of large, sophisticated enterprises, not those of small businesses.
Over the past decade, many large enterprises developed a good level of cybersecurity capabilities. While some may argue that the number of breaches is going up regardless of all the investments, the fact remains that the bar for attackers has consistently gone up. The same cannot be said about the majority (although not all) of SMBs, hospitals, schools, local governments, and other players that lack a basic understanding of security and security hygiene, as well as access to security talent and tooling that they can easily understand, afford, and adopt.
The cybersecurity poverty line problem is real, and there are no signs that it is going to go away anytime soon. On the contrary, it appears to be getting worse. According to the Global Cybersecurity Outlook 2024 Report produced by the World Economic Forum in collaboration with Accenture, “There is growing cyber inequity between organizations that are cyber resilient and those that are not. In parallel, the population of organizations that maintain a minimum level of cyber resilience is disappearing. Small and medium enterprises (SMEs), despite making up the majority of many country’s ecosystems, are being disproportionately affected by this disparity. The number of organizations that maintain minimum viable cyber resilience is down 30%. While large organizations demonstrated remarkable gains in cyber resilience, SMEs showed a significant decline. More than twice as many SMEs as the largest organizations say they lack the cyber resilience to meet their critical operational requirements.”
The same McKinsey report we previously mentioned discusses a pricing mismatch impacting SMBs and midmarket companies. Because they have fewer employees, the cost of cybersecurity tooling is spread over a smaller pool of staff, and as a result “they face a decision: either pay a disproportionate price per employee - by a factor of three to five or more than larger companies do, depending on the tooling category - or forego some security controls entirely”.
We are failing to solve the security poverty line problem
As an industry, we are failing to solve the security poverty line problem. There are several reasons why that is the case. One of the critical challenges that prevents us from being able to tackle the security poverty line problem effectively is the economics of security vendor markets and the incentives it creates. In particular,
Investors are often hesitant to fund SMB-focused security companies because it’s hard to build high-growth businesses in that segment. SMBs aren’t sophisticated buyers, their budgets and deployment sizes are limited, and they aren’t able to access the right talent, often impeding their ability to make tools effective even if they can afford to purchase them.
Founders often struggle when trying to bootstrap SMB-focused businesses because of small deployment sizes, and the large amount of time it takes to sell to a single company. While there are some outliers, who have begun offering a combination of security tooling and managed services for SMBs and midmarket companies, they are still outliers in the broader cybersecurity market.
Because SMBs, non-profit organizations, and local governments lack security expertise, they would benefit most from working with security service providers. Entrepreneurs, on the other hand, are much more interested in building products because they offer higher margins and exit multiples.
The majority of vendors in developed countries price their software for large US enterprise buyers, and by doing so, make it completely unaffordable for smaller customers and those in developing countries.
The majority of vendors in developed countries have to hire and pay salaries in markets with high costs of labor such as the US and Israel, and therefore have little choice but to set their prices the way they do.
Developing countries have less venture capital, and subsequently fewer startups that are able to build security solutions for domestic markets. Without venture funding, they lack resources to educate the market about the importance of security, and so the cycle continues.
Another important factor that prevents us from being able to tackle the security poverty line problem effectively is the dynamics surrounding the security talent. Specifically,
Small and medium businesses and non-profit organizations don’t usually have a good understanding of security and what kinds of security measures are appropriate for their environment. Moreover, they do not have the capital to hire full-time security practitioners with the skills needed to develop, monitor, and mature a comprehensive security program.
The problems experienced by small and medium businesses and non-profit organizations don’t usually require cutting-edge, novel technological solutions. Instead, they need someone to help with the basics - patching, implementing a password manager, and some basic security tooling. Many security practitioners are looking for complex technical challenges, so they are not motivated to seek employment in these organizations.
Because small and medium businesses rarely hire technical security talent, future founders who could be building impactful solutions never get to learn about the problems SMBs experience. The problems security engineers get exposed to are the problems of large enterprises so naturally when they think of building innovative solutions, they build solutions to problems experienced by the enterprises.
Another factor that hurts our ability to address the security poverty line problem is our mindset. For example,
Small and medium businesses and non-profit organizations often believe that they are not at risk of security breaches because they are “small fish” and “there is no way anybody is going to target them”. This mindset, which stems from a complete misunderstanding of how adversaries work, leads leaders in these organizations to dismiss security as something only big players have to worry about. We have data demonstrating that attackers are equal-opportunity exploiters and won’t hesitate to target small organizations as well, especially knowing they are often understaffed, lack expertise, and lack modern tooling to mitigate threats.
While it is common to see security leaders talk about the cybersecurity poverty line at conferences, events, and on social media, security as an industry is still quite dismissive of those who choose to help SMBs and non-profits. I have heard on several occasions statements suggesting that virtual/fractional security leaders (vCISOs) and consultants working with SMBs are not “real” security practitioners and that the problems they are tackling are not “real” security problems. Equally harmful is the fact that security leaders of large enterprise organizations are often dismissive of peer security practitioners and leaders whose backgrounds come from the SMB space.
Organizations living below the cybersecurity poverty line
The US market and developed countries
A large number of organizations in the US and other developed countries fall under the category of cybersecurity have-nots. Some of the most important categories include small and medium-sized businesses, non-profits, local governments, municipal agencies, and organizations such as courts and schools, as well as those that make heavy use of operational technology.
One of the most underserved market segments in the US is small and medium-sized businesses. According to the U.S. Small Business Administration,
There are 33,185,550 small businesses in the United States which constitutes 99.9% of American businesses.
Small businesses employ 61.7 million Americans, totaling 46.4% of private sector employees.
From 1995 to 2021, small businesses created 17.3 million net new jobs, accounting for 62.7% of net jobs created since 1995.
Small businesses pay 39.4% of private sector payroll and generate 32.6% of known export value.
Many of these SMBs are part of the modern digital economy, and while perhaps not developing software internally like their larger peers, they are undoubtedly using software and digital tooling to power their business, service customers, and deliver their value to the market - all of which requires securing their digital footprint.
Despite all the importance of the SMB market, I would estimate that over 90% of cybersecurity startups are built as enterprise-first solutions. There are good reasons for it as enterprises operate under heavy compliance scrutiny and regulatory oversight, have dedicated security budgets, experience unique and highly complex problems, and require large-scale deployments which naturally translates into large contracts. This situation, however, causes what I often describe as the great cybersecurity market imbalance.
The vast majority of SMBs live below the cybersecurity poverty line, and therefore they:
Lack the awareness of why they should be thinking about security and what they need.
Often struggle to find the right professional advice that can take care of their security needs.
Are being priced out of good technology and struggle when trying to access good technology suitable for their scale of problems.
At non-profit organizations, the situation is even worse. Unlike SMBs which, despite their inattention to security, can somehow sense that there are risks they need to plan for, non-profit organizations don’t have such intuition. Their leaders and teams are usually overwhelmed with fundraising that already takes their attention away from achieving their grand vision, so they have neither the time nor the skills to even consider security as something they need to worry about. The “Why would anyone attack a poor non-profit organization?” mindset can be detrimental to the organization’s ability to survive.
Local governments, municipal agencies, and organizations such as courts and schools also fall under the category of those living below the cybersecurity poverty line. They lack the budget to acquire, implement, or build robust security defenses to protect government and citizen data. According to the 2022 Nationwide Cybersecurity Review, a survey of more than 3,600 state, local, tribal, and territorial government organizations on cybersecurity preparedness conducted by the Center for Internet Security, the following issues prevent these governments from implementing a robust security program: insufficient funding, the increasing sophistication of cyber threats, a lack of documented processes, emerging technologies, and limited access to cybersecurity professionals. Sadly, according to the same report, these are the same issues the survey participants have been citing for the past eight years, despite the fact that the number of attacks on local governments has been steadily increasing.
Another important category of organizations in the US that live below the cybersecurity poverty line is those heavily reliant on operational technology, which includes those working in chemical, communications, manufacturing, dams, defense industrial base, energy, water, and other sectors. I have previously discussed in depth the problems surrounding operational technology (OT) and industrial control systems (ICS) security, factors that make the OT/ICS security markets hard to compete in, and their future in the deep dive titled “Securing critical infrastructure in the US is not a policy problem, it’s a market problem”. Sadly, despite the fact that there are many conversations about securing critical infrastructure, a large subset of organizations that constitute critical infrastructure are also living below the cybersecurity poverty line.
Emerging economies on the global market
In 2024, it should be painfully obvious that companies outside of the US also have security needs, and that outside of the US, the problem of the cybersecurity poverty line is much more acute. Over a year ago in an article titled “Securing developing countries is not a charity, it's our responsibility”, I wrote: “When we think of cybersecurity, we think of the US, Europe, and Israel with the United States drawing a disproportionate amount of focus. There are many good reasons for that - that’s where the cost of data is the highest, the economies are the most developed, and companies can pay top dollar for protection. [...] A simple Google search shows that while there is a decent amount of scientific research on the topic of cybersecurity in developing countries, a discourse among industry practitioners is practically non-existent. That is the gap that cannot lead to good results.”
According to the Global Cybersecurity Outlook 2024 Report, “The lowest number of self-reported cyber-resilient organizations are in Latin America and Africa, while the highest number come from North America and Europe. Similarly, Latin America and Africa reported the highest number of insufficiently cyber-resilient organizations, while North America and Europe reported the lowest number.” There are many reasons why emerging economies are struggling with cybersecurity. These include:
Rapid digitization. In the past few decades, developing countries have experienced rapid digitalization, leapfrogging into the digital era. Unfortunately, this has not been accompanied by the establishment of cybersecurity practices and the growth of the number of security practitioners, leading the newly digitized nations to become increasingly vulnerable.
Software affordability. People in developing countries often cannot afford the latest versions of operating systems and licensed software that receive regular security patches. Instead, old versions of operating systems, pirated software, and torrent downloads have become widespread in developing nations. These types of software do not receive any security updates, and some, such as torrent downloads stuffed with malvertisements, can be even more dangerous.
Low level of security awareness. This is due to the catch-22: the lack of awareness causes a lack of appropriate training which in turn leads to the lack of security professionals. Subsequently, the lack of security practitioners causes the absence of security awareness.
Low level of priority. High levels of political instability and pressing economic challenges have pushed the development of cybersecurity legislation and strategies by the government to the sidelines. This has widespread consequences, from the absence of proper cyber hygiene and control in the government and across publicly funded service providers, to the fact that cybercriminals view emerging economies as both perfect, defenseless victims and great hiding places. Cyber gangs often use developing nations as sandbox environments and training grounds for the subsequent financially and politically motivated attacks in developed countries.
For anyone looking to better understand the market dimension of the security poverty line, I highly recommend reading “Securing developing countries is not a charity, it's our responsibility” in full.
It is important that when talking about those living below the cybersecurity poverty line, we keep in mind the billions of individuals and millions of organizations all over the globe affected by this problem, instead of looking almost exclusively at the US-based SMBs.
"Trickle-down" cybersecurity strategy
Three main forces help us mature our cybersecurity defenses: adversary behavior, insurance requirements, and government regulation.
Adversary behavior greatly impacts what mature security teams pay attention to, prioritize, and invest their resources into. The tactics, techniques, and procedures (TTPs) of adversaries, as well as the emergence of new attack vectors, force security organizations to continuously raise the bar for attackers. Since those below the security poverty line lack the expertise and resources required to tailor defensive measures in response to adversary behavior, this factor has little influence on their security posture.
Because insurance providers have the incentives to reduce the number of claims, as well as the total amount they are required to pay when the claims occur, they are well-positioned to become advocates for establishing solid cybersecurity practices. Insurance companies have access to cybersecurity talent, insights into the details about the organization’s security posture obtained during policy underwriting, and information about claims from businesses with similar cyber hygiene habits. All this equips them to recommend improvement plans to companies that can benefit from implementing additional measures to strengthen their security posture. Additionally, insurance providers can continuously raise the bar required for companies to become eligible for cyber coverage, therefore forcing the maturation of security practices across different industries and geographies.
Government regulation plays a special role in accelerating the maturation of cybersecurity. As I discussed before, “Because the private sector focuses on maximizing shareholder value and increasing profits, without appropriate regulation and mechanisms for enforcement it will typically look to implement the minimum measures which allow it to achieve these goals. There is a shared understanding among security leaders, practitioners, and policymakers that we need to do better when it comes to cybersecurity. Businesses of all sizes need to make sure they implement measures that can protect them from cyber-attacks. Today, the government is the market maker: by legislating cybersecurity requirements, it produces the demand for new solutions. Security vendors are happy to lobby new regulations, frameworks, and compliance requirements because they help sell more products. The flow goes as follows: breaches lead to lobbying for new regulations, and this lobbying translates into legislative requirements, which in turn drive demand for cybersecurity.”
While all three factors are important, it is the latter two, namely insurance requirements and government regulation, that have the most impact on the mass market. Overall, without having acknowledged that this is what we are doing, we have essentially embraced the idea that if we do things right, cybersecurity maturity will "trickle down" from the largest enterprises to SMBs and other market participants. The government doesn’t have effective ways to regulate the whole market, but it has established a solid playbook for overseeing publicly traded corporations. By enforcing rules that demand higher maturity from public companies, it expects that they will be incentivized to impose more stringent security and compliance requirements on their thousands of suppliers, thus “trickling down” security to other parts of the market the government has no resources to oversee.
Everyone has a role to play in solving the cybersecurity poverty line problem
Typically, the advice for tackling the problem of the cybersecurity poverty line sounds something like the following:
Focus on basics such as patching and security training
Look for cost-effective solutions
Work with service providers
Increase security budget
While all this is certainly valid, I don’t think we will solve much by offering advice to those who are not in a position to make the best use of it. It is akin to telling people who are struggling with their finances to “become better at budgeting”: not exactly wrong, but in practical terms quite unhelpful. Instead, I think there is a lot that we as an industry can do to create conditions for organizations living below the cybersecurity poverty line to level up their security defenses.
Role of technology vendors
The number one thing technology vendors can do to help overcome the problem of the cybersecurity poverty line is to build their products secure by default. Whether we are talking about large infrastructure providers like Amazon, Microsoft, and Google, or smaller SaaS companies and self-hosted/deployed software, all of them have the ability to make security accessible to those without large security budgets. Tech companies should also be enforcing secure defaults, such as requiring users to enable multi-factor authentication (MFA), disallowing default universal passwords, and disabling default public accessibility (e.g. AWS S3 buckets).
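To make the three secure defaults above concrete, here is an added example (not code from the original post or from any vendor it mentions) of a small audit that a product team could run against its shipped configuration before release. The configuration keys (`mfa`, `initial_admin_credential`, `storage.block_public_access`) and the two sample configs are constructed for illustration and do not correspond to any real product's settings; the short list of "known default passwords" is likewise illustrative, not a real wordlist.

```python
"""Audit a product's shipped defaults against a secure-by-default policy.

Added example. The config schema below is hypothetical; adapt the key names
to the product being audited.
"""
from dataclasses import dataclass
from typing import Any

# Constructed, illustrative set of widely published factory credentials.
# A real audit would use a maintained list, but the check shape is the same.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", ""}


@dataclass(frozen=True)
class Finding:
    setting: str
    observed: Any
    issue: str
    remediation: str


def audit_defaults(cfg: dict) -> list[Finding]:
    """Return one Finding per secure-by-default rule the shipped config violates.

    Missing keys are treated as the weakest option, because a default that is
    not set at all is exactly the gap a first-time operator will never notice.
    """
    findings: list[Finding] = []

    # Rule 1: MFA must be required for every account, not merely offered.
    mfa = cfg.get("mfa", "optional")
    if mfa != "required":
        findings.append(Finding(
            "mfa", mfa,
            "multi-factor authentication is not enforced",
            "ship with mfa=required; make any exception an explicit admin decision"))

    # Rule 2: no universal initial credential shared across every install.
    cred = cfg.get("initial_admin_credential", {})
    mode = cred.get("mode", "static")
    if mode == "static":
        value = str(cred.get("value", ""))
        detail = ("value is a widely published default"
                  if value.lower() in KNOWN_DEFAULT_PASSWORDS
                  else "same value on every install")
        findings.append(Finding(
            "initial_admin_credential", mode,
            f"universal default password ({detail})",
            "generate a per-install secret or force the operator to set one at first login"))

    # Rule 3: stored data must not be anonymously reachable unless explicitly opened.
    storage = cfg.get("storage", {})
    if not storage.get("block_public_access", False):
        findings.append(Finding(
            "storage.block_public_access", storage.get("block_public_access"),
            "new buckets/shares are publicly readable by default",
            "block public access by default; require an explicit, logged override"))

    return findings


def is_secure_by_default(cfg: dict) -> bool:
    """True when the shipped defaults violate none of the rules."""
    return not audit_defaults(cfg)


# Constructed sample: the kind of defaults the post argues against.
WEAK_DEFAULTS = {
    "mfa": "optional",
    "initial_admin_credential": {"mode": "static", "value": "admin"},
    "storage": {"block_public_access": False},
}

# Constructed sample: the same product with the three defaults corrected.
HARDENED_DEFAULTS = {
    "mfa": "required",
    "initial_admin_credential": {"mode": "set_on_first_login"},
    "storage": {"block_public_access": True},
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DEFAULTS), ("hardened", HARDENED_DEFAULTS)):
        print(f"{name}: {'OK' if is_secure_by_default(cfg) else 'FAIL'}")
        for f in audit_defaults(cfg):
            print(f"  [{f.setting}={f.observed!r}] {f.issue} -> {f.remediation}")
```

The point of the "missing key is the weakest option" rule is that an undecided default is still a default: whatever a fresh install does when nobody has touched a setting is what most customers below the poverty line will run with indefinitely, so the audit has to fail on absence, not only on an explicitly weak value.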
Role of companies with mature security teams
Over the past decade, a small subset of companies and organizations were able to mature their security posture. Today, there is a lot they can do to help those who are less fortunate to implement the right security measures.
Companies that build their own solutions in-house can find ways to share them as open source projects without endangering their own security posture. Netflix, Brex, Meta, Microsoft, and countless others did that, and I am hoping many more companies will soon follow suit. While those who live below the cybersecurity poverty line may not be able to afford the expertise to run open source solutions, contributing back to the industry’s knowledge base is likely to accelerate knowledge-sharing and help those in need.
Another way to encourage knowledge-sharing is by letting security professionals share their learnings with their peers. Too many companies do not allow the employees on their security teams to present at conferences and share their learnings with others in the industry. While there may be legitimate reasons not to, and it’s natural that not everything should be shared, there are plenty of examples showing that mature security teams can find the right level of granularity to share their expertise while safeguarding their organizations. Companies such as Netflix and Coinbase, to name some, have shown how this can be done well. Additionally, high-caliber security talent can be dissuaded from working at organizations that don’t allow them to build a personal brand, engage with the community, and showcase their learning and development. If you’re struggling to recruit and retain talent, you need to be removing such barriers, not adding them.
Role of security practitioners
There are myriad ways in which security practitioners can help organizations below the cybersecurity poverty line. First and foremost, they can offer consulting to small businesses, charities, and non-profits which tend to struggle with security because of a lack of knowledge and a solid budget. From becoming a part-time security leader, virtual CISO (vCISO), or fractional security consultant, starting an SMB or school-focused business, to getting involved with charities and offering help for free, people with experience in cybersecurity can make a huge difference in society. Another way to help is to mentor people working for the government, non-profits, and small businesses, or provide information technology (IT) services on security.
Role of security vendors
Over the past several years, we have started to see a large number of security vendors voice their concerns about the cybersecurity poverty line. While their sentiment is valid, it appears that many security companies gloss over their own role in solving the problem.
Some of the ways in which cybersecurity providers can make a difference and be the change they would like to see in the world include:
Making it possible for smaller organizations to access best-in-class solutions by getting rid of mandatory minimums, making their products available in self-service models for small-scale deployments, etc.
Pricing their product offerings based on geography, in a way that makes them accessible to customers outside of the US.
Providing free or heavily subsidized security solutions to charities, non-profits, and educational institutions training the next generation of cybersecurity professionals.
Role of investors
The role of VCs is not to save the planet but to generate financial returns for their Limited Partners (LPs). For that reason, it is hard to come up with some blanket recommendations and suggest that they “should” start investing in SMB- or critical infrastructure-focused security solutions, to name a few. If there is an opportunity to make money, VCs will be betting on it, and vice versa, if they don’t see such an opportunity, they won’t. That said, it’s a bit of a chicken-or-egg problem: the more capital is allocated to a certain area, the more companies will be able to channel their marketing budgets to educate prospective buyers, and the faster the industry segment will mature.
I hope that in the coming years, we will see more ambitious founders coming up with new go-to-market approaches to tackle underserved organizations, and more VCs willing to keep an open mind, spot an opportunity where there wasn’t much before, and support the entrepreneurs to make their vision a reality.
Closing thoughts: we must democratize cybersecurity
Industry insiders like to play with numbers estimating how big the security market is today and how fast it is growing. However, when we take a closer look at the industry, it becomes clear that there is nearly a 1:1 ratio between the top buyers and sellers of security, with ~5,000 vendors trying to sell to the same ~5,000 enterprises. It’s a form of the Pareto principle: 80% of startups are selling to 20% of customers, and 20% of customers are responsible for 80% of the security market revenue. Now that I think about it, 90/10 is probably more likely than 80/20.
While things aren’t looking great and there is a lot that needs to be done to ensure that security is going to be accessible to everyone, and not a luxury available to a select few, it is equally important to acknowledge the progress we are making. Thanks to initiatives such as Common Good Cyber by Global Cyber Alliance, CyberPeace Institute, Hackers Without Borders, and Cyber Poverty Line Institute, the voices of people who are championing this important problem are becoming louder, and potential solutions are becoming clearer. Everyone seems to be aligned: from large vendors such as Cisco to think tanks such as the Atlantic Council and international non-governmental organizations such as the World Economic Forum, everyone is repeating how important it is to overcome the cybersecurity poverty gap. Now, all that remains is to put the outcomes of these conversations into action - something we have so far struggled to do effectively.
Rewrote my original comment using Claude:
# Perspective on Security Solutions for SMBs and NGOs
I partially disagree with the overall message presented, particularly regarding the following points:
- High minimum requirements for security services
- Awareness of solutions
- Charities' desire for security despite lack of funding
## Background and Experience
Having worked in businesses ranging from two-person operations serving SMBs to Fortune 100 companies, and attempted to provide consulting to charities, I've gained a unique perspective. Charities, in particular, often struggle more than for-profit entities with business organization and practices, reflecting their different goals and ownership structures.
## Historical Context: PGP and Its Relevance
Consider how PGP was created by a nuclear activist for secure government communications. It's still used today but criticized for poor UX. This makes sense given it wasn't designed for mass adoption but for highly technical individuals. This example illustrates the challenge of translating such solutions to non-technical NGOs operating in hostile territories.
## The "Secure by Default" Approach
The solution lies in "secure by default" products. We shouldn't expect users to understand the problem; instead, provide them with solutions that work without requiring deep technical knowledge.
## Financial Challenges
The critical question is: who pays for these solutions? NGOs often can't afford market rates. Similarly, SMBs struggle to justify the cost when they can't articulate the problem due to unclear existing processes. Many don't want education; they want solutions that don't require additional thought.
## Business Realities and Security Priorities
Most businesses don't prioritize security because:
1. They don't see it as essential for profit margins.
2. There's often a lack of incentive to change.
3. Plausible deniability exists until they're made aware of issues.
4. The cost-benefit analysis often favors inaction (cost of security > perceived cost of a breach).
## Root Causes of the Security Problem
I believe the current situation stems from:
1. Lack of secure-by-default solutions
2. Unrealistic expectations for business owners/operators to become security experts
3. Fundamentally flawed business processes ("building houses on sand")
## A Path Forward
For those targeting SMBs with security solutions, I recommend focusing on scalable solutions that improve business efficiency and communication while being secure by default. This approach is more likely to have a significant impact than targeting businesses individually for security improvements.
Ultimately, you can't prevent every security breach, but you can create systems that identify potential threats and mitigate damage. However, businesses won't invest in such solutions unless required by regulations. Therefore, the key is to develop products that are inherently secure while providing broader business value. Which is nothing new and has been elaborated on at length on this blog before.
The rewrite lost some of the message, but the gist is the same. I’ve spent a lot of time thinking about this problem and how to solve it: https://github.com/rmusser01/Infosec_Reference
That is my attempt at making a difference: by publicizing and making available a baseline of techniques and knowledge (more in-depth than ATT&CK) for anyone and everyone globally for free. It has had an impact and I have been told so by industry professionals as well as foreign (to me) governments. So I’m not saying it’s all doom and gloom, but it’s not some ‘aha!’ problem that can be solved by any single product; existing business processes are the blocker.
crowd has a pro bono program for non-profits and NGOs that includes the solid full products and services, it's not some bargain-bin bs. It's been around for many years. I think it's reasonable to ask the bigger vendors to do their part keeping Doctors Without Borders (I have no idea if they are part of our program, just an example of an org I would hope our industry isn't trying to profit on).
PS. no bully pls