Breaking the cycle of security poverty

In cybersecurity, there are haves and have-nots. But securing everyone is a moral issue — and will be a benefit for all.

Cybersecurity depends on solid defense at every level. That includes inside your organization and far beyond — to partners, third-party contractors, in effect, just about anyone you connect with. Because you’re only as strong as the weakest link in the chain.  

That’s why it’s critical to spread the enterprise-level security wealth, and make solid cyber-defense all but ubiquitous, across every supply chain and business ecosystem, whether in the developed world or developing. Because we all depend on a secure world — and security and privacy are fundamental human rights.  

Too many organizations, however, are below the security poverty line. That’s a term coined by Wendy Nather, Cisco’s head of advisory CISOs. And it results from a complex combination of economic, technological, educational, and other factors.  

“It’s the constraints in the environment that affect the organization’s capabilities,” Nather explained. “For example, you simply cannot implement controls at the network layer if you don’t run your own network.”

It’s a situation that hackers are only too happy to exploit.  

“Smaller businesses are much more vulnerable by my estimation, especially in developing economies,” said Will Townsend, senior analyst at Moor Insights and Strategy. “Many lack basic knowledge or capabilities in security or the resources to begin the evaluation process.”  

As Accenture reported, 43 percent of cyberattacks target small businesses, but only 14 percent have the capabilities to protect themselves.  

But the stakes are high for every organization.  

“The concept of a security poverty line is that we live in a highly interconnected ecosystem,” said Jeetu Patel, Cisco’s executive vice president and general manager of security and collaboration. “Organizations aren’t operating as individual entities; they’re operating as a part of an ecosystem. That means that the weakest link in the ecosystem can actually bring down the entirety of the value chain.” 

Patel cited an example of just that.  

“Recently,” he continued, “an auto manufacturer had to shut down the entire production plant because there was a potential breach by one of the small component car parts manufacturers. You could have a hundred-dollar product and if someone along the supply chain has a 7-cent part and that 7-cent part gets breached, it can shut down your entire production line.” 

 

A moral imperative

Of course, raising billions more people above the security poverty line is also a moral imperative. And it will demand better education and skills, along with a reimagining of the technology, cost, and equity of cybersecurity. 

“It is our civic duty to ensure that everyone below the security poverty line has a level of safety,” said Guy Diedrich, who, as SVP and global innovation officer at Cisco, also leads its Country Digital Acceleration (CDA) program, which includes the Cisco Networking Academy. “Because it’s going to eventually be a human rights issue.”

It’s no surprise that many of the most impoverished regions and communities are the most poorly connected. The digital divide and the security poverty line are closely related. And once underserved communities are connected, it’s often with limited bandwidth and grave security gaps.  

“My definition of the security poverty line is the line below which an organization cannot be effectively protected,” said Wendy Nather, head of advisory CISOs at Cisco. “And I’ve broken down what they’re lacking into four categories: money, expertise, capability, and influence.” 

 

Innovation to the rescue 

If security poverty stems from a combination of budget shortfalls, inexperienced security teams (if there is a team), inadequate technology, and an inability to influence the security practices of partners, suppliers, etc., then how can we break the cycle? 

Automation is one place to start.
 
“Automating incident response and detection can help,” Nather explained. “Especially if you have junior people on staff, it can raise your capabilities. You can make up for a lot of that expertise with the right automation.” 

Technologies like Zero Trust, for example, enhance security without adding complexity.  

“Innovation in the form of simplification and infrastructure built on zero-trust principles that authenticate users to applications can go far to mitigate risk,” said Townsend, “especially versus a flat network.”

Cost, of course, remains a major challenge. And many public-sector and small-to-medium businesses still rely on outmoded, unsecured network infrastructures.  

“If you’re below the security poverty line,” Nather said, “it’s difficult to change your architecture.” 

Cisco is working to change the economics of the internet. By making technologies like the Silicon One chip available in a wider range of products beyond just mass-scale and enterprise-level infrastructure, the company is bringing great improvements in networking power and energy usage to many more people around the world, while adding simplicity and deeply embedded security advantages.  

“Our advancements in silicon, optics, software, and systems allow Cisco to uniquely simplify connectivity for everyone,” said Jonathan Davidson, “with the new architecture that we call routed optical networking. We worked with partners to improve connectivity with routed optical networking for Chicago public schools here in the U.S. They have increased capacity in their network 80-fold, and at the same time they’ve cut their annual cost by over half. Imagine the future if we did this for every school in every town in every nation.” 

 

Opportunities to upgrade, through circular design 

With its circular-design ethos, Cisco is also a leader in the recycling and refurbishment of older technology. For many organizations and regions, a previous generation of switches, routers, and other gear can still represent a huge leap forward in security and capabilities.  

Nather sees open-source solutions as another alternative, though she clarifies that many organizations may still not be able to afford the expertise to run them. That’s why she believes government subsidies for security may need to be discussed in certain countries.  

“Some basic security infrastructure or controls could be provided as a subsidized service,” she conjectured. “Government initiatives in places like Estonia can provide a good example.” 

Townsend agreed, while also citing the importance of other government initiatives, like privacy regulations.  

“Government subsidies work in certain parts of the world,” he said, “but legislation can also raise awareness levels and provide a framework for small and midsized businesses to start a cybersecurity journey. Europe has been a leader with its GDPR legislation and more needs to be done globally to ensure the same.”  

 

Two keys to a secure world: upskilling and education

It’s hard to increase your expertise in a world where 3 million cybersecurity jobs remain unfilled. So, closing the cybersecurity skills gap is core to lowering the cybersecurity poverty line.  

At a White House summit on the cyberskills gap this summer, Cisco pledged to train 200,000 additional U.S. cybersecurity workers in the next three years. Cisco’s Networking Academy will be a big part of that. It’s one of the largest technology skills programs of its kind in the world. And since 2003, Networking Academy has trained more than 17 million people with tech skills in 190 countries. Two million of them have studied cybersecurity.

“The Networking Academy is strongly aligned to Cisco’s purpose, powering an Inclusive Future,” said Laura Quintana, vice president and general manager of Cisco Networking Academy. “We are leveling the playing field and empowering people everywhere with career opportunities. Cybersecurity skills are in really high demand. So, there’s a significant opportunity to transform lives and tap into more diverse talent.”  

Townsend applauds global initiatives like Networking Academy and Cisco’s Country Digital Acceleration program, which has worked with 48 governments around the world to help transform — and secure — everything from agriculture and energy to education and healthcare.

“Training is critical,” Townsend said, “and partnerships between cybersecurity companies and colleges and universities to develop degree and certification programs can go far to close the worker gap. More companies should invest in education through programs such as Cisco Networking Academy and Cisco’s unique Country Digital Acceleration program.”

Security will be especially critical in the next few years, Diedrich added, as up to 500 billion new things are connected — all of which will need to be secured — and the global economy faces even greater upheavals.  

“According to the World Economic Forum, we’re going to have 85 million people displaced by digitization over the next two-to-three years,” Diedrich explained. “But at the same time, digitization is going to create 97 million new jobs. Security will be a big part of that. So, by upskilling, you are setting people up for a prosperous future. Because security is only going to be expanding.” 

As the U.N. and organizations like Cisco have affirmed, privacy and cybersecurity are human rights issues. And while digital innovation can benefit the world by supporting opportunity, education, sustainability, equality, and so much more, it will come to naught without security — for rich, poor, large organizations, and small.   

“Everything has to happen in parallel,” Diedrich emphasized. “If you’re going to be making investments in security and digitization of your country in general and you don’t have a parallel component in education, training, and upskilling, then you’re just throwing money down a technology black hole. You’ll never see the value of it if you don’t have the people there to execute.”

As Diedrich stressed, we simply can’t have global progress without security — and that means security for everyone.  

“Security is so fundamental to our mission of spreading growth, creating opportunity, and closing the digital divide,” he said. “You can’t do these things without security.” 

But as important as the efforts of technology companies will be, Nather believes that solving security poverty will demand wider resolve and awareness. The problem is deeply connected with other global inequities, so piecemeal solutions will only go so far.  

“The dynamics of security poverty are very close to the dynamics of regular poverty,” she said. “Systemic political, cultural, and economic challenges keep organizations in security poverty just as much as a lack of budget and personnel, and if we don’t address those, simply throwing money and training at the problem won’t solve it.”