The 'security poverty line' and its impact on third-party cyber risk

Wendy Nather coined the term "security poverty line" (SPL) in a 2013 presentation delivered at the RSA Conference, bringing the well-known economic concept of the "poverty line" to cybersecurity. The security poverty line (also sometimes called the "cyber poverty line" or "cybersecurity poverty line") describes a situation in which a business is unable to attain a baseline level of security.
Although businesses of any size can find themselves below the poverty line, small and medium-sized businesses (SMBs) tend to be the most affected by the conditions that keep organizations from rising above it.
Larger organizations can still be affected by the SPL in two ways:
- If, for some reason, they lack the resources (including people and technology) to reach a level of security that would put them above the line, and
- If they have SMBs in their supply chain that are unable to achieve a baseline level of security, which exposes them to risks that can ripple through to the larger business.
For this post, we'll focus on this second challenge. Because larger companies often have resources and in-house expertise, they can help push their vendors and partners above the security poverty line. First, however, we must understand the nature of the problem.
The security poverty line
When a company is below the security poverty line, software is often left at default settings, workarounds are improvised to solve daily issues, and the resources available do not allow it to acquire a full suite of security tools or pay for the labor required to tune them. Its IT expertise and long-term planning capabilities tend to be limited as well.
It goes without saying that smaller businesses usually do not have the same kind of management structure that larger organizations do, but cybersecurity presents additional challenges that can undermine any attempt to make substantial improvements or mitigate risks.
Many of the challenges that place businesses below the security poverty line are mentioned in this interesting conversation between Wendy Nather, Joe Levy from Sophos, and Michael Daniel from the Cyber Threat Alliance. Some of the key issues include:
- There isn't much agreement on what works: Even experienced CISOs might have different opinions on which security products are "essential." Smaller businesses have limited budgets and can sometimes only afford the most important solutions. However, not many people in the cybersecurity space are comfortable stating what is or isn't a priority. Because smaller businesses often lack in-house expertise, they will have an even harder time deciding on these trade-offs by themselves.
- Budgeting is challenging due to secretive pricing models: Many security products, even those that would be helpful for SMBs, do not publicly disclose their pricing. Wendy Nather mentions that budget estimates can be off by as much as a factor of 4, which is problematic for managers working with budgets that are both small and often changing.
- Priorities do not align with security: Smaller businesses are often fully focused on competitiveness and their day-to-day operations. In non-profits, this can also manifest as difficulty justifying security expenses to donors.
- MSPs are under pressure: This point is discussed in another conversation with Tarah Wheeler. Managed service providers already spend a significant amount of time on governance, risk, and compliance (GRC) tasks for their clients, which makes their services more expensive. If an SMB cannot afford to do its own security and MSPs are similarly costly, many businesses might be left with no security at all.
Buying security is different for SMBs
When larger companies acquire software — especially SaaS solutions — they often need all the features offered at the most expensive tier or version offered by the vendor. With this, they also get all the security features available.
Unfortunately, even basic security features are frequently gated behind these higher tiers that SMBs otherwise don't need, creating what Kymberlee Price referred to as a "security tax" in a talk at LABSCon24. She cites a website dedicated to the Single Sign-on (SSO) "tax." Notably, many vendors refuse to disclose the pricing for SSO, often requiring customers to call them — which, again, creates budgeting challenges for SMBs. Pricing for this feature alone varies wildly from one vendor to the next, and some require a minimum number of seats before making it available.
SaaS platforms can also have pricing models that incentivize riskier security practices, such as sharing passwords to avoid paying for more users than they think they need.
Logging capabilities are also regularly restricted to enterprise offerings. The United States Cybersecurity and Infrastructure Security Agency (CISA) pressured Microsoft into expanding logging capabilities for customers that previously only had "standard" logging, after government agencies on higher tiers found that hackers were using a key stolen from Microsoft to access their email. While that expansion is a good thing, no other vendor has had to follow suit.
The total cost to SMBs can be even higher because they cannot afford discounted annual plans. Larger companies tend to have enough cash flow and planning to pay annually (or even negotiate lower prices because of their size), making security for smaller organizations comparatively more expensive.
What should large organizations do?
Because SMBs have a role as vendors to large organizations and are essential to their local communities, they are not the only ones bearing the risk of staying below the security poverty line. A security breach almost always impacts their customers in some way, regardless of size.
As part of their Third-Party Cyber Risk Management (TPCRM) programs, large businesses can be mindful of the challenges faced by smaller companies and assure them that they will not lose out on competitiveness because they're spending on security.
In other words, it's helpful to apply Secure by Demand principles and encourage third parties to be transparent about the cost of security on the services and products they provide, guiding them towards a baseline level of security.
This goes beyond the exclusive purview of the security team, however. It will require close alignment with, at a minimum, the business and procurement teams leading vendor selection. Otherwise, the signal related to the additional risk represented by a less secure vendor might be drowned out by the higher priority given to feature set and cost.
The TPCRM program can help build a cooperative atmosphere for sharing expertise and tools, especially when those tools are cheaper for the larger organization to procure. A solution like Zanshin reviews the security controls that are in place and surfaces many of the common issues that businesses below the poverty line might otherwise miss.
This helps ensure that vendors take care of their network and IT assets, and that they are not being chosen simply because they traded security away for a lower price.