Wendy Nather · @wendynather
2295 followers · 2651 posts · Server infosec.exchange

We can’t really address the underlying dynamics of the #securitypovertyline if we don’t even know what constitutes effective security or whether it’s even affordable for most orgs.

#securitypovertyline

Last updated 2 years ago

Wendy Nather · @wendynather
2295 followers · 2649 posts · Server infosec.exchange

Another thing I’m thrilled to see: the growth of Applied Cybersecurity Community Clinics, where cybersecurity students get hands-on experience doing pro bono work for those below the #securitypovertyline: strausscenter.org/events/infor

#securitypovertyline

Last updated 2 years ago

Wendy Nather · @wendynather
1551 followers · 907 posts · Server infosec.exchange

@boblord @jack_daniel @accidentalciso It’s true that the loudest, most visible representatives of #infosec at conferences are military, financial institutions, and tech companies (along with security vendors, duh). It’s especially important in #policy to give a voice to everyone else, which is why I keep harping on the #securitypovertyline. Nobody’s going to step on a stage and say “Our security sucks,” but these stories need to be told.

#infosec #policy #securitypovertyline

Last updated 3 years ago

Wendy Nather · @wendynather
991 followers · 413 posts · Server infosec.exchange

@0x7eff @mdfranz @gdbassett That’s how I phrase it when I talk about the #securitypovertyline — they need budget, expertise, capability, and influence.

And expertise is more than just awareness or training; it includes the experience to know what to do with something you’ve never seen before.

youtu.be/7c-HrJmPj2Q

(talk starts about 10 minutes in)

#securitypovertyline

Last updated 3 years ago

mrjhnsn :verified: · @mrjhnsn
119 followers · 74 posts · Server infosec.exchange

One of my clients recently requested I do a security audit of an associated but independent side org.

There’s only 3 users and apparently an on-prem server. (They didn’t even know that’s what the computer in the corner of their office was.)
Their is unpatched.
Security has never been something they’ve even spent 10 seconds thinking about.

The SMBs I take on as clients often aren’t even doing any attempt at #defenseindepth until I’ve run through their stuff. Small non-profits like this example are even worse off. MFA? Yeah right. Password managers? You must be high.

There has to be a better way to serve these small orgs that’s not snake oil, and help them put up a solid defense somewhere above the #securitypovertyline.
/rant

#exchange #wordpress #defenseindepth #securitypovertyline

Last updated 3 years ago