Every enterprise has a minimum viable security posture. Fall below it, and you're not just vulnerable—you're insolvent.
The cybersecurity industry has a measurement problem. We've convinced ourselves that security is binary: you're either "secure" or you're not. But that's not how risk works.
In economics, the poverty line represents the minimum income required to meet basic needs. Fall below it, and you can't survive. Exceed it by 10x, and you're comfortable—but there's a point of diminishing returns.
Cybersecurity works the same way. Every enterprise has a cybersecurity poverty line—the minimum security posture required to survive in their threat environment given their risk profile, industry, regulatory obligations, and organizational capacity.
"The problem isn't that we're spending too little on security. The problem is we have no idea what 'enough' looks like for OUR organization."
— CISO, Fortune 500 Financial Services
Traditional approaches can't tell you where your poverty line is. They sell you "best practices" that might be overkill for a regional manufacturer or catastrophically insufficient for a critical infrastructure provider. They tell you to "adopt zero trust" without considering whether your organization can actually implement it.
Risk Aperture calculates YOUR poverty line based on YOUR enterprise reality.
Different enterprises have fundamentally different minimum security requirements
A regional manufacturing company and a multinational bank have fundamentally different threat profiles, regulatory requirements, and risk tolerances. Yet most security frameworks recommend the same controls for both.
Your poverty line is calculated based on your specific threat environment, industry regulations, business model, data sensitivity, and organizational capacity to implement and maintain controls.
Six factors that define your minimum viable security posture
Who's targeting you? Nation-states, ransomware gangs, opportunistic attackers? Your adversaries determine your minimum defensive posture.
HIPAA, PCI-DSS, CMMC, GDPR, state privacy laws—regulatory obligations create non-negotiable minimums.
SaaS company? E-commerce? Critical infrastructure? Your revenue model and customer commitments define risk exposure.
What data do you hold? PHI, financial records, trade secrets, or public information? Data value determines attack motivation.
Team size, budget, technical debt, and culture. You can't implement what you can't sustain.
Board appetite for risk, insurance coverage, incident history, and business resilience capabilities.
The stakes couldn't be higher
Breach is a matter of when, not if
Regulatory penalties likely exceed cost of fixes
Insurance claims may be denied
Business continuity at serious risk
Risk reduced to acceptable, quantified levels
Compliance requirements demonstrably met
Insurance positions strengthened
Board can justify security investment
Methodology built on 20+ years of DoD and Fortune 500 experience
We analyze your industry, geographic presence, business model, and digital footprint to identify likely threat actors and attack vectors. This isn't speculation; it's based on our threat intelligence database and a decade of incident response experience.
Every applicable regulation, standard, and contractual obligation is mapped to specific control requirements using OSCAL frameworks. These create your non-negotiable baseline.
What are your crown jewels? Which systems, if compromised, would cause existential harm? We quantify business impact across confidentiality, integrity, and availability.
Team capabilities, technical debt, budget constraints, cultural factors. Your poverty line must be achievable—we factor in what you can actually implement and sustain.
Combining all factors, we calculate the minimum control set required to keep your residual risk within acceptable bounds. This is YOUR poverty line—contextualized, quantified, and defensible.
Foundations doesn't just tell you your poverty line—it shows you the gap between where you are and where you need to be, prioritizes investments by impact, and tracks your progress over time.
Board-ready dashboards, executive summaries, and detailed technical roadmaps—all personalized to your organization.
Stop guessing. Stop overspending. Stop underspending.
Get data-driven clarity on your minimum viable security posture.