30in30 – Post 13 – Cultivating Cybersecurity: Unveiling the Surprising Similarities between Gardening and Cybersecurity

Welcome to the 30-in-30 blog campaign! I’m excited to launch this initiative, which involves publishing a brand new blog post every single day for the next 30 days. I will not mince words about this. It is hard to keep it up, stay engaging, relevant and interactive. More about this campaign is at the end of this article.

One might not expect to find any similarities with cybersecurity and the peaceful realm of gardening. However, upon closer inspection, it becomes evident that the two share more in common than meets the eye. From the careful nurturing of plants to the protection of sensitive data, the parallels between gardening and cybersecurity are surprisingly abundant. So, grab your gardening gloves and your security hat as we embark on an amusing exploration of these unexpected connections.

This article was inspired by a LinkedIn post by Jesse Miller, the founder of PowerPSA. Congrats on getting your new tractor Jesse!

Throwing tools at a problem doesn’t solve it. But don’t get so dogmatic that you pass up legitimate uses for them. Working on our big garden this year, it became pretty clear. if I wanted to get it in before fall, something more than just my two hands would be needed. So, I finally had the justification to buy my first real tractor.

In 45 minutes I had our entire 60×60 plot plowed. Something that would have taken all day with a walk behind. And there’s many other things it’s going to speed up around here. In the same way, yes, you should make sure your people, processes, and existing technology are fully optimized before adding new stuff to the mix.

But don’t discount the ROI on getting an extremely helpful tool, either. Just be able to justify it.

Some people are just buying the tractor in security, with no idea how to use it. It’s a good analogy, as it highlights a need to have a base level of knowledge and a plan to make effective use of the tool.

If a company focused on the outcome of the garden, they could do the cost and effort analysis and determine the best course of action.

Lets dig into the analogy a bit more and how organizations approach cybersecurity. If the goal is to create a garden, which would be a plot of earth that produces vegetables, the analogy would be implementing a cybersecurity plan that yields benefits of time when nurtured. Those benefits, instead of tomatoes and cucumbers, would be risk reduction, regulatory compliance, cost reduction, protection of personal information, client trust, etc.

When an company looks at implementing a cybersecurity plan, there is the discussion of using tools, people and process in different ways that make sense for the organization. In the same way that using a tractor for a garden to speed up the process of tilling, security tools can help achieve the objectives of a cybersecurity plan. However, they are not the be-all and end-all. Below are some garden examples and the their cybersecurity parallels.

How an organization can build a garden. Or how an organization can implement a cyber security plan.

1a) Garden: Use existing staff, buy the tractor and build the garden.

1b) Cybersecurity Plan: Use existing IT operations and buy some security tools. Hope that the staff know how to use them, or have time to learn, implement using best practices, and manage, in addition to their current workload.

Outcome uncertain, and costs need to be distributed across multiple technology solutions.

2a) Garden: Hire staff to learn how to use the tractor, buy the tractor and build the garden.

2b) Cybersecurity Plan: Buy security tools. Leverage staff augmentation or new hires to learn the tools, implement using best practices, and manage them.

Outcome desired more likely. Very expensive, in the millions of dollars and years to implement and refine effectively. For example, the minimum number of people required to run a SOC 24/7 with all the roles and capabilities required to be effective, is about 12. At an average salary of $150K a year, you can see the costs get very high, very quickly. An you still have to buy the tools.

3a) Garden: Hire a gardener to show you how to properly build a garden, then allocate money based on the strategy and timeline.

3b) Cybersecurity Plan: This is the CISO / vCISO strategy. It is a good way to define a plan, and has great showback of value to the organization. You still need to deploy and manage tools, services and people, but it can be done strategically. You can prioritize efforts based on risk levels and budget.

Outcome is sound with quantitatively justified costs and timelines. You can think of this as a guiding overlay that makes sure efforts are in the right direction and that vulnerability exposures are not as easily missed.

4a) Garden: Hire a company that has a good track record of building and maintaining sustainable gardens.

4b) Cybersecurity Plan: This would be akin to outsourcing to an MSSP, or more tactically, an MDR / XDR (Managed Detection and Response / Extended Detection and Response) Service Provider. This is a very cost effective way to implement a strategy that mitigates risk and improves security posture. I work for a very good organization that provides this service, so I may be partial to this strategy. 🙂

Outcome is very cost effective, does not burden existing staff with additional work and the services will often remove the need to purchase and manage the majority of additional tools.

5a) Garden: Buy the vegetables at the store. Forget the garden.

5b) Cybersecurity Plan: This is like implementing IaaS / Cloud / SASE. It removes some of the need for managing on-prem tools. Much of the risk is transferred to the service provider / hyperscaler, but not all of it. You simply have to use new tools, enable logging for everything and get staff that understand the security intricacies of the cloud models. If you are running in a hybrid mode, then that could be even more complex.

Outcome is ineffective as a singular strategy. Moving to cloud will not inherently make you any more secure, but it will allow you to shed some technical and security debt.

6a) Garden: Eat out, where the vegetables are already cooked for you.

6b) Cybersecurity Plan: Use SaaS services. This works for many things, but is never a silver bullet for everything. This is good as part of a modernization plan, or for organizations with fewer staff, where its easy to change if need be. The biggest problem with IaaS and SaaS is that although its easy to start, its very expensive to succeed with or remove later. The larger an organization is, the more they need to do the cost analysis of cloud spend vs on-prem spend.

Outcome is good when used as part of a strategy, but not the entire strategy. Just like a fine wine is a good when pairing with food, a bottle of wine is not a good dinner on its own.

7a) Garden: Forget the tractor. Get some shovels and get dirty.

7b) Cybersecurity Plan: This is similar to just scraping by with what you have and building a solution yourself with pet projects, open source solutions a lot of time, and no budget.

Outcome is ineffective, costly when accounting for time spent by staff, and often there is no measure of the success, other than if there is a breach or not.

8a) Garden: Forget the tractor, shovels and the garden. Use existing staff to stand in mud.

8b) Cybersecurity Plan: This is the do nothing approach. Everything is fine. Until it isn’t.

Outcome is the worst of the bunch. You will get breached and that will be costly. It will be amazing how fast you get the budget to fix a leaky boat when the water is coming in. Otherwise it sinks, and the organization ceases to exist.

9a) Garden: Take a picture of a tractor and buy vitamins.

9b) Cybersecurity Plan: This is Artificial Intelligence. Just like vitamins, it helps you fill the gaps of your diet. It is not a strategy on its own. Don’t believe the hype.

Outcome is supportive when used with other strategies. Not a good idea to solely rely on it. Best case scenario, you will still need to hire people to interpret the alerts and do the investigations from the findings in the system. That can be expensive, and there are more effective ways to spend budget.

Final thoughts

Cost: Green Thumbs and Greenbacks:

Just as gardening enthusiasts must invest in various tools, equipment, and resources to maintain a flourishing garden, organizations must allocate a budget to safeguard their digital landscapes. Both gardening and cybersecurity require careful financial planning. Just as plants need fertilizer and sunlight, cybersecurity requires investments in firewalls, intrusion detection systems, and other protective measures. Remember, a lush garden doesn’t grow on a shoestring budget, and neither does a secure IT infrastructure.

Outsourcing: Calling in the Experts:

Gardening aficionados often seek the assistance of professional landscapers to tackle complex tasks, design elaborate layouts, or even maintain their gardens when they are away. Similarly, organizations may choose to outsource their cybersecurity needs to Managed Security Service Providers (MSSPs). These experts bring their knowledge and experience, just like landscapers, to tend to the security needs of businesses, alleviating the burden on internal resources. After all, just as not everyone has a green thumb, not everyone can be an expert in cybersecurity.

Building a SOC: Sowing the Seeds of Security:

Just as a gardener creates a greenhouse to nurture delicate plants, organizations establish Security Operations Centers (SOCs) to protect their digital assets. The SOC serves as a control center, monitoring, analyzing, and responding to security incidents. It acts as a greenhouse of sorts, safeguarding the organization from potential threats. Just as a gardener must be vigilant about pests and diseases, the SOC team keeps a close eye on malicious actors and potential vulnerabilities in the cyber landscape.

MDR, XDR, and the Battle against Weeds:

In the gardening realm, dealing with pesky weeds is an ongoing challenge. Similarly, organizations face the constant threat of cyber threats, which can be thought of as the weeds of the digital world. Managed Detection and Response (MDR) and Extended Detection and Response (XDR) services come to the rescue, just as weed killers or herbicides help eradicate unwanted growth. MDR and XDR solutions ensure that any potential breaches are promptly detected and neutralized, minimizing the impact of cyber-weeds on the organization’s ecosystem.

vCISO: Cultivating a Security Vision:

Every garden needs a skilled gardener to tend to its needs and ensure its growth. Likewise, organizations can benefit from a Virtual Chief Information Security Officer (vCISO). A vCISO brings expertise and strategic guidance, much like a seasoned gardener, to cultivate a robust security posture. They analyze the organization’s security landscape, identify vulnerabilities, and provide actionable recommendations. A vCISO helps plot the security roadmap, just as a gardener designs a layout for the garden.

Adaptation and Pruning: The Ever-Changing Landscape:

Gardens and cybersecurity landscapes are in a constant state of change. Plants grow, seasons shift, and new threats emerge. Just as gardeners adapt their pruning techniques to control growth and maintain aesthetic appeal, cybersecurity professionals utilize Extended Detection and Response (XDR) solutions. XDR helps monitor and respond to threats across multiple attack vectors, enabling organizations to adapt to ever-evolving cybersecurity challenges.

Conclusion:

By drawing parallels between gardening and cybersecurity, we can bring a lighthearted perspective to the world of cybersecurity. It reminds us that just as gardens require careful planning, nurturing, and protection, our digital landscapes demand the same level of attention and care.

Thanks for reading this far.

My aim with this campaign is to provide readers with valuable content, insights, and inspiration that can help in their personal and professional lives. Whether you’re looking to improve your productivity, enhance your creative strategies, or simply stay up-to-date with the latest news and ideas in cybersecurity, I’ve got something for you.

But this campaign isn’t just about sharing our knowledge and expertise with you. It’s also about building a community of like-minded IT and security focused individuals who are passionate about learning, growing, and collaborating. By subscribing to the blog and reading every day, you’ll have the opportunity to engage with other readers, share your own insights and experiences, and connect with people in the industry.

So why should you read every day and subscribe? Well, for starters, you’ll be getting access to some great content that you won’t find anywhere else. From practical tips and strategies to thought-provoking insights and analysis, the blog has something for everyone that wants to get current and topical cybersecurity information. Plus, by subscribing, you’ll never miss a post, so you can stay on top of the latest trends and ideas in the field.

But perhaps the biggest reason to join the 30-in-30 campaign is that it’s a chance to be part of something bigger than yourself. By engaging with the community, sharing your thoughts and ideas, and learning from others, you’ll be able to grow both personally and professionally. So what are you waiting for? Subscribe, and for the next 30 days and beyond, let’s learn, grow, and achieve our goals together!