Showing posts with label maturity. Show all posts

Friday, May 1, 2020

Patient Gardening

I was pulling weeds in my garden last weekend, and it struck me that there are a lot of parallels between gardening and cybersecurity.  I’m always overwhelmed when I first look at the garden and see all the weeds and the disorder. I feel really discouraged, because I don’t know where to begin.  My first impulse is to attack everything at once, but every time I take that approach, I never feel like I’ve made any progress when I knock off for the day.  Over the years, I’ve developed a couple of strategies that may help you bring your garden in order, too.


Vertical strategy - Pick a weed
Decide on a single weed, and eradicate it from your garden.  I usually start with dandelions. Dandelions are a good choice from a risk perspective - a single plant can produce up to 15,000 seeds. Their distinctive yellow flowers make them easy to spot.  But dandelions have deep roots, and if you don't get the whole root, it will sprout again and be even harder to pull next time. I invested in a special tool to loosen the soil so I can get the whole root. Since I'm only targeting one weed, it’s pretty easy just to walk around the yard with the tool and pull every dandelion I spot. After about 10 plants, I develop a technique and get really good at uprooting dandelions.  I usually don’t need the tool for the next type of weed I choose, so I set it aside once I've gotten all the dandelions. It’s really gratifying to see the dandelions completely eliminated from my property!  Now that I've gotten them down to zero, it will be really easy to spot - and eradicate - any new dandelions that spring up.


Horizontal strategy - Pick a spot
Another way to go about weeding is to pick a small area - say your lettuce patch - and pull all the weeds in that small patch.  This technique is slightly more zen - you may be able to even sit down for a spell and pull all the weeds within reach.  It’s more immediately gratifying to completely purge a patch of weeds down to nothing but soil, and it allows you to get your priority areas to zero-defects.  Once you’ve cleared all the weeds, it’s also easy to keep clean - just pull up anything that pokes through the soil.


The great thing about pulling weeds is that it doesn’t have to be a big project if I don't want it to.  I don’t need a plan to be successful, but I do need a strategy.  It’s a group effort, and every little bit helps - I’ve persuaded each member of my family to pull a couple of weeds on her way out the door (assuming there’s no quarantine).

What are you doing to weed your garden?

Wednesday, April 10, 2019

Limitations

It's great to be confident. But, to quote Dirty Harry in Magnum Force, a man's got to know his limitations.

I'm not going to go into the Capability Maturity Model in this post - you can look it up yourself.  I don't really like the idea of giving an organization a single score on their capabilities, because I think most organizations are great at some things and pretty terrible at others, and you lose a lot of resolution if you try to pack all of that into one step.

I do think that a lot of organizations are delusional about their capabilities.  I recently read a Computer Weekly article by Warwick Ashford saying that 60% of the organizations they surveyed had had an outage due to digital certificates in the past year.  Sixty percent of organizations are having trouble managing their certificates.

In case you hadn't heard, certificates are the foundation of the Secure Web.  Browsers are starting to break sessions if the certs aren't good.  In words of two syllables or less: If you can't do certs, you will fail at the sexy stuff. Stuff like automation, single sign-on, big data, AI, and all the other cutting-edge things your boss wants you to do this year.

Almost any next-gen technology you build is going to rely on your infrastructure, and if you're having trouble with foundational capabilities like certificate management, or DNS, or routing, you may want to seriously rethink your roadmap.  Maybe it's time to stop fishing and cut bait for a while.

After all, a man's got to know his limitations.
