From Farming To Cybersecurity
Inspired by the Unusual Journeys Into Infosec series, security researcher Janice Dyer tells us how farming and cybersecurity are similar in lots of ways.
A quick read of the "Unusual Journeys into Infosec" series demonstrates that information security professionals can come from anywhere. I am a social scientist with a background in natural resources. So how did I wind up spending the last 9 months binge-watching Cybrary videos, cramming for certifications, following every infosec-related Twitter account I find, learning Linux on an old desktop, playing Python coding games on my phone, and studying DoD's Risk Management Framework and DFARS standards?
Well, it all started several years ago on a 10-acre strawberry farm in rural North Alabama. (Cue the lively banjo music.)
No, really, it did. My last full-time job was as a project coordinator for a non-profit food hub. The position had me wearing many hats: sales, public relations, grant writing, lugging 40-pound cases of sweet potatoes, and more. It was a tough job that required being on-call 24/7 to handle fruit and vegetable emergencies (yes, that's a thing, usually in the form of broken-down trucks or moldy bell peppers). But my favorite hat to wear was my food safety hat, which I first donned on a strawberry farm. Bear with me, I promise I'm headed somewhere with this.
I helped farmers develop food safety plans and prepare for on-site inspections so they could be compliant with upcoming FSMA regulations. That's the Food Safety Modernization Act—not to be confused with FISMA, the Federal Information Security Management Act. There are fun acronyms in agriculture, too!
I would conduct inspections of farmers' facilities and point out things that required remediation, like the need for lidded trash receptacles in the employee break room or shatterproof light fixtures in the packing shed. But probably the most-appreciated service I provided was assistance with writing food safety manuals. These are long, boring written plans articulating various policies and procedures in excruciating detail, and often featuring lots of numbered sections, like 2.1.1b.
A lot of the content is just plain common sense ("workers will wash hands after using the bathroom"). They are accompanied by monitoring logs, historical records, and checklists presented during inspections to a food safety auditor. Let me tell you, farmers HATE paperwork.
Although, I did know some organic mushroom producers who were quite adept at it; but generally speaking, farmers loathe it. They would grumble about how they have never had any problems with their product, they're doing everything they're supposed to, and if they didn't have to spend so much damned time filling out stupid records, they could actually go about the business of growing their food safely!
Sound familiar? Well, maybe not the growing food part, but the rest of it?
Ok, here's where I'm finally going to make the connection between farming and information security: there's always risk. Always! And mitigating these risks has to take the business side of things into consideration.
Does triple-washing those greens in a sanitizing solution reduce the risk of contamination? Sure, but most small-scale farmers don't have the facilities or labor to handle that. Just like most small businesses aren't going to rush out and purchase every cybersecurity tool on the market.
But just like small-scale farmers need to evaluate their food safety measures, small businesses need to conduct risk assessments of their networks. Risk assessments provide a crucial framework for knowing what the risks are and determining whether current control measures are adequate. Also, just like farmers need to evaluate their policies and procedures annually to keep their practices up-to-date (especially as they integrate new tools and technologies), so too does any business that utilizes IT.
One important thing I learned in writing food safety plans is the need to acknowledge the risks that are there, not ignore them. I knew the food safety auditor sure as hell wasn't going to ignore them. I had to teach farmers to view their farm through the auditor’s eyes.
That cute, furry Pyrenees Mountain dog hanging around the farm? Risk! But, is there a justification for her presence? Yes. She keeps deer out of the watermelons, rabbits out of the strawberries, and strange people off the premises. And she's been trained not to poop in the crops.
Acknowledge the risk, articulate the chosen method (accept, avoid, mitigate, transfer) to address it, and provide reasoning for the chosen method. And do all this using language the auditor understands, in a format that makes sense to him (I followed a numbered template that mirrored his checklist).
In some cases (not many, but a few) a farmer actually made a change to their processes or protocols following a risk assessment. Writing their food safety manual and going through the risk checklist gave them pause. They realized there was some process they could reconfigure or even steps to eliminate to reduce the chance of contamination. I took great pride in helping them develop a culture of food safety. Farmers began to look at everything around them—water sources, chemicals, friendly visitors—as possible threats. And, perhaps even more important, they trained their employees to do the same.
About 9 months ago, someone made the connection between what I liked most about my last job—identifying risks and helping hard-working people address those risks and articulate control measures—and the growing need for cybersecurity professionals with these same skills.
It was an “Aha!” moment for me. I want to help the guy grumbling about paperwork, and how what he's done has always worked, and how the new rules are ridiculous bureaucratic bullshit designed to put him out of business.
I know my background isn't typical of those who go into cybersecurity. I know it'll be a tough row to hoe, to borrow an agriculture-related idiom. I have a lot to learn. But (said in my best Buddy the Elf voice) learning is my favorite! I like studying technology and poring over data. I know the skills I picked up shadowing auditors and tromping through fields are transferable to the infosec world. And it's going to take all stripes to address the employment supply gap facing the industry.
Some of those stripes might as well come from red Alabama clay soils.
Main Image Credit : The awesome piece of artwork used to head this article is called 'John Deere' and it was created by graphic designer Bob Case.