Sign in Subscribe

Your Cybersecurity Program Needs More Beer

No, I'm not suggesting team-wide happy hours (NTTAWWT).

Bill Bernard

7 min read
Your Cybersecurity Program Needs More Beer
The ceiling display at the now closed Captain Pabst Pilot House, in Milwaukee WI circa 2019. (taken by me)

Ah beer. The cause of, and solution to, most of life's problems.1 There are a number of ways your cybersecurity program needs more beer, but no, more corporate happy hours aren't what I'm talking about.

Beer is one of the world's constants, a known commodity since around 4000 BCE, something counted on by everyone no matter their social standing for various purposes across history: nourishment, preservation, and revelry. Beer was misunderstood in the beginning - the role of yeast and bacteria in fermentation went undiscovered for millennia, yet it worked just as everyone needed and expected it to. Beer is one of the closest things we have to alchemy, it isn't lead into gold, but it is barley into, well, beer.

You Only Need a Few Ingredients

Beer is really four ingredients: malted barley, hops, yeast, and water. Yes, that's it. The near infinite variety in beers, from IPA to stout and Helles to Dunkleweizen, is about playing with those four ingredients. How long and dark do you roast the barley? Which strain of yeast do you use? What variety of hops? What does your local water taste like? The entire rainbow of pale yellow through luscious red to opaque mahogany come from these variations in ingredients and processing.

Oh sure, there are wheat beers, rice beers, and rye beers. There are fruit beers, CBD beers, and beers that have had the alcohol removed. Beers with bacteria provided funk! Beers with engineered yeast to ferment to higher ABV. But at the heart of it is still malted barley, hops, yeast, and water.

Your cybersecurity program can be the exact same way. You can focus on the foundational stuff, and find that those things can cover a great variety of your cybersecurity wants and needs. After all, we don't all need fruited sours, Hefeweizen, or 32%ABV beer.

What are those base ingredients for cybersecurity? Well, you could do worse than starting with the advice in this blog:

Lather, Rinse, Repeat - the Never Ending Cycle of Good Cybersecurity
Like your doctor says when you go in for that annual physical you skipped: eat more veggies, get more exercise, sleep well. The same holds true for good cybersecurity - it’s the repetitive, boring stuff that often matters most.
Between Two FirewallsBill Bernard

Remember, too, that just like beer your cybersecurity program can have too many ingredients, too many "unique" properties, and suddenly you're pouring the whole batch down the drain, and nobody likes that.

You Need Exacting Processes

Attention to detail is crucial in beer making. Time, temperature, ingredient ratios, sanitation, and safety are all critical to the beer making process. The beer needs continuous monitoring throughout the process, though that monitoring is more involved during certain stages than other. Once you have a recipe for success, you have to be able to repeat it. Again, and again, and again.

Yes, there's room for experimentation. After all, variety doesn't happen without adjusting recipes from time to time. And a beer that hits the spot on a sunny 85o day after a fantastic softball game2 is likely to be very different than the one that you crave when you've just come in from shoveling the latest 6" of snow from the driveway. I know it is for me anyway.

But mess with the basics and you can contaminate the beer, throwing off the flavor, color, body, and even potentially exposing your drinkers to disease.

Your cybersecurity program needs to be every bit as regimented. Monotonous you say? Yes, that's the goal. A boring but effective security program is much better than an exciting and ineffective one, wouldn't you say? Your security program needs continuous monitoring, a highly detailed inventory, and standard operating procedures that you actually do and practice doing.

You Need To Anticipate Your Customers' Wants

Beer can take weeks to months to brew. (Yeast works on its own schedule, you can only do so much to influence that) So if you want an Oktoberfest beer ready for late summer, you need to be brewing it months in advance so you can keg/bottle/can it and get it out for distribution in August on time. That means you have to have gotten the right ingredients ordered even earlier. And your brewing equipment needs to be available to brew this beer - you can't have something else taking up the tank space.

Your cybersecurity program needs to be able to do the same thing. If you're not anticipating and getting out in front of your company's cybersecurity needs you'll be like the brewer who releases their Oktoberfest beer in October3 - late and leaving your continued viability in jeopardy.

Your Beer Didn't Come Out Right? Add More Hops!

Ever wonder why every brewery's first 52 different beers are all IPAs?4 There's a sad truth to brewing: if the ale didn't come out quite right keep adding hops. Eventually it will be bitter enough nobody will notice the issues with the beer.

OK, maybe that's not quite true, but adding hops to an "iffy" beer is a tried and true way to get past a few mistakes and make things better. Eventually as you become a stronger brewer you won't have to do this, and you can make good beer without the compromise of over-hopping it.

🍺
IPAs - India Pale Ales - were something of a compromise beer. British soldiers thousands of miles away from home were fed up with their beer arriving from home spoiled (refrigeration didn't exist yet) and so the brewers added more and more antiseptic compounds - hops! - to their brews so when the soldiers in India finally got their beer at least it wasn't spoiled. Eventually the soldiers returned home and they had developed a taste for the bitter brew. So yes, we all have England's imperialist history to blame for inflicting IPAs on the world.

If you're a novice at building a good security program, you, too, have a hops equivalent you can turn to. Standards and frameworks like the NIST CSF, CIS Critical Controls, many others that can help you take a mess of a program and get it functioning better than it is today. These standards won't make up for fundamental issues, but they will help you better identify them and improve on them while you strive to improve your art. And just like hops in beer, these never really go away, they're always part of a good final product.

Beer, the Gateway Food to Bread

For thousands of years the way to get yeast-risen bread was to gather suds from the local brewer and mix them into your dough. This was in the days before yeasts were identified, and before sourdough starters were really a thing.5 Without beer mankind would have been stuck with only noodles, gruel, and unleavened breads for centuries longer than necessary.

So, too, your security program can be a gateway to bigger and better things for your business - if you have the foresight to make it so. A quality system inventory can be very valuable to your IT, accounting, and other teams. A well maintained user account inventory can support your HR, IT, and other teams as well. The tech you deploy can have great benefit to your development teams and others. But only if you're sharing, and collaborating.

Get Funky to Meet a Niche Need

There are plenty of examples of beers with real FUNK in them. Belgian ales are often "yeast forward," which tends to bring interesting flavors not common in either English ales or German lagers. Then there are the sour beers, the Gose and Berliner Weiss as examples. One of my personal favorites was an open-fermentation beer brewed by a now defunct brewery in Milwaukee. It was the brewing equivalent of a sourdough bread, and it had some sweet, some tart, some fruit, and some pop all because the naturally occurring yeasts (and bacteria in the area) were allowed to do the fermentation - not cultivated and commercially supplied yeast. If I lived within their distribution range I can promise you I would have kept them in business just buying that beer! It fit a niche need for me, and that was great. Unfortunately for them, they didn't have their other bases covered well enough to survive.

The label for that open-fermentation beer. Sadly the brewery closed in Fall 2017.

Your security program may have to get funky to solve some issues for your organization, but the time to get funky is after you've mastered the basics and have a solid program already running. I know, the realities of business don't always allow for that, and ideal state isn't realistic for many of us. Just keep in mind that you have to balance the "run of the mill" lagers and ales with the funky beers, or you're going to find you're missing coverage you need in your menu/security program.

Thirsty For More?

I hope you are. I hope you're ready to add some beer to your cybersecurity program. Just remember to secure responsibly, don't drink and authenticate. And I'll see you at the brewery, metaphorically or otherwise.

1 As per noted philosopher Homer J Simpson, though he actually said "alcohol," I'm taking poetic license here.

2 As a Chicago area kid I must insist that 16" softball is the version of choice, played, of course, without gloves.

3 Oktoberfest is traditionally celebrated from late September through the first Sunday in October, or October 3rd, which ever is later.

4 Of course, it's really only first 5 beers, but sometimes it seems like more.

5 You remember sourdough starters, those things you got into during COVID lock down as you started experimenting in your own kitchen again.

💡
Particular companies and brands were mentioned in this blog. I have no financial relationship with any of them, and merely mentioning them should not be construed as endorsing them or their products. Please, make your own decisions based on your own needs and research.

Sign Up To Keep Up - Get Alerts For New Posts

Enter your email
Subscribe