Insider Insights Series: Cybersecurity, Gardening, and The Sunk Cost Fallacy

gardening tools, pots, and dirt

Insider Insights is a new series written by Foresite employees. We’ll explore the challenges faced by customers/organizations and feature different ways of looking a cybersecurity from those who practice it every day. 

I have alluded to my garden in previous blogs, our gardening attempts are to try to grow some food to supplement our grocery bill. However, to be honest, buy the time we buy seeds and fertilizer, the water bill, and time spent weeding I am not sure it really saves us money, but darned if it doesn’t feel awesome to take a bite out of a garden-fresh tomato. This year I got the garden in late then we were hit with a minor drought so the garden wasn’t as successful as it could have been. I felt this early in the garden experience, but I continued on, tried to keep up on watering, tried to stay on top of the weeds (although the strawberry patch turned into a massive grass pile that I could probably sell to a sod company), and come harvest time it was not that great of a harvest. Since I put so much time and money into building raised beds and finding dirt to fill them with, I tried to keep going with the garden. Even as I watched the heat and dryness wilt the plants regularly, I kept on with it and kept trying. I was the little engine that could.

From Hacking to Harvesting: What cybersecurity and gardening have in common

Enter the sunk cost fallacy. The idea that spending a lot of time and money on a particular effort means that the effort will turn into a worthwhile result. Since I weeded and watered some of the time it must mean that my garden will bear a bounteous harvest come harvest season. Yeah, that didn’t happen, the green beans were decent, but the beets barely filled out, they are more regular roots then nice plump beets, the ears of corn were maybe 3 inches long and never grew kernels. I should have called the garden done early on and moved onto other projects and efforts, but I didn’t.
This same concept happened at a previous customer I was engaged with. They purchased licenses for a new type of security agent that would help with watching for breaches and then pulling back breach forensics data. The implementation took 6-7 months and created 2 network outages. The solution was finally implemented and ran for 2 years, during those 2 years this application generated hundreds of false positives where each one needed to be individually reviewed in case it was an actionable security incident. After the first year its continuation was discussed and due to how much time and effort (and licensing fees) had been invested the decision was made to continue for one more year, it had to be worthwhile eventually didn’t it? At the end of the 2-year period I asked the service owner for that product how many actionable incidents this product found – 0.

The Cost of Holding On: The Sunk Cost Fallacy

After 2 years, countless man hours reviewing false-positives, network outages, implementation issues, and an astronomical price tag it was decided to scrap the project and pull it from the environment. Added on to that is the missed opportunity cost, what else could that team have been doing to further the goal of protecting their environment from attack?

Just like my garden, I had issues realizing when it was time to throw in the towel and move onto something else, I could have been working on painting the exterior trim of the house, putting in a dog fence so the dog wouldn’t run over to the neighbors farm when she got away, the possibilities are endless on what I could have done but didn’t because I kept thinking that the garden would yield because it had to, didn’t it?

They kept this product around because it had to work didn’t it? Too much was spent for it not to work.

As you review your security portfolio do you have products that may not be achieving the results they were selected for? Are you looking to implement new solutions based on actual problems and issues; places that need shored up in your defense (like a farmer reviewing his cattle fence to protect his herd), does the need justify the cost of licensing and implementation costs? Does it fit with your current security plan and trajectory?

Getting Back to Basics

There are several security solutions that are required today for businesses of all sizes, solutions that must be in place for basic security hygiene. Items such as:

Beyond these basic solutions are many more, such as admin rights elevators, EDR’s, MDR’s, SOAR technologies, script blockers, vulnerability scanning, policy enforcement benchmark scanning, file auditing systems, risk scoring, lost/stolen device wipers, data loss prevention systems, penetration testing, and more.

Then beyond that is all the paperwork that goes with it and reviews of documentation and processes. Are you GDPR compliant, how is HIPPA data handled, do you have a process for handling breaches, do you work in an industry that requires a CISO? Are you worried about bringing in the wrong solution? Are you about to plant corn next to your beans (a good idea) or have your red raspberry plants next to your black raspberries (a bad idea).

Not all technologies fit together like a jigsaw puzzle, and it can become very complicated very quickly if not done with a plan in mind. All of these and more are very important questions for an organization to answer. However, not every company or agency has the manpower to be able to look at these requirements and know what they should be removing from their portfolio or looking to implement to protect them, their data, and their customers.

Pull the weeds to grow (your business)

Thankfully, here at Foresite we have a team dedicated to getting to know you and your organization and working with you to find the sunk costs if you have any and to work with you figure out what should be in your security portfolio.

Our Solution Architects can meet with you and discuss a best path forward that does not involve planting corn and tomatoes in late June instead of early May, I mean, purchasing and implementing a technology you are not ready for or what may not be a proved product yet.

Through their guidance they can meet your business needs and understand where the technology can best fit to help drive your business forward. This would allow you and your team to not get lost in opportunity costs and stuck in the weeds of an ever-changing cybersecurity garden.

Thomas Mark

Throughout his career, Thomas has bridged the gap between IT and the business through analyzing data to bring about positive ROI. His work has included supporting applications and software to enable a more successful business while becoming an experienced liaison for stakeholders, IT, business units, and business partners. Thomas is a certified Tanium Operator and Administrator and is currently the Lead Tanium Engineer for Foresite Cybersecurity.

Sign up for our Newsletter

Receive weekly emails for the latest cybersecurity news

Expand your team with Foresite

Enterprise-level cybersecurity and risk management for mid-sized businesses. Prioritize your security tasks and reduce the complexity of cybersecurity.