This past week I was honored to be asked to participate in a fireside chat at the Chainalysis LINK conference in New York. I really enjoyed the chat. One question that came up during the chat and one that I get a lot (I am known as the [admittedly self-titled] “Ransomware Sommelier”): What attracted you to wine?
This is not the answer I gave, but one I have been thinking about a lot. There are a lot of lessons that ransomware defenders, and defenders in general, could learn from winemaking, whether it is being prepared for unexpected events (such as an early frost), understanding the whole of the organization (winemakers adapting to climate change), or a half dozen other lessons. But, today, I want to focus on what I think is the most important lesson that ransomware defenders can learn from winemakers: Document Everything.
A few years ago, my wife and I hosted a vertical tasting for some of our friends. A vertical tasting is a chance to try different vintages of the same wine all in one sitting. Each vintage of a wine should reflect the realities of the year (weather conditions, crop yield, etc.) while still remaining true to the winemaker’s vision and the terroir from which the grapes were harvested.
In this case (apologies for the blurry picture), we were tasting Fabbioli Cellars, Tre Sorelle, and we were lucky enough to have Doug Fabbioli lead the tasting for us. We tried wines from the 2005 through the 2013 vintages. Fabbioli Cellars is a special winery to us; we had our second (and many other) dates there and have been avid collectors of Doug’s wines. It was nice to share our passion and the wine with our friends, especially those who weren’t familiar with Doug’s wine.
Before each wine was poured, Doug would spend a few minutes talking about the vintage. He would describe the weather that year, when the grapes were harvested, what wines were included in the blend and why he chose the blending he did for that year.
When I used to do more programming, I could barely remember why I did something the way I did 6 months ago, much less 10 years ago. Yet, here was Doug, who when he started was basically running a two-man show, having documented every part of the winemaking process, from bud break, to the weather, to harvest and how long it aged.
Ransomware defenders need to be more like winemakers in this regard. Every aspect of the network has to be documented and updated as things change. This documentation should be in place before a ransomware attack. If a ransomware attack occurs, everything during the attack and during the recovery process needs to be documented as well. The more documentation available, the easier it is to remember why something was done and make smart decisions about changing it in the future. Good documentation can help reduce technical debt, because it can make it easier to make changes as needed to the network and the organization.
In short, be more like winemakers and incorporate documentation into the ransomware defense process.