For years I've written about how dangerous network complexity is for business. It's simple math. The crazier things are in your environment, the less control you have. In other words, the more applications, computers, network segments, people, policies, cloud service providers, and so on in your environment the harder it is to manage the risks. It's a direct, quantifiable, and predictable inverse relationship.
Yet, no matter the degree of complexity networks evolve to, many IT professionals just keep piling stuff on top. The egotistical IT pro (I can say that because I used to be one…and still catch myself every now and then) will proclaim and often shout from the rooftop: “I can handle that.” Plainly and simply: give them another system to manage or process to follow and they can handle it. Or can they?
Interestingly, I've thought all along that IT professionals are just not the best at managing their time or managing their goals. But, during a recent discussion with a good friend who gets security, it occurred to me that network complexity may not be about IT professionals knowing their limits after all.
It's about control.
Like CIOs and certain CISOs who are afraid to acknowledge security problems for fear of their jobs, there's a conflict of interests going on here. I'm sure I'll ruffle some feathers for saying this. I'm just trying to position and view information security from the perspective of an executive – because that's where it counts.
You see, the more complex the environment, the greater the perceived responsibilities one has, the greater the chance of being seen as a person of value who's always busy, working his/her tail off. The way I understand human psychology, for the most part, people want to please others. It's how we derive our self-esteem or at least keep it from being taken away.
But think about this logic. When IT professionals add more and more complexity on top of an already complex network all they're doing in the long-run is hurting themselves. More complexity means more attack surface and thus increased risk of a breach. Even if that dreaded breach never occurs, the weakness (likely based on complexity) will most certainly be found by a savvy auditor or security assessor.
Why would you want to do that to yourself?
Your goal as an IT professional should be to minimize the number of systems, processes, and so on so you can come out looking like a hero because you actually have the time to spot and stop incidents in action. You can't do that when you're busy managing a thousand systems at once. As the saying goes when you are right, no one remembers and when you are wrong, no one forgets. That's okay. Stop trying to “prove” yourself in the wrong ways. Instead simplify. Work smarter and even greater rewards will come your way.
As Elbert Hubbard said: "The recipe for perpetual ignorance is: Be satisfied with your opinions and content with your knowledge." Promise yourself to work to stand out from the noise. Make a name for yourself – in a good way – to get people on your side. Whether it seems like it right now or not, a critically important part of this is knowing what you've got, understanding what's at risk, and then doing something about it which should include simplifying wherever you can.