No doubt that companies struggle with information security these days. Today they spend hundreds of thousand dollars, some millions, tomorrow they realize they have done nothing! Security folks do not have peaceful night sleep, because they know what they have done during the day could easy be compromised!
Regardless of why we are spending money while we are not certain or confident to an expected outcome, why solutions really getting more and more useless and ineffective? The answer is the hidden monster behind all insecurities within information technology: the complexity beast!
Complex systems introduce complex work flows which are prone to intensive security flaws!
Complicated systems (which are also prone to insufficiency) introduce complex work flows and a model which is naturally prone to have more flaws, result of more surface for the attack and more attack vectors with combined magnitude and even unexpected new evolved way of attach. This is not fiction, this is the dynamic of today’s cyber security trend. You hire, you purchase, you train, you consult… you do your best and still you are not confident cause your neighbor company just had a breach and you will be more scared if you have pro visibility and see how malicious actors are already in-house!
Traditions have proven outcome already messaged, although market hesitate to listen, let alone to follow!
Fancy systems are more attractive to adversaries also, and there is reason behind it because they know how the chance of finding a flaw is exponentially higher when they see a fancy colorful IT infrastructure vs a clunky system out there. The worst part of this is that, customers of that fancy information system do not necessarily get better services or goods (products) even they pay more for it, they are also prone to lose more due to a complex system as back-end, but that is another story with its own sad ending.
Complex software and hardware build complex systems
Complex systems are built around complex software, hardware and literally a complex IT setup where a given goal is accomplished through a complicated workflow, and this is either result of poor design, or just excess resource assignment where it is not needed at all. There are millions of examples you look around, or better, start by your own business or department you are managing:
- Do you think all businesses need Windows platform to run applications?
- Do you think you use even 20% of Outlook features and capabilities?
- Do you think most website owners need PHP vs simple HTML?
- Have you ever walked to your company server room and ask your IT guy why things are setup like that?
- Have you ever tried simpler software vs the one with more features?
- Have you ever shopped based on what you need vs what has higher score reviews?
Those are just goofy questions just to fire up the real flame inside you which makes you as yourself: should I really totally trust people that are running my IT infrastructure, or I could use my common sense and just question why I need these complex system? What workflow my business really need and then what simple system is out there to support my workflow regardless of what market is pushing me to buy.
Complex system setup puts us in more trouble when we start securing it with the consistent complicated mindset, and that’s where we could end up having more insecurities after spending and relying on sophisticated security solutions. Experience has shown and proven that the simplest way to address security is designing and implementing a simple system, an straightforward workflow is naturally secure, or easier to secure with even free or cheap security solutions which are easier to maintain, manage and run, so the outcome is more secure and cheaper and more reliable and efficient.