paint-brush
Is Complexity the Enemy of Security?by@zacamos
1,180 reads
1,180 reads

Is Complexity the Enemy of Security?

by Zac AmosDecember 15th, 2023
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

A simple solution is often better, but sometimes complexity is needed. Rather than strictly avoiding complexity in every case, instead use proper planning to make complexity work for you.

Company Mentioned

Mention Thumbnail
featured image - Is Complexity the Enemy of Security?
Zac Amos HackerNoon profile picture

The phrase “complexity is the enemy of security” has floated around IT teams for decades. The general belief is that an overly complicated approach to cybersecurity will lead to greater vulnerabilities. Since most organizations are scrambling to advance their defenses against new threats, the debate on whether it is true matters now more than ever.

What Does “Complexity Is the Enemy of Security” Mean?

The “complexity is the enemy of security” mantra means the more complicated a system is, the more challenging it will be to safeguard against threats. The more components, dependencies, integrations, and configurations an IT team has, the more time they’ll spend maintaining, managing, and securing everything.


Instead of sunsetting and replacing legacy systems, many organizations keep adding to their tech stack. Layering security to strengthen defenses has been the industry-standard approach for years. Rather than navigate intricate dependencies and configurations, they adopt more technology.


While many IT teams believe adapting is essential to security, most can’t upgrade all their technology whenever a new threat appears. Instead, they rely on well-established systems. However, having a mix of legacy and modern devices increases the risk of cyberattacks because it creates gaps — one of the reasons people consider complexity the enemy.

Why Cybersecurity Complexity Exists

Most IT teams manage dozens of software, hardware, vendors, and apps. Globally, every business used 130 separate SaaS applications on average in 2022. That number has risen annually for nearly a decade and will likely continue increasing for years.


Even though the general sentiment of complexity being detrimental has existed for ages, IT teams continue to layer security. They’ve mainly had to because it’s the only way they can safeguard against constantly changing cyberthreats.


Organizations must constantly adapt to keep pace with the ever-evolving threat landscape. With the sudden rise of technologies like artificial intelligence and the Internet of Things, professionals have had to modernize or risk being vulnerable.

How Does Cybersecurity Complexity Impact IT Teams?

Cybersecurity complexity has ripple effects upstream and downstream — it affects end users as much as chief information security officers. That said, the IT team feels the brunt of the impact.


They must manage an increased attack surface, constant updates, misconfigurations, troubleshooting, unintended component interactions, and convoluted compliance monitoring.

Consequently, IT professionals experience fatigue. Many neglect security in response, increasing their vulnerabilities. Research shows human error causes 90% of cybersecurity incidents in the United States and the United Kingdom. People are already prone to careless and malicious behavior, so these consistently large workloads aren’t ideal.


When systems become too complicated to manage, people naturally look for convenient workarounds. For example, they might skip pressing updates, refuse to implement multifactor authentication, or ignore essential alerts. As a result, their overall security suffers.


Attackers have used complexity to their advantage. They’ve exploited outdated systems, negligence, and misconfigurations to find gaps and vulnerabilities. Notably, IT professionals might also have more difficulty locating threats when maintaining dozens of security tools simultaneously.

Is “Complexity Is the Enemy of Security” True?

On the one hand, the phrase “complexity is the enemy of security” is true because overly complicated setups require more effort to maintain. They inherently create an increased attack surface and have a higher probability of failure. The chance for human error rises because people find workarounds to make their lives more convenient.


Additionally, complexity means more overhead and operational costs. The more organizations spend to maintain and manage their systems, the less they’ll have to strengthen security more meaningfully. The same concept applies to time — the longer they focus on upgrades and troubleshooting, the less attention they can devote to more pressing concerns.


On the other hand, complexity doesn’t automatically translate to difficulty. Often, complicated configurations result in more straightforward management for end users. Additionally, multilayered security offers comprehensive protection from every potential threat.


Moreover, having more hardware, software, and applications allows IT teams to adapt to any threat. Continuously layering security as the cybersecurity landscape evolves helps them fine-tune their defenses. Even if they only have redundant systems, they’re automatically more protected because they have backups.


Complexity isn’t inherently harmful to IT teams. Instead, subpar planning is the real threat. Professionals who balance their technology needs with manageability and convenience can better protect themselves. Sometimes, layering security translates to simplicity.

Complexity Doesn’t Translate to Better Security

For years, IT teams have upped their investments in security. Worldwide spending on cybersecurity reached $219 billion in 2023, an increase of 12.1% compared to 2022. However, none of those expenses have meaningfully slowed cyberthreats.


Rather, cybercriminals have become more brazen and have launched more attacks. Annual data breaches went from 1,279 instances in 2019 to 1,802 in 2022. The fact these cybersecurity incidents increased by 40% in the same period that spending rose $30.3 billion proves the industry’s approach to layering security isn’t working out as expected.


Even though most organizations have been spending more for years, they haven’t made a meaningful dent in the threat landscape. It seems complexity doesn’t result in marked improvement by itself. Although subpar planning is the real threat, IT teams shouldn’t layer security just to modernize or adapt.


Organizations can strengthen security with proper planning. Instead of continuously adopting a multilayered approach because it’s easier than reconfiguring or phasing out legacy systems, they must prioritize. Whether they need to safeguard personally identifiable information, proprietary data or critical systems, they must build their strategy around protecting core systems instead of expanding to fill every potential gap.

Organizations Can Make Complexity Work for Them

Organizations have grown too comfortable, making their systems overly complicated to compensate for their vulnerabilities. Instead of spreading themselves thin by expanding their protections to cover every endpoint, they should seriously consider reprioritizing. Strengthening the most critical systems and dropping unnecessary hardware can be very rewarding.


Even though having dozens of tools and systems isn’t inherently risky, simplifying their approach to security will undoubtedly improve IT professionals’ work lives and increase organizational safety. Although many IT leaders believe they must continue adopting new technology to protect themselves against the ever-evolving threat landscape, balancing complexity and manageability is much safer in the long term.