Complexity is Hidden Debt
Why complexity is the enemy of security.
Complexity is the hidden debt in every system. It is not merely a maintenance burden. It is, fundamentally, a security risk. Often masked by the pretext of staying "up to date."
In my work over the last few years within regulated and high-value sectors, I have noticed a consistent pattern: a critical breach is rarely the result of a sophisticated zero-day exploit against a hardened kernel. Far more often, it is the result of a misunderstanding, or the byproduct of pressure to deliver something that was never truly required.
The Gap Between Models
I noticed that every system operates under at least two distinct models:
- The Designed Model: What architects and developers believe they built.
- The Actual Model: What is effectively running in production and being used every day.
Complexity widens the gap between these two. When this divergence becomes too large, reality eventually surprises us. In security and critical systems, surprise is failure.
Subtraction as Strategy
The most effective architectural decisions are often decisions not to do something.
- Not adding a specific feature.
- Not accepting an arbitrary priority.
- Not adopting a tool based on hype.
- Not coupling services without a clear necessity.
We tend to value what we build. We should, instead, value what we avoid building. This restraint is what allows us to strengthen the core and actually rely on the results of our systems.
Serious decisions require a calm environment. When pressured for immediate answers, seniority is revealed not through speed, but through the capacity to maintain judgment and evaluate dependencies before acting.
"Civilization advances by extending the number of important operations which we can perform without thinking about them." — Alfred North Whitehead
In critical systems, we seek the opposite. We want to reduce the number of operations that occur without us deeply understanding them.