The worst enemy of security is complexity
Ronald Jansen

This statement was made by Bruce Schneier in 1999. He stated: "You can't secure what you don't understand."

It’s interesting that every year we have new technologies, new products, new ideas, companies and research, yet people continue to ask why things are so bad with security. The answer is that, fundamentally, the problem is complexity. And we absolutely love complexity.

Complexity has a number of consequences (just a few):

  1. Increased Attack Surface
  2. More Errors and Vulnerabilities
  3. Harder to Apply Security Patches and Updates
  4. Overhead and Resource Drain

Complex policies will ultimately lead to a security breach, a system outage, or both (survey of mid-sized and enterprise organizations, ref: https://www.wired.com/insights/2013/01/uncovering-the-dangers-of-network-security-complexity/).

Some suggestions to get in control:

  1. Know what you have (get a good overall picture of assets and their relations, get a CMDB in place)
  2. Get a list of existing critical systems to start to reduce complexity as part of Life Cycle Management
  3. Build new systems with simplicity in mind (will be challenging)


How do you think we can reduce complexity and get more in control of the applications and systems?




