I had the opportunity to review Rothman’s Pragmatic CSO before the holidays, and it got me thinking about complexity.

(Oh yeah, and it’s really good, but I’m not allowed to endorse anything so that’s all I’ll say.)

One thing I realized after spending a few years wandering into people’s homes and vehicles during the most stressful events of their lives (legally, being a paramedic and all) is that we have this incredible ability to make our lives more complicated than they need to be. It’s as if the human creature, by dint of our apparently complex consciousness, builds nearly insurmountable mental constructs that shield us from that which is straightforward and simple. It’s like our brains are these high performance sports cars that just have to run at full speed no matter what the road. And let’s be honest, not all sports cars are built alike, sending those of lower performance flying off the cliff edge of intelligence to land in a mangled heap when they hit the hard pavement of reality.

Time and time again I saw people destroy themselves by failing to follow the path of simplicity: sometimes losing a relationship or their long term health, other times losing their lives. Come on, you all know the drama kings and queens that crave complexity in their lives despite their protestations to the contrary. Or the motormouths that keep their lips moving to prevent their brains from having a moment of quiet reflection to show them how much they’ve screwed themselves up.

We (and I really mean we; all of us are guilty) often make similar mistakes in the professional world. We spend more time building an RFP and testing each widget in a product than we’ll actually spend using it, totally ignoring the fact that it doesn’t have the one critical feature we really need. We spend more time building frameworks, models, architectures, and checklists than building the necessary systems. I’m not saying we should toss all paperwork and planning to the winds, but we very often lose perspective and create unnecessary complexity. Just look at the COSO ERM framework as the shining example of CTSCS (crap to sell consulting services), or the government paperwork bottlenecks of accreditation and certification.

In mountain rescue our goal was to keep every rescue system and operational plan as simple as possible, because the more pieces you add to the chain, the greater the likelihood of failure (literally).

I like Rothman’s work because he’s trying to pull us back to basics. Yes, we need assessments, strategies, policies, and plans, but the practicality of security is complex enough as it is; we shouldn’t let the business of security compound the problem. We need to be realists and know that we’ll never solve everything, but by focusing on the pragmatic, simple, and direct we can best protect our organizations without going totally batshit.

Don’t make life harder than it needs to be. Don’t add complexity. Keep it real.

One of the best ways to be effective in security is to look for the simplest and most pragmatic solutions to the complex problems.