June 29, 2022

Things People Say About Security and Complexity

Dr. Simon Wiseman

When explaining ideas, we often use famous quotes to support our points in a concise and memorable way. Quite often it’s a mis-quote (Jack Swigert didn’t actually say, “Houston, we have a problem” on Apollo 13), but it still does the trick.

But will we ever stop failing? Richard Cook, a researcher at the University of Chicago, famously said “failure is the normal function of your systems, not the abnormal one” so you should not try to stop failure but add defences to avoid catastrophe. Unfortunately, the cyber defences we are adding are themselves complex systems, so they too are expected to fail and need defending. This could go on forever, something acknowledged by the ancient Roman poet Juvenal when he asked, “who guards the guards?”

So, adding complexity to fix problems in complex systems is not going to work. Instead, we need to seek simpler solutions. The 11th century philosopher Sir William of Occam said something like, “when solving problems entities should not be multiplied beyond necessity”. He was talking about choosing between competing theories and meant you should go with the one with fewer assumptions, on the basis that simpler arguments are more likely to be right. Taking that as a starting point, we should be choosing simple solutions to our security problems over complex ones.

However, Albert Einstein gave us a warning. He is attributed with the phrase “everything should be made as simple as possible, but not simpler.” Ironically, he said it in a much more complicated way, but his meaning is clear – the simple way of doing something is better than a more complicated way, but there’s a limit to how simple you go and going further than that will actually make things worse. So we need simpler solutions, but must ensure they still do the job.

Larry Tesler formulated the Law of Conservation of Complexity, while at Xerox PARC in the mid 1980s. He said "The total complexity of a system is a constant. If you make a user’s interaction with a system simpler, the complexity behind the scenes increases.” This was in the context of human-computer interface implementation, and he meant that once you have a solution with the minimum possible complexity, you can’t reduce it further, but you can decide where to put it – and it’s best to make the developers take on more of the complexity to reduce the burden on the users.

This all sounds like sage advice. We should recognise that defending complex systems from cyber attack is a complex task. This means something will fail. But we must take steps to handle the failures and avert catastrophe, and those steps must not increase the complexity. We then need to ensure the burden of the essential complexity is carried by the developers, not the users of the systems.

Simplicity is what Forcepoint strives for. Security simplified. All the protection you need, implemented with just the right amount of complexity inside and delivered in a way that’s simple to use.

Forcepoint ONE hides the complexity of the security solution from its users by providing one platform with one console using one agent. Users and administrators don’t have to handle a jumble of separate products that provide protection that doesn’t quite line up.

Within this, Remote Browsing Isolation makes it easy for the end users to browse the web, because they don’t have to worry about every click. And Zero Trust Content Disarm and Reconstruction means users can engage content without worrying about threats inside, and the security team don’t have to chase malware around the system. Then DLP helps users to avoid mistakes and administrators to keep users honest.

Beyond that, Forcepoint’s Cross Domain Solutions for government and critical infrastructure are designed to face the most serious and persistent cyber threats. Here it’s not just about reducing complexity and simplifying administration but building solutions in a way that allows their effectiveness to be proven. This means utilising specialised software platforms to contain the complexity, so any failures cause no damage, and in some cases even moving this into dedicated hardware.

Dr. Simon Wiseman

Dr Simon Wiseman is CTO for Global Governments and Critical Infrastructure. Simon joined Forcepoint from the Deep Secure acquisition in 2021, and brings over thirty years of experience in Government computer security. Responsible for the technical strategy of Forcepoint’s Content...

Read more articles by Dr. Simon Wiseman

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.