Simple vs Complex
What is Simple?
This is just one post in a series of posts, ultimately building up to how I think about Cybersecurity Operations.
If you missed the first post in this series, the following will have a little more context if you take a few minutes to go check it out!
Unattributed block quotes in this post belong to Rich Hickey, and are from his talk, “Simple Made Easy”.
Let’s Review: Simple vs Complex
To recap from the first post in this series:
Simple
So the first word is simple. And the roots of this word are sim and plex, and that means one fold or one braid or twist. And that characteristic about being [literally one] fold or twist? What’s one twist look like? No twists […], actually.
Complex
And the opposite of this word is complex, which means braided together or folded together. Being able to think about our [Cybersecurity Operations] in terms of whether or not it’s folded together is sort of the central point of this [series of posts].
Simple is…
- One fold/braid
- One role
- One task
- One concept
- One dimension
So if we want to try to apply simple to the kinds of work that we do, we’re going to start with this concept of having one braid.
Simple is About Lack of Interleaving, not Cardinality
On the other hand, we can’t get too fixated about one. In particular, simple doesn’t mean that there’s only one of them. […]
It also doesn’t mean an interface that only has one operation.
So it’s important to distinguish […] counting things from actual interleaving. What matters for simplicity is that there is no interleaving, not that there’s only one thing, and that’s very important.
Simple is Objective
The other critical thing about simple, as we’ve just described it, […] is if something is interleaved or not, that’s sort of an objective thing. You can probably go and look and see: I don’t see any connections; I don’t see anywhere where this twist was something else.
So simple is actually an objective notion. That’s also very important in deciding the difference between simple and easy.
Simple Exposes Failure
One point I’d like to add to Hickey’s remarks here is that if something is simple, it is usually very clear when and why it fails. People intuitively understand this.
There are benefits to this. This property makes it possible to discover problems sooner, which means they can be fixed or improved sooner.
I think this can be one of the biggest obstacles to making things simple in Cyberecurity Operations, though. People do not want to be associated with failure.
The less simple — or the more complex — something is, the more opaque it becomes as to who/what was responsible for it when it fails. So there is a subtle, perverse incentive that rewards people who avoid simplicity.
People know they can always blame ambiguous, amorphous complexity as the reason things went wrong. In extreme cases, people can even exploit this for their benefit.
Consider, for example, the Simple Sabotage Manual [pdf] that the CIA (then called the Office of Strategic Services) drafted during World War II. It has lots of suggestions on how to introduce failure, where the lack of simplicity of a given system or task provides plausible deniability for the saboteur.
So, what does any of this have to do with Cybersecurity Operations and Network Defense?
Check out the next post in this series, where we dive into ideas about what easy means it more detail, which will help us have a more precise discussion about Cybersecurity Operations and Network Defense later on.
