Tuesday, August 4, 2015

The Three Headed Dog

Hercules and Cerberus

Vulnerable, Unreliable, and Inflexible Systems: Three Symptoms, One Disease

As IT systems increase in size, three things happen. Systems get more vulnerable to security breaches. Systems suffer more from reliability issues. And it becomes more expensive and time-consuming to try to make modifications to those systems. This should not be a surprise. If you are like most IT professionals, you have seen this many times.

What you have probably not noticed is an underlying pattern. These three undesirable features invariably come together. Insecure systems are invariably unreliable and difficult to modify. Secure systems, on the other hand, are also reliable and easy to modify.

This tells us something important. Vulnerability, unreliability, and inflexibility are not independent issues; they are all symptoms of one common disease. It is the disease that is the problem, not the symptoms.

The disease is complexity. System complexity not only results in vulnerability, unreliability, and inflexibility, but a host of other problems such as budget overruns, deadline slippages, and poor business alignment. If you have ever had to deliver large IT systems, you are also painfully familiar with these issues.

System complexity spreads like most diseases: exponentially. As system size increases, system complexity increases faster. The rule of thumb is that when a system grows by twenty-five percent in functionality, it doubles in complexity. Once complexity doubles, security breaches double, system outages double, and the cost of making future changes doubles.

We are fortunate. In the last decade, we have made tremendous strides in understanding IT complexity. We now have mathematically grounded models for understanding complexity. We have metrics for measuring complexity. And we have directed methodologies for maximizing desirable functional growth while minimizing undesirable complexity growth. With these models, metrics, and methodologies, we are finally in a position to make complexity-related IT problems a distant memory.

As we better manage the disease of complexity, we also better manage the symptoms of complexity: vulnerability, unreliability, inflexibility, and an assortment of others.

The irony is that if you want to make systems more secure, flexible, and reliable, you won’t do it by making systems more secure, flexible, and reliable. At least, you won’t get far doing that. Sooner or later, you need to attack the disease that is the underlying problem. That disease is complexity.

Complexity is the cancer of IT. That is the bad news. The good news is that we no longer need to be victims of complexity. We have models to understand complexity, methodologies to eliminate it, and the tools to make sure it doesn’t return. And that means that we can now create large IT systems that are also secure, reliable, and flexible. Not to mention less complex.

- Roger Sessions, Austin, Texas