IT Complexity: Metrics and Strategies to Navigate and Measure Performance

By: Josh Mayfield | 4/12/2019

IT complexity is one of the biggest roadblocks to success. One of the culprits is the tendency to pack endpoints with more and more controls, apps, and of course, agents. When an organization’s device and agent population expand, they compound the effects of one another; not multiplying endpoint complexity, but exponentiating it.

Different agents compete with one another for the device’s underlying resources: hardware, software, processes, etc. These zero-sum cage fights are more common as the number of agents has grown. Moreover, the variation in hardware — Dell, Lenovo, Microsoft — and software — OS versions and builds, agents, apps—has made everyone a de facto multi-platform enterprise.

This power law creates more security-eroding complexity than security-enabling assurance. Because…by the laws of probability, there are now many more ways for things to go wrong, than to go right.  The astonishing odds against this backdrop fall at the feet of IT and security teams trying to make sense out of what appears to be a senseless device-agent landscape.

This tangled web of complexity has completely changed how we see, control, respond to, and secure endpoints.

What Is IT Complexity?

The concept of IT complexity isn’t anything new. In fact, a 1979 paper by Bill Curtis was written to address the issue.

But not too long ago, keeping track of all our devices and everything running on them used to be manageable. Even ten years ago, maintaining agentsmaintaining agents and tools was a fairly straightforward process; so having conflicting controls, apps and agents on your devices just wasn’t a factor.

Those days are long gone, however. Today, device care is 12 times as difficult to reach the same degree of endpoint cyber resilience.

Why? Because every control, app, and agent is tapping into hardware and software resources — a zero-sum game in which some feast while others starve.

This agent friction leads to some startling results. Data from a recent webinar, The State of Endpoint Security 2019, recently revealed:

  • At any given time, 28 percent of antivirus/antimalware agents fail
  • 42 percent of encryption agents go to an early grave
  • 50 percent of repaired client/patch management agents required more than three repair events within one month
  • an era where patching is already a struggle, one in five patching agents break every month.

Our maniacal pursuit to stuff endpoints with controls, apps, and agents creates entirely new risks. By adding more security controls on a device, our organizations aren’t getting any safer; in fact, this only increases endpoint vulnerabilities. Worse, it diminishes the capabilities of our IT people. With so many tools and combinations, it’s almost impossible to determine what is causing things to fail.

When complexity intensifies, exposures that open up the attack surface become a feature of our IT environments.

To achieve cyber resilience, we must first acknowledge the self-inflicted trouble that occurs when we stuff our endpoints with competing agents. It’s as if we’re putting all our endpoints into a knife fight in a phone booth!

When agents conflict, we can optimize their behavior. When they fail, we can regenerate them, bringing them back to life. This is the power of persistence.

How to Measure IT Complexity

Measurement is the first step that leads to control and eventually to improvement. If you cant measure something, you cant understand it. If you cant understand it, you cant control it. If you cant control it, you cant improve it.”–H. James Harrington, business process guru.

Measuring IT complexity is all about looking for redundancy. You basically need to establish a heatmap of where things are getting complex. You need to answer these questions: Where is there agent creep, driver creep or app creep within your endpoints? What are all the OS types, device types, and client types within your organization? What is the lifecycle process?

padlockThere are so many factors, but these variables must be measured.

Sound overwhelming? It is. It isn’t called IT complexity for fun.

Measuring everything manually can be done, sure, but at what organizational cost? You can bring your enterprise architecture team into every budget meeting with a live inventory framework, and spend countless hours strategizing, but how sustainable is that?

The best way to help measure and deal with IT complexity is to reduce the effort. You need to manage it. If you’re in IT, you have no choice.

You need to manage your FTE (full time equivalent). What if you can reduce your FTE from 3½ to .3 in measuring complexity?

The only way to properly measure complexity is to have a solution manage it for you.

What It Means To Have IT under Control

To achieve true IT resilience, your endpoint management solution must go deeper and have a full view of everything going on within and outside of your devices with a privileged position.

You need to have a solution that resides right in the firmware to understand the complexities of your ecosystem. When measuring complexity, it’s imperative to get a detailed snapshot of your endpoints versus a sample level.

Most solutions on the market can look at your endpoints and present data that — if it were a court of law — would amount to circumstantial evidence. With Absolute, it’s like a DNA test.

Or think of it in other terms: say your friend sends you a video of a cute cat playing the piano. The coding behind that video is made up of ones and zeros. The coding is merely information; the other — the video — is knowledge. You want knowledge.

How to Manage IT Complexity

How do you even get started managing IT complexity without the right knowledge?

Absolute can not only provide validation that something may have occurred, but it looks at the implications of your services, can boomerang all the relevant data back to you and display a modelling of what happened before and after each incident.

When the time comes to demonstrate, prove, and validate your security posture, Absolute can be audit-ready and close the complexity gap with ceaseless visibility and control.

Want to learn more about how reducing IT complexity can lead to resilience for your endpoints? Watch our new webinar: The State of Endpoint Security in 2019, to discover actions you can take toward real-world resilience.

Financial Services