The Accretion Problem

Most people think of security as a matter of diligence: patch the server, update the firmware, renew the licence, tick the compliance box and hope that the gods of entropy are feeling merciful. But what is usually happening, behind the brave face of procedural competence, is the steady accretion of complexity. Code layered upon code, systems perched atop systems, hardware bolted onto hardware until the whole arrangement resembles an overgrown favela of technology, sprawling in every direction and understood by nobody in full.

And here lies the awkward truth that few care to utter aloud: the more complicated the system, the larger the attack surface becomes. Complexity is not merely untidy. Complexity is porous.

Figure: High attack surface versus reduced attack surface (complexity versus simplicity in security)

The choice is rarely comfortable, but it is always simple: reduce the sprawl, or inherit its consequences.

The Labyrinth Nobody Can Map

A surprising number of sysadmins, if cornered late enough at a conference bar, will admit that the infrastructures they oversee have already exceeded the limits of human comprehension. Companies are breached every day without ever discovering how the intruder entered. Was it an XSS vulnerability overlooked in some neglected application? An IoT camera quietly compromised months ago? A member of staff who clicked on a convincing phishing email while distracted before lunch? In many cases the answer is never found, because the labyrinth is too large to map after the fire has already started.

The problem resolves itself into two brutally simple categories: reduce the complexity to something your IT staff can realistically manage, or increase the number of IT staff so the existing complexity can be managed properly.

In practice, neither option is fashionable. Certain species of management regard IT departments the way Victorian mill owners regarded child labour: as something to be stretched until the machinery screams. The result is predictable — insufficient resources to overhaul and maintain security effectively, and an exhausted workforce that begins making mistakes.

The AI Fantasy

And then arrives the modern fantasy that artificial intelligence will somehow absorb the burden. The irony is that IT departments already use AI merely to keep pace with the accelerating demands placed upon them. Yet AI does not possess mystical omniscience. It cannot know a system through and through unless someone has first catalogued that system in exhaustive detail.

Is the managing director really going to document every IoT camera, wall heater, switch, printer, workstation and server? Will someone diligently record every firmware version, every access control list, every forgotten smartphone connected to the wireless network, every unmanaged device quietly existing beneath notice? Most organisations struggle to maintain an accurate inventory of their printers, let alone the invisible ecology of modern infrastructure.

So unless AI is deeply integrated into the workplace — which itself introduces a fresh carnival of risks — it is unlikely ever to perceive the complete picture. And security, unfortunately, is a discipline where the unseen detail is often the fatal one.

The Unglamorous Remedy

The remedy is neither glamorous nor marketable. It is simply this: ensure that your IT staff can manage the infrastructure comfortably, competently and without permanent crisis.

That begins with reducing unnecessary exposure. Audit what is unused, unknown or inherently risky, and remove it from the infrastructure wherever possible — or at the very least isolate it behind a VLAN and treat it with suspicion.

It also requires a coherent, centralised security policy that is actually read, reviewed and updated regularly. Not the usual corporate pantomime of legal threats dressed up as governance — the sort of memo that declares employees will be punished savagely for violating acceptable use policies. A real policy contains practical guidance: if you suspect phishing, terminate communication immediately and report it; if a device cannot be identified, quarantine it; if a service no longer has a purpose, retire it.
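The three practical rules above (quarantine what cannot be identified, retire what has no purpose, record what was never documented) can be applied mechanically once an asset catalogue exists. The following is an added example, not code from the original essay: it reconciles a constructed catalogue against a constructed list of devices observed on the network and emits the actions the policy demands. The quarantine VLAN number, device names, MAC addresses and service lists are all assumed sample data.

```python
"""Reconcile an asset catalogue against observed devices and apply the policy rules.
Added example with constructed sample data; not from the original essay."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

QUARANTINE_VLAN = 999  # assumed VLAN id reserved for unidentified devices


@dataclass
class Asset:
    mac: str
    name: str
    owner: str                       # "nobody" marks an orphaned device
    firmware: Optional[str] = None   # None = firmware version never recorded
    services: Dict[str, bool] = field(default_factory=dict)  # service -> still needed?


# Constructed catalogue: what IT believes is on the network.
CATALOGUE: Dict[str, Asset] = {
    "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "printer-2f", "facilities", "1.4.2",
                               {"ipp/631": True, "telnet/23": False}),
    "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "cam-lobby", "security", None,
                               {"rtsp/554": True}),
    "aa:bb:cc:00:00:03": Asset("aa:bb:cc:00:00:03", "old-file-srv", "nobody", "3.0",
                               {"smb/445": False}),
}

# Constructed observation: MAC addresses seen by the switches/DHCP server this week.
OBSERVED: Set[str] = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "de:ad:be:ef:00:99"}


def reconcile(catalogue: Dict[str, Asset], observed: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (target, action, reason) triples: the work list the policy produces."""
    actions: List[Tuple[str, str, str]] = []
    for mac in sorted(observed - set(catalogue)):            # unknown -> quarantine
        actions.append((mac, f"move to VLAN {QUARANTINE_VLAN}", "seen but not catalogued"))
    for mac in sorted(set(catalogue) - observed):            # stale inventory entry
        actions.append((catalogue[mac].name, "verify or remove from catalogue", "catalogued but not seen"))
    for asset in catalogue.values():
        if asset.firmware is None:                           # undocumented -> document
            actions.append((asset.name, "record firmware version", "firmware unknown"))
        if asset.owner == "nobody":                          # orphaned -> retire
            actions.append((asset.name, "retire device", "no owner"))
        for svc, needed in asset.services.items():
            if not needed:                                   # purposeless service -> retire
                actions.append((f"{asset.name}:{svc}", "disable service", "no longer has a purpose"))
    return actions


if __name__ == "__main__":
    for target, action, reason in reconcile(CATALOGUE, OBSERVED):
        print(f"{target:28} {action:34} ({reason})")
```

Run against real data, the observed set would come from switch MAC tables or DHCP leases, and every "seen but not catalogued" line is a device the organisation did not know it had.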

These are not dramatic insights. They are merely the disciplines that complexity has made unfashionable.

A Final Complication

The newest generation of large language models is already discovering vulnerabilities in everything from browsers to printers with unnerving efficiency. In such a world, the reduction of attack surface is no longer merely prudent housekeeping. It is the first line of defence against threats that have not yet even acquired names.