Joe Vandervest

Control Complexity - Use Standards

Shows a graph of increasing complexity according to Metcalfe's law, together with the additive results of a survey of CVEs announced for key platforms during the last two years. With 10 platforms there is a HUGE potential number of patches and fixes that need to be applied, leading to administrative cost and effort, increased security risk, and loss of focus on any one platform.
Increasing platform variation increases complexity and effort.

A lack of standards, or of standards discipline, can easily lead to platform chaos, increased costs, security problems, and balkanization of data into disconnected islands.

Absence of Standards Leads to Complexity

The chart above, based on a two-year patch release review of a set of open source software packages providing web services, shows how proliferation of packages increases maintenance effort. The black line in the graph shows the impact of Metcalfe’s law, essentially the role of interdependence and connections adding to complexity. The red tinted area shows the difference between the number of updates for each of the packages (platforms) and the statistically high end for the number of patches.

Any one of the CVEs on the chart (red area), left unpatched, could be the one vulnerability that leads to a significant privacy breach. In today’s compliance environment, a security breach could kill a small organization.

Reduce Complexity, Reduce Risk

One way to help limit risk is to reduce complexity. Setting, then adhering to standards, is one way to reduce complexity. Standards help control the number of different kinds of platforms you must know, understand, operate, support, and administer - all of which helps reduce risk.

Increasing complexity increases risk. One privacy breach lawsuit can break an organization. Runaway infrastructure maintenance costs can contribute to a company’s demise. Overly complex systems make accessing data a major effort, which in turn contributes to slower customer response or service. All of these will eventually impact revenue.

Technology standards make a difference. I recently read a wonderful bit about Fleet Standardization by Christopher Amos. You can read it yourself here. Although the article is about standards in automotive fleets, if you read it and use it as an analogy for information technology contexts, you’ll see the value.

Process Complexity

Processes like system setup, configuration, and maintenance are usually complicated. Different platforms require different processes. Multiple types of platforms create more complexity for managers, technicians, and systems staff who are already dealing with complex processes. Complexity multiplies, with a major impact on risk, cost, reliability, and return on investment.

Fewer types of platforms reduce complexity.


Adding nodes to a network increases its complexity. The more nodes, points, departments, etc. a network or organization adds, the more complex its communications and connections become (see Metcalfe’s Law).

For instance, connections between 100 systems running the same application are one thing. Connections between those same 100 systems, each running a different platform or application that must talk to the others, are an entirely different thing.

Many different types of platforms, each requiring custom crafted and maintained inter-connections, lead to increased complexity. That increased complexity increases risk. Standard platforms, no matter how many, generally enable easier inter-connections, and reduce risk.
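The comparison in the paragraphs above (100 systems on one platform versus 100 systems on many) can be put into a small model. The following is an added example, not code from the original post: it takes a constructed inventory of 100 systems and a constructed table of patches per platform type (both hypothetical figures, not survey data), and computes the Metcalfe link count, the number of distinct kinds of interconnection that have to be built and maintained, and the number of distinct patches that must be tracked. The heterogeneous inventory spreads the systems over 10 platform types; the standardized one uses a single type.

```python
"""Model how the number of platform types drives complexity and patch burden.

Added example. All inventory and patch figures below are constructed for
illustration; they are not the survey data behind the chart in the post.
"""
from itertools import combinations_with_replacement

# Constructed inventory: system name -> platform type (hypothetical).
HETEROGENEOUS = {f"sys{i}": f"platform{i % 10}" for i in range(100)}  # 10 platform types
STANDARDIZED = {f"sys{i}": "platform0" for i in range(100)}            # 1 platform type

# Constructed patches released per period for each platform type (hypothetical).
PATCHES_PER_PERIOD = {f"platform{i}": 8 + 3 * i for i in range(10)}


def metcalfe_links(node_count):
    """Potential pairwise links among n nodes: n(n-1)/2 (Metcalfe's law)."""
    return node_count * (node_count - 1) // 2


def platform_types(inventory):
    """The set of distinct platform types present in an inventory."""
    return set(inventory.values())


def link_kinds(inventory):
    """Distinct kinds of interconnection to build and maintain.

    If every system may talk to every other, each unordered pair of platform
    types (including a type with itself) is its own integration to craft,
    secure and keep working: k(k+1)/2 for k platform types.
    """
    types = sorted(platform_types(inventory))
    return sum(1 for _ in combinations_with_replacement(types, 2))


def distinct_patches(inventory, patches_per_period):
    """Patches that must be tracked and applied per period: one stream per
    platform type in use, summed (the 'additive' effect in the chart).
    A platform type with no patch data is a gap in the inventory, so raise."""
    return sum(patches_per_period[t] for t in platform_types(inventory))


def complexity_report(inventory, patches_per_period):
    """Summarise the complexity drivers for one inventory."""
    return {
        "systems": len(inventory),
        "links": metcalfe_links(len(inventory)),
        "platform_types": len(platform_types(inventory)),
        "link_kinds": link_kinds(inventory),
        "distinct_patches": distinct_patches(inventory, patches_per_period),
    }


if __name__ == "__main__":
    for name, inv in (("heterogeneous", HETEROGENEOUS), ("standardized", STANDARDIZED)):
        print(name, complexity_report(inv, PATCHES_PER_PERIOD))
```

Both inventories have the same 4950 potential links, so the node count alone does not separate them; what changes is the number of distinct integrations (55 versus 1) and the number of patch streams to follow (215 versus 8 in these constructed figures). That is the post's point: standardizing the platform reduces the kinds of connections and the patch surface even when the number of systems stays the same.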

Platform Proliferation Weakens Your Business

Together both process complexity and interconnection complexity weaken your business or organization.

Your organization’s tech support/admin staff/vendors will eventually be overwhelmed by the amount of effort needed for security fixes, monitoring, interfaces, professional systems administration, responsive user support, and maintenance to keep things interconnected.

Unless you take action to rein in complexity, the diminishing performance caused by platform complexity will lead to any or all of the following: failing systems, security breaches, staff burnout, and overall service reduction.

In order to maintain high levels of service and production your organization will need to increase the number of technicians hired, or support contracts established, and vendors engaged. In a context where finding well-paid, qualified technical staff is difficult at best, there is no guarantee that you will find qualified staff or affordable vendors.

Increasing costs caused by complexity will eventually put you to the point where you will be unwilling or unable to afford it.

Once that starts happening, the financial footings for your business begin to weaken.

Control Platform Proliferation

Set some standards. Decide on tools and services. Set up standards so that they can be reviewed and changed. Expand the platforms or services used only after thinking about it and talking about it with people who know what is needed and those who will have to support, maintain, and administer them. Stay realistic when assessing the costs and impacts of your choices, but don’t be afraid to add platforms or remove older platforms if it makes sense.

Standards Suck

It’s a refrain we’ve all heard or voiced ourselves. “Standards suck” - they hamper our agility, limit our choices, get in the way of customer service and response, don’t offer choices I like, cost too much, prevent us from doing X, etc.

Sometimes they do suck and get in the way. Why?

  • They don’t echo current business needs or trends.

  • They are not implemented and communicated in a way that explains WHY they are standards.

  • There are no processes to allow standards to quickly change, evolve, and address near-term needs.

  • Evaluation and review processes don’t actively involve all interested parties.

You need standards, but you must also design processes and resource them so that standards can be evaluated, modified, and influenced by business needs in such a way that they support agility, nimbleness, and responsiveness. At the same time they must support the needs of the organization to minimize complexity, mitigate risk, and control costs.

Just because a service or technology is not on the standards list doesn’t mean it can’t be used. What it means is that it is new and needs evaluation and a deliberate, business-oriented review. When you set standards, offer easy-to-use, easy-to-understand ways for them to change.

Standards must not be a roadblock to an organization’s technical evolution. They are a tool to help an organization evolve its technology platforms securely and efficiently.

Cover Photo by John Moeses Bauan on Unsplash