Is IT complexity a significant factor in managing IT risk?

By Tim Wadey, Head of Advisory at Logicalis UKI

 

My emerging view of the key IT issue businesses are focusing on in 2022 is IT risk. It may be dressed up as something different, but fundamentally it is risk. This is caused by:

  • Delays in upgrading unsupported hardware because of the chip shortage
  • Work from Home systems built in haste
  • Working in a hybrid cloud environment – added complexity and a larger “attack surface”
  • Regulatory risk from holding sensitive data to working across borders
  • The IT skills shortage globally reducing access to the whole range of IT resources

I believe there is one further aspect of IT for businesses to focus on, and that is complexity, which comes in a number of different forms:

  • Infrastructure complexity increases the number of parts to go wrong, which increases the attack surface
  • Integration complexity makes every change, security patch or code upgrade more risky
  • Code complexity has always brought risk, but with microservices displacing well-tested homogeneous code, the opportunity for risk increases

Over the past few years “Complexity” has also come up with clients as a problem to be tackled. It manifests itself in many ways, from a raft of applications with historic use cases, through to inventories of differing equipment built up over years, to webs of integrations using APIs to share data or outcomes. I was made to think about it recently when a client wanted to discuss Platform Simplification – designing out complexity through virtualisation. In that use case it was a move to a singular cloud and the adoption of standard virtual machine builds. It was at this point I saw an IDG article about the pitfalls of code complexity and was interested in a new approach to quantifying it more meaningfully than the number of lines of code.

A few years ago, we looked at how to measure IT Complexity for a CIO dashboard.  A literature search turned up work done by Capco and Commerzbank. It focused on four dimensions:

  1. Functionality or the business & process logic supported by the IT asset
  2. Interfaces, the interoperability between the IT assets
  3. Data, logical and physical data objects
  4. The underlying technology infrastructure

The approach actually looked at over 20 factors that came together as the four dimensions, so it was clear that we needed to simplify our approach.

We decided to look at the dimensions that we could measure, and which would be meaningful in a programme defined to reduce complexity and with it the IT risk.  We eventually identified metrics that could be measured, and which could be changed to measurably reduce complexity.  We looked at each major service and measured:

  • Customer Impact - we looked at time to customer impact of a failure, drawing on Business Continuity metrics – the customer facing app and web servers with the highest criticality, internal admin the lowest
  • Integration Complexity – the number of interfaces to other systems or services
  • Infrastructure Scale – the number of infrastructure components

From a data perspective, each service tended to access specific data, in silos, which could not really be measured or simplified without re-architecting the data and applications into a more modern approach. 

We also looked at data in a different way, and at 2 further metrics which cut across all services:

  • Data – the number of fields (columns) in all the differing repositories on the assumption that some are copied to others – reducing the number reduces complexity
  • Software – is it bespoke, configured or customised to reduce the support risk?
  • Infrastructure Complexity – which looked at virtualisation densities on the differing platforms
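
The per-service and cross-cutting measurements described above, computed over a constructed inventory. This is an added example, not code from the original article or from Logicalis; the inventory layout, service names and the field-name matching rule are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample inventory (illustrative; not from the article).
SERVICES = {
    # name: (hours until a failure impacts customers, infrastructure components)
    "web-shop": (0.5, ["lb1", "web1", "web2", "app1", "db1"]),
    "billing":  (4,   ["app2", "db2", "mq1"]),
    "hr-admin": (72,  ["app3", "db3"]),
}
# Each pair is one interface between two services.
INTERFACES = [("web-shop", "billing"), ("billing", "hr-admin"),
              ("web-shop", "hr-admin"), ("billing", "web-shop")]
# Repository -> column names, as exported from each data store.
REPOSITORIES = {
    "shop_db":    ["customer_id", "Email", "order_total"],
    "billing_db": ["CustomerID", "email", "invoice_no", "iban"],
    "hr_db":      ["employee_id", "email", "salary"],
}

def service_metrics():
    """Per-service metrics, most customer-critical service first."""
    degree = Counter()
    for a, b in INTERFACES:          # an interface counts for both endpoints
        degree[a] += 1
        degree[b] += 1
    rows = [{"service": name, "hours_to_impact": hours,
             "interfaces": degree[name], "components": len(components)}
            for name, (hours, components) in SERVICES.items()]
    # Shortest time to customer impact = highest criticality.
    return sorted(rows, key=lambda r: (r["hours_to_impact"], -r["interfaces"]))

def normalise(column):
    """Assumed matching rule: ignore case and underscores."""
    return column.replace("_", "").lower()

def data_metrics():
    """Total field count plus fields that appear in more than one repository."""
    seen = defaultdict(set)
    for repo, columns in REPOSITORIES.items():
        for col in columns:
            seen[normalise(col)].add(repo)
    total = sum(len(cols) for cols in REPOSITORIES.values())
    copied = {f: sorted(r) for f, r in seen.items() if len(r) > 1}
    return total, copied

if __name__ == "__main__":
    for row in service_metrics():
        print(row)
    total, copied = data_metrics()
    print(f"{total} fields; held in more than one repository: {copied}")
```

Fields held in more than one repository are the candidates for the reduction the Data metric is meant to drive; re-running the counts after a change shows whether the numbers moved.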

As we do the next round of Infrastructure Risk Assessments with our clients, I will be working on incorporating these ideas in a practical way.  This will help our IT colleagues explain IT complexity and its inherent risk to their business in a meaningful and measurable way to support their risk reduction activities.

We are seeing that minimising risk across the IT stack is a current discussion at Board level and have developed a way to measure the risk from a range of dimensions.  We can explain how we can help you change that discussion with our Infrastructure Risk Assessments. Get in touch today to learn more about this assessment by emailing info.uki@logicalis.com.