Spend enough time working across different IT environments and you start noticing a pattern.
When a security incident happens, the immediate reaction is often to look for the missing technology. Another security product. Another monitoring platform. Another dashboard.
In many cases, that isn't where the real problem started.
The biggest weakness I encounter isn't an unpatched vulnerability or an outdated operating system. It's a lack of visibility.
Teams don't have a complete picture of their own environment anymore.
Nobody is completely sure which systems are still in use. Documentation is months—or years—behind reality. Applications overlap. Old management platforms continue to exist alongside newer ones because nobody had the time, or the authority, to remove them. Temporary exceptions quietly become permanent architecture.
Security becomes difficult long before an attacker appears.
One of the clearest examples is unfinished work.
An Intune deployment that never reached every device. Conditional Access policies left in report-only mode, logging what they would have blocked but never enforcing it. Test environments that somehow became production. Old GPOs that nobody wants to remove because "something might break."
None of these situations is caused by a technical limitation. They are the result of projects that never truly finished.
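The three kinds of unfinished work above can be surfaced with a short, read-only inventory. The following PowerShell is an added example, not code from the original post: it assumes the Microsoft.Graph and GroupPolicy modules are installed, a domain-joined workstation with RSAT so that Get-GPO works, an account with Policy.Read.All and Device.Read.All, and an arbitrary 30-day activity window for what counts as an "active" device.

```powershell
# Added example, not from the original post: a read-only inventory of three kinds of
# "unfinished work" in an Entra ID / Intune / Active Directory environment.
# Assumptions: Microsoft.Graph and GroupPolicy modules installed, Policy.Read.All and
# Device.Read.All granted, domain-joined host with RSAT for Get-GPO. The 30-day
# activity window is an arbitrary choice.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module GroupPolicy

Connect-MgGraph -Scopes 'Policy.Read.All', 'Device.Read.All' -NoWelcome

# 1. Conditional Access policies that only report.
#    State 'enabledForReportingButNotEnforced' means the policy evaluates and logs
#    every sign-in it matches but never blocks one: a control that exists on paper only.
$reportOnly = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' } |
    Select-Object DisplayName, State, CreatedDateTime, ModifiedDateTime

# 2. Devices that are active in the tenant but were never reached by Intune.
#    IsManaged is false when no MDM has enrolled the device; restricting to devices
#    that signed in recently keeps long-dead directory records out of the list.
$cutoff = (Get-Date).AddDays(-30)
$unmanaged = Get-MgDevice -All -Property Id, DisplayName, OperatingSystem, IsManaged, IsCompliant, ApproximateLastSignInDateTime |
    Where-Object { $_.ApproximateLastSignInDateTime -gt $cutoff -and -not $_.IsManaged } |
    Select-Object DisplayName, OperatingSystem, IsCompliant, ApproximateLastSignInDateTime

# 3. GPOs nobody dares to delete: linked nowhere, or linked but empty.
#    The XML report carries one LinksTo element per link; a DSVersion of 0 on both
#    the Computer and User halves means nothing was ever written into the GPO.
$staleGpos = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $linked = $null -ne $report.GPO.LinksTo
    $empty  = ($gpo.Computer.DSVersion -eq 0) -and ($gpo.User.DSVersion -eq 0)
    if (-not $linked -or $empty) {
        [pscustomobject]@{
            DisplayName      = $gpo.DisplayName
            Linked           = $linked
            Empty            = $empty
            ModificationTime = $gpo.ModificationTime
        }
    }
}

"Conditional Access policies still in report-only mode: $(@($reportOnly).Count)"
$reportOnly | Format-Table -AutoSize
"Active devices not managed by Intune (signed in since $($cutoff.ToShortDateString())): $(@($unmanaged).Count)"
$unmanaged | Format-Table -AutoSize
"GPOs that are unlinked or empty: $(@($staleGpos).Count)"
$staleGpos | Format-Table -AutoSize
```

The script changes nothing; it only produces three counts and three lists. A non-zero count on any of them is a project that was never finished, and the list beneath it is the exact scope of the work needed to either finish it or retire it.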
Over time, every unfinished decision adds uncertainty. Eventually, nobody knows exactly what can be changed safely.
That uncertainty is often a bigger security risk than the software itself.
I also think many IT organizations optimize the wrong metrics.
Management dashboards focus on ticket volumes, SLA compliance, uptime, and operational costs. Those metrics matter, but they rarely measure the health of the environment.
- How much technical debt was removed this quarter?
- How many obsolete systems were retired?
- How much documentation was actually updated?
- How many manual processes disappeared?
- How much knowledge was transferred to the team?
Those questions are harder to quantify, so they're often ignored. Yet they have a direct impact on security, resilience, and operational efficiency.
The same applies to modernization.
I've seen environments where everyone agrees that a process is outdated, but nothing changes because "we've always done it this way" or because changes can only happen during a tiny maintenance window once every few months.
Eventually, the infrastructure becomes a collection of compromises instead of a coherent architecture.
Adding another security product doesn't solve that.
In fact, it often makes things worse: one more agent that has to reach every device, one more console nobody fully owns, one more set of exceptions that will outlive the project that created them.
The answer isn't another tool. It's better ownership.
- Know what you have.
- Remove what you no longer need.
- Finish the projects you start.
- Document decisions while they're still fresh.
- Challenge legacy processes instead of protecting them forever.
- Most importantly, build environments that people can actually understand.
I don't think this requires a new generation of engineers. It requires a new generation of thinking.
An IT organization shouldn't measure success only by keeping the lights on. It should also measure how much simpler, clearer, and easier to operate its environment becomes over time.
Because an infrastructure that is easy to understand is usually an infrastructure that is easier to secure.