Cut Out The Stupid Stuff

A very useful, if overused, software design concept is "Keep It Simple, Stupid" or KISS. As is probably obvious, the idea is to avoid complexity where possible. This idea is necessary because it is so very tempting to solve every aspect of a problem individually, ending up with a solution that is as large as it possibly can be. The more lines of code you have, the more opportunities for bugs and inefficiencies and conflicts, all of which are things you don't want. However, features are external and visible to the people who pay you, while poor structure is internal, only visible indirectly, as when software is too slow or takes too long to modify, or tends to blow up. This means that external features tend to carry more weight than internal elegant simplicity. That means that software can end up too complicated and bloated. Which leads to managers having posters, t-shirts, mugs and knickknacks with K.I.S.S emblazoned on them.

In that spirit, Pythia Cyber has our own pithy bumper sticker-worthy catch-phrase and snappy acronym: "Cut Out The Stupid Stuff" or COTSS. Rolls off the tongue, doesn't it?

This is a lighthearted way to open a serious and delicate topic: not doing stupid stuff. This is a delicate topic because we all live in the impossible region between these two statements:

  1. I'm not stupid
  2. I do stupid stuff

These two statements seem to be in contradiction to each other, but they are not. The confusion comes from the fact that both statements are about "I" but "I" refers to a human being and human beings are complex and inconsistent.

A further complication is the tense: English implies the continuous present, so statement 1 (S1 in formal linguistics nerdliness) means "I am not inherently stupid; in the general course of events I can be counted on to be intelligent." By contrast, S2 means "I have, on occasion, rare occasion, been known to be tired or distracted or upset or ignorant of some key fact or facts."

So the more accurate version would be "even though I am not a stupid person, I do the occasional stupid thing."

The problem is that Cybersecurity is an unforgiving business. If you do something stupid, even only rarely, that stupidity can linger. And, as we have mentioned in previous posts such as this one, people are actively looking for your mistakes. Did you open a hole in your firewall to help debug some service and then forget to close it? Someone may find it. Did you keep putting off upgrading some system that "doesn't have anything important on it anyway" until someone found that easily patched-but-not-patched vulnerability? These are examples of stupid stuff, actions you would never sign off on except under whatever unfortunate circumstances befell you.

We all do this. So what is COTSS about? COTSS is about making sure that smart, focused, reasonable you keeps tired, distracted, upset or ignorant you out of trouble. COTSS is about trying to have some sense of when you are not at your best, either in the moment (perfect) or afterward (almost as good).
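One concrete way to let smart, focused you look after tired, distracted you "afterward" is to write down every deliberate deviation (the debugging hole in the firewall, the patch you are putting off) with an owner, a reason and an expiry, and have a script nag you about the ones that have outlived their excuse. The script below is an added example, not code from the original post or from Pythia Cyber; the register format, the seven-day default and the sample entries are all constructed for the illustration.

```python
"""Audit a register of deliberate, temporary security exceptions.

Added example (not part of the original post). Each time a firewall hole is
opened for debugging or a patch is deferred, the deviation is recorded with
an owner, a reason and (ideally) an expiry date. Running this from cron or
CI lists the entries that have expired, or were never given an expiry and
have quietly aged past a policy limit, so they get closed instead of lingering.
The JSON register format and the sample entries are constructed for this
illustration; the seven-day default is an assumed policy value.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import json

# Longest an exception may live without an explicit expiry before it is
# treated as forgotten (assumed policy value, not from the post).
DEFAULT_MAX_AGE = timedelta(days=7)


@dataclass
class Deviation:
    id: str
    kind: str            # e.g. "firewall-hole", "deferred-patch"
    owner: str
    reason: str
    opened: date
    expires: Optional[date]   # None means nobody wrote down an end date


def load_register(text: str) -> list:
    """Parse the JSON register; entries without an expiry get None."""
    out = []
    for raw in json.loads(text):
        out.append(Deviation(
            id=raw["id"],
            kind=raw["kind"],
            owner=raw["owner"],
            reason=raw["reason"],
            opened=date.fromisoformat(raw["opened"]),
            expires=date.fromisoformat(raw["expires"]) if raw.get("expires") else None,
        ))
    return out


def overdue(register, today, max_age=DEFAULT_MAX_AGE):
    """Return ids of deviations that should already be closed on `today`:
    an explicit expiry has passed, or there is no expiry and the entry is
    older than max_age (an open-ended exception is the classic forgotten one)."""
    flagged = []
    for d in register:
        if d.expires is not None:
            if d.expires < today:
                flagged.append(d.id)
        elif today - d.opened > max_age:
            flagged.append(d.id)
    return flagged


# Constructed sample register: one expired debug hole, one open-ended
# deferred patch on a "nothing important on it" box, one still-valid exception.
SAMPLE_REGISTER = """[
  {"id": "FW-17", "kind": "firewall-hole", "owner": "alice",
   "reason": "debug api-gateway 8443 from office", "opened": "2024-05-01", "expires": "2024-05-03"},
  {"id": "PATCH-4", "kind": "deferred-patch", "owner": "bob",
   "reason": "nothing important on build box", "opened": "2024-04-10"},
  {"id": "FW-18", "kind": "firewall-hole", "owner": "alice",
   "reason": "vendor support session", "opened": "2024-05-10", "expires": "2024-05-20"}
]"""


def audit(text=SAMPLE_REGISTER, today="2024-05-12"):
    """Run the check for a given day (ISO string or date) and return the ids."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return overdue(load_register(text), today)


if __name__ == "__main__":
    for ident in audit():
        print("still open, should have been closed:", ident)
```

On the sample data run on 2024-05-12 this reports FW-17 (its expiry passed nine days earlier) and PATCH-4 (no expiry at all, opened a month ago), and stays quiet about FW-18, which is still inside its window. The useful design choice is that an exception with no expiry is flagged on age alone: forcing Present You to write an end date is exactly the kind of friction that keeps Future You out of trouble.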

Pretending that you (and your team) NEVER do stupid stuff is silly. And no one would believe you, not even you.

Present You is usually a good friend to Future You, but not always. There is no shame in recognizing that fact and acting accordingly. Remember: your colleagues get to fix their spreadsheet formula stupidities, often with no one ever finding out, but your colleagues don't have literal armies of people trying to break every spreadsheet they make. You do have literal armies of people trying to break every system you deploy. Everybody makes mistakes so everybody has to either live with the consequences or fix those mistakes. In Cybersecurity, the consequences of being cracked open like a walnut are generally more severe than being a bit sheepish. Take the high road: Future You will thank you.

COTSS, because "Everyone makes mistakes so try to find and fix all of yours" makes a terrible acronym: EMMSTTFAFAOY.
