The insatiable urge to consume more, even when you're already bursting at the seams. The team that simply cannot say no to the next shiny new product, appliance, platform, or service. Their security stack resembles a digital hoarder’s paradise, a monument to every vendor demo they’ve ever attended. Their data lake is less a lake and more an ocean, overflowing with logs from systems they bought three years ago and still haven't fully integrated. You ask them what they need, and they respond, "Everything, but more."

Fundamentally, complexity in cybersecurity means a lack of visibility. The sheer number of components and point products in many modern networks makes identifying vulnerabilities, let alone remediating them, challenging.

Writing about computer systems twenty-five years ago, Schneier wrote that “the worst enemy of security is complexity” (Schneier, 1999), because complex systems are both easier to attack and harder to secure than simpler ones. In this essay, we provide an overview of Schneier’s complexity principle and provide our observations of how two articles in this issue, Liang et al. (2025) and Tanriverdi et al. (2025), employed this principle in their research. We also offer our ideas for why complexity and cybersecurity are especially amenable for study in the field of information systems and where future research can go from here.

Scale is the most important consideration as industry transforms information security and assurance across our supply chains. The transition to zero trust presents us with an opportunity to embrace network and security architectures that scale by centralizing the configuration and management of our systems, devices, and software. A focus on improving scale has the potential to not only improve security for organizations of all sizes but to also reduce the ongoing lack of qualified cybersecurity professionals.

Security Brutalism truths, because reality! Truth I: Real security is built on understanding systems, not buying solutions. Truth II: Depth beats breadth in security expertise. Truth III: Security brutalism practitioners cannot be rapidly trained. Truth IV: Effective security teams must exist before incidents occur. Truth V: Security brutalism requires organizational support beyond the security team.