Is Simplicity the Way Forward for Cybersecurity? - GDS Group

By Josh Porter | 10th June 2025

Cybersecurity is complex. Or is it? 

It’s not an exaggeration to say the threat from cyber-attacks has never been greater. Ever-expanding risk surfaces colliding with increasingly sophisticated attacks are what keep cybersecurity leaders up at night. But while cyber experts bend over backwards trying to secure everything, is there a way to simplify cybersecurity?

At last month’s Security Insight Summit in Dallas, our audience heard from Kevin J. Scott, CIO & Chief Technology Officer at PGA of America, who suggested embracing simplicity could be the solution. 

Defense-in-Depth VS… 

Defense-in-depth is the current gold standard for cybersecurity. Characterized by layers of security measures, defense-in-depth operates under the assumption that one layer alone can’t stop every threat. If attackers get past one layer, the only prize they win is the next one. 

Sounds logical, right? But with each added countermeasure, your security estate grows in cost and complexity. Managing multiple tools requires continuous oversight, careful configuration, and a laundry list of skills and proficiencies. 

Despite the challenge, defense-in-depth remains a staple for many, particularly in sectors where regulatory compliance and data protection are paramount. 

Kevin Scott, however, has another suggestion: simplify cybersecurity.

…Radical Simplicity 

Galvanized by a malware attack on his Active Directory, Scott launched a radical simplification strategy to remove legacy complexity and migrate to the cloud.


Scott’s unique perspective gave him license to question the assumptions around existing security strategies. Seeing how cloud migration had mitigated the fallout of that early malware attack, Scott doubled down. 

He stripped away nearly all on-prem infrastructure in favor of pure cloud and automation. He moved all services to AWS or SaaS, leaving a fully automated network at half the previous cost. No Active Directory. No VPN. And no on-prem data centers. With everything in the custody of cloud services, there was nothing left to protect or break into.

In short, Scott’s plan was to kill complexity and refocus the IT team on innovation, not babysitting servers. 

Is Simple Really Better? 

Security leaders comfortable behind their walls of security countermeasures may roll their eyes at radical simplicity, but there are definite benefits to paring things back. 

Fewer Vulnerabilities

Keep it simple, stupid. Scott makes a persuasive argument that simpler systems are easier to secure. By cutting back you also shrink your attack surface. There’s also the human cost of complexity. Fewer tools mean less alert fatigue, fewer errors, and a lighter load on your SOC. 

Cost and Efficiency

Scott’s strategy saw compute and ops costs drop: “When we first did the migration to AWS, our costs were cut in half. That felt pretty good. And then they were cut in half again.” Cloud billing is largely usage driven, so predictable workloads mean predictable spend. Your IT teams also get time back, freeing them up to spend more time developing. 

Predictability, Visibility, and Simplicity 

Simplified systems are generally easier to understand and manage and less prone to human error. With fewer components, IT teams can identify and address issues more quickly. 


What’s the Catch?

Radical simplicity has drawbacks too. 

Vendor lock-in and concentration risk create a single point of failure. Not only that, but with fewer layers, an organization must make sure the remaining defense is airtight. Simplicity demands discipline. If you want to follow in Scott’s footsteps, knowing where your responsibility for security ends and your cloud vendor’s begins is an absolute must.

It’s also not possible for every organization. Regulatory and legacy constraints pose a challenge for a lot of industries. In these cases, ripping out old tools isn’t trivial. Many compliance frameworks were written assuming physical boundaries and legacy directories. 

But Scott never claimed radical simplicity would be simple. His team spent years planning the cloud migration and change management that would lead to his simplified solution. 

Can We Simplify Cybersecurity?

Simplicity in cybersecurity offers real and measurable benefits: lower costs, streamlined operations, and, in many cases, a smaller attack surface. Scott’s radically simplified, cloud-native approach highlights just how far an organization can go in eliminating legacy complexity without compromising resilience. But, as compelling as simplicity is, it’s not a one-size-fits-all solution.

Scott was never out to convert everyone to radical simplification. His keynote underscored something bigger: that we may have underestimated the value of simplification done right. In a threat landscape that’s only getting more sophisticated, sometimes less truly is more. 

 
