And how to fix it without buying more tools.

Most organisations don't have a network security problem. They have a network complexity problem.

Over time, enterprise networks grow organically. New applications are introduced, new environments are spun up, sites are added, and firewall rules are created under time pressure or during project onboarding — and then never revisited. Each individual change is usually justified. The problem is that no one ever goes back to simplify what was built.

The result is a network that technically works, but is operationally fragile and increasingly risky.

The Real Cost of Complexity

The impact of network complexity goes far beyond security posture. It shows up as:

  • Firewall rules that no one dares to remove
  • Changes that take weeks instead of hours
  • High operational risk during simple modifications
  • Shadow rules that often permit more than they should
  • Audit cycles that turn into reactive firefighting
  • Security teams stuck maintaining legacy decisions instead of reducing risk

At this stage, many organisations conclude they need better tools. In reality, they already have powerful platforms in place. What they lack is structure, shared understanding, and visibility.

Tooling Is Not the Bottleneck — Structure Is

In most enterprise environments, in-house knowledge is scarce, fragmented, and unevenly distributed.

No single individual truly understands every application, system, dependency, and business requirement that consumes firewall services. Despite this, firewall cleanup and network security ownership are frequently assigned to one person — usually the most experienced engineer on the team.

This creates an unhealthy and unsustainable dynamic:

  • One person becomes the decision bottleneck
  • Legacy rules remain untouched due to uncertainty
  • Risk decisions are made without full business context
  • Knowledge stays tribal and undocumented

At the same time, application ownership itself is often weaker than organisations assume. In many cases, application owners do not fully understand their own applications — especially legacy systems that have evolved over years through incremental changes, team turnover, and undocumented integrations. This lack of clarity leads to understandable caution. When people are unsure how their application behaves, the safest option appears to be not changing anything at all — or as I like to call it: "if it works, don't fix it."

The result is predictable:

  • Firewall rules are preserved "just in case"
  • Overly permissive access remains in place
  • Security controls are avoided rather than refined

"Complexity persists not because teams are incapable, but because responsibility is centralised while understanding is fragmented — or missing altogether."

The way forward is not to force decisions, but to rebuild understanding. When application owners are supported in understanding how their applications consume network and firewall services, identifying which flows are truly required versus historical artefacts, and mapping technical dependencies to business functionality — they become active contributors to security rather than passive risk holders.

Protecting an application starts with understanding how it communicates. Firewall cleanup, done properly, becomes an opportunity to improve both security and application resilience — not a threat to stability.

Network Security Is a Team Sport

Effective network security simplification is not a hero exercise. Reducing complexity requires cross-functional collaboration:

  • Application owners explain why specific traffic exists
  • Infrastructure teams clarify how systems are connected
  • Security teams provide structure, risk framing, and guardrails
  • Decisions are documented, reviewed, and shared

When this collaboration happens, something important changes. Firewall rules stop being "technical artefacts" and become business decisions with clear ownership.

What Actually Works in Practice

In organisations that successfully reduce network complexity, the approach is surprisingly consistent:

  1. Establish visibility into real traffic flows, not assumptions
  2. Map flows to assets and business purpose
  3. Normalise and rationalise firewall rules
  4. Introduce rule lifecycle management (why it exists, who owns it, when it expires)
  5. Track progress using simple, honest metrics (e.g. percentage of reviewed and justified rules)

This is not glamorous work. But it is effective.
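To make the five steps concrete, here is a small added example (not code from the original article or any vendor platform) that runs the same review over a constructed rule base and a few constructed firewall log lines. The log format, the rule metadata fields (owner, purpose, expiry, last review) and the 365-day review window are all assumptions; swap in your own export and policy values.

```python
"""
Rule-lifecycle review over constructed sample data (added example, not the
article's own tooling). Log line format, rule fields and the review window
are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Rule:
    rule_id: str
    src: str                              # source network or "any"
    dst: str                              # destination network or "any"
    service: str                          # e.g. "tcp/443", or "any"
    owner: Optional[str] = None           # accountable application owner (step 2)
    purpose: Optional[str] = None         # business justification (step 4: why)
    expires: Optional[date] = None        # planned end of life (step 4: when)
    last_reviewed: Optional[date] = None  # last documented review


# Constructed rule base; FW-003 is the classic "any/any" legacy rule.
RULES = [
    Rule("FW-001", "10.10.0.0/24", "10.20.0.10", "tcp/443", "payments", "Web tier to API", None, date(2024, 3, 1)),
    Rule("FW-002", "10.10.0.0/24", "10.30.0.5", "tcp/1433", "payments", "Legacy reporting DB", date(2023, 12, 31), date(2023, 1, 15)),
    Rule("FW-003", "any", "10.40.0.0/24", "any", None, None, None, None),
    Rule("FW-004", "10.50.0.7", "10.20.0.10", "tcp/8443", "hr-portal", "Admin console", None, date(2024, 4, 10)),
]

# Step 1: constructed firewall log lines, one event each (deny lines carry no rule id).
FLOW_LOG = """\
2024-05-01T08:00:01Z action=allow rule=FW-001 src=10.10.0.4 dst=10.20.0.10 proto=tcp dport=443
2024-05-01T08:00:02Z action=allow rule=FW-001 src=10.10.0.9 dst=10.20.0.10 proto=tcp dport=443
2024-05-01T08:01:10Z action=allow rule=FW-003 src=192.168.5.5 dst=10.40.0.22 proto=tcp dport=22
2024-05-01T08:02:00Z action=deny  src=10.10.0.4 dst=10.30.0.5 proto=tcp dport=1433
2024-05-01T08:03:00Z action=allow rule=FW-004 src=10.50.0.7 dst=10.20.0.10 proto=tcp dport=8443
"""

REVIEW_DATE = date(2024, 5, 2)  # assumed "today" for the review run
LOG_RE = re.compile(r"action=allow\s+rule=(?P<rule>\S+)")


def count_hits(log_text: str) -> dict:
    """Step 1: observed hits per rule, taken from real allow events rather than assumptions."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits[m.group("rule")] = hits.get(m.group("rule"), 0) + 1
    return hits


def review_rules(rules, hits, today, review_window_days=365) -> dict:
    """Steps 3-4: flag each rule's lifecycle gaps and permissiveness; empty list = justified."""
    findings = {}
    for r in rules:
        issues = []
        if hits.get(r.rule_id, 0) == 0:
            issues.append("no-observed-traffic")      # candidate for removal, confirm with owner
        if r.owner is None:
            issues.append("no-owner")                 # nobody can answer "why does this exist?"
        if not r.purpose:
            issues.append("no-justification")
        if r.expires is not None and r.expires < today:
            issues.append("expired")
        if "any" in (r.src, r.dst, r.service):
            issues.append("overly-permissive")        # normalise to the flows actually seen
        if r.last_reviewed is None or (today - r.last_reviewed).days > review_window_days:
            issues.append("review-overdue")
        findings[r.rule_id] = issues
    return findings


def justified_percentage(findings: dict) -> float:
    """Step 5: the simple, honest metric - share of rules with no open findings."""
    if not findings:
        return 0.0
    clean = sum(1 for issues in findings.values() if not issues)
    return round(100.0 * clean / len(findings), 1)


if __name__ == "__main__":
    hits = count_hits(FLOW_LOG)
    findings = review_rules(RULES, hits, REVIEW_DATE)
    for rule_id, issues in findings.items():
        print(f"{rule_id}: hits={hits.get(rule_id, 0)} issues={issues or 'none'}")
    print(f"reviewed and justified: {justified_percentage(findings)}%")
```

Run as-is and the report shows FW-001 and FW-004 as justified, FW-002 as unused, expired and overdue, and FW-003 as ownerless and overly permissive, giving a 50.0% justified-rule figure to track over successive cleanup rounds. The point of the structure is that every finding maps back to a named owner and a documented purpose, which is what turns a rule from a technical artefact into a business decision.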

The Outcome: Less Risk, More Agility

When complexity is reduced deliberately:

  • Security posture improves measurably
  • Change velocity increases
  • Audit conversations become factual instead of defensive
  • Knowledge moves from individuals into the organisation

The most important shift is cultural. Network security becomes an operational discipline, not a collection of tools.

Final Thought

If your firewall is slowing the business down, it's rarely because it is "too strict". More often, it's because the network has become too complex to manage safely. The solution is not another product. It's structure, visibility, and shared ownership.