Details. Details. So many details...
There's a Time and Place for Detail
One of the results of my misspent youth was becoming a Summer Mountain Leader.
At 18, I was qualified - and paid - to take groups safely into the mountains of the UK.
While it's easy to say - “But the UK doesn't have any real mountains...”
Helvellyn was at the end of my garden. And I walked the path to the summit daily.
Wrangling groups three times my age... with dodgy knees on ridge scrambles is tricky.
Where are we - exactly?
What are the escape routes?
What is the terrain for the next 10 meters?
And then there were the night ascents.
Inevitable cloud cover, with no stars to help.
Pitch black - but for the circle of light coming off my head torch.
The cliffs were still there.
The falls - just as dangerous.
But - you couldn't see them.
Night navigation is incredibly detailed.
The slightest inflection of a contour can tell you exactly where you are within 5 meters.
Decisions are made by counting steps.
But then comes the winter - and the snow.
A different set of challenges.
And the crisp details of summer become broad brushstrokes of lumps and dips.
In winter, less is more.
Don't use a detailed map.
Focus on the outcome and the next milestone.
Move it broad sweeps - rather than on intricate paths.
Look at the bigger picture.
That's all that matters.
The wind will change the details by the time you've finished your hot chocolate.
This week, the idea of tuning out the detail popped into my head while reviewing Microsoft 365 Conditional Access policies.
Unlike writing firewall rules - they aren't sequential. Instead, they operate in parallel - creating a mesh of permissions.
As I battled ever-increasing levels of detail and nuance - I started to lose the bigger picture.
How did Rule 23 fit into the bigger picture?
By stepping back, tuning out the detail, and looking to move in broad sweeps - I had...
Attack surface reduction - to limit the scope.
Managing emergency access.
General best practices.
And special cases.
By reducing the scope of what was required - the gaps and the intent of the rules became clearer.
When reviewing security controls - sometimes - details are problematic, and less is more.