Surface Area
Operations & security practice; “luck surface area” popularised by Jason Roberts

“Surface area” is the set of interfaces and contact points where your system, team, or product meets the world: APIs, suppliers, SKUs, pages, meetings, commitments. A larger surface means more things can happen. That can be good (more chances for sales, ideas, luck) or bad (more failures, attacks, obligations). The craft is to shrink downside surfaces (attack, error, fragility) and expand upside surfaces (distribution, partnerships, serendipity), while keeping complexity in check.
Downside surfaces (reduce/harden) – security endpoints, manual steps, single points of failure, legal exposures, operational handoffs.
Upside surfaces (expand/enable) – routes to demand, shareable assets (APIs, content, talks), partner interfaces, contributor on-ramps.
Convexity rule – when payoffs are asymmetric (limited loss, uncapped gain), increase exposure; when losses can be catastrophic, reduce or buffer.
Edge counting – risk/opportunity often scales with number × quality of edges (connections) rather than size of the core.
Security/SRE – expose fewer public endpoints; grant least privilege; rate-limit what remains; simplify configs so they can actually be reviewed.
Ops design – fewer handoffs; standardise SKUs; consolidate vendors; queue to decouple.
GTM & growth – more qualified touchpoints: distribution partners, content, open-source, referrals.
Product/platforms – curated APIs, templates, and self-serve docs expand safe adoption.
Personal/career – publish, teach, and network (upside); avoid commitments that create rigid liabilities (downside).
Map surfaces – list interfaces by domain: tech (APIs/ports), ops (handoffs), legal (contracts), finance (covenants), GTM (channels), content (assets).
Classify each – Downside (breach, defect, cost) vs Upside (reach, learning, revenue).
Decide per class
Downside: remove, merge, or harden (authZ, limits, monitoring, playbooks).
Upside: amplify with low-cost replication (content syndication, APIs, partners), and instrument quality.
Design for convexity – cap downside (limits, escrow, sandbox, small batch sizes) so you can safely widen upside surfaces.
Simplify – prefer fewer, higher-quality interfaces over many brittle ones; create gateways and standards.
Instrument – track breach/incident rate, MTTR, change failure rate (downside), and qualified leads/activations/referrals (upside).
Review cadence – quarterly “surface audit”: add two upside edges, remove or harden two downside edges.
More edges than capacity – expansion without automation creates toil and error.
Common-mode dependencies – “redundant” edges that fail together (same cloud/region/vendor).
Unqualified exposure – adding channels that attract the wrong users; raise qualification bars and add filters before widening the channel.
Interface sprawl – too many public APIs/SKUs/CTAs increase cognitive load and attack surface.
Neglecting maintenance – stale docs and untested fallbacks turn upside edges into liabilities.
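The audit procedure above (map, classify, decide, prioritise for the quarterly review) and the common-mode-dependency pitfall can be turned into a small script that runs against an interface inventory. The code below is an example added for this page, not the author's own tooling; the inventory, the field names (`exposure`, `authz`, `rate_limit`, `monitored`, `last_used_days`, `depends_on`, `redundant_with`), the 90-day staleness threshold and the per-exposure control policy are all constructed assumptions chosen to illustrate the method.

```python
"""Quarterly "surface audit" over a constructed interface inventory.

Example code added for this page (not from the original author). The
inventory, field names, thresholds and control policy are assumptions
chosen to illustrate the procedure: map edges, classify each downside
edge as remove/harden/keep, check "redundant" edges for common-mode
dependencies, and pick the two edges to act on this quarter.
"""
from itertools import combinations

STALE_DAYS = 90  # assumption: an exposed edge unused this long is a removal candidate

# Controls an edge must carry, by how far it is exposed (assumed policy).
REQUIRED_CONTROLS = {
    "public": ("authz", "rate_limit", "monitored"),
    "partner": ("authz", "monitored"),
    "internal": ("authz",),
}
SEVERITY = {"public": 3, "partner": 2, "internal": 1}

# Constructed inventory. "depends_on" names shared infrastructure an edge
# relies on; "redundant_with" claims that two edges back each other up.
INVENTORY = [
    {"name": "POST /v1/pay", "exposure": "public", "authz": True,
     "rate_limit": True, "monitored": True, "last_used_days": 1,
     "depends_on": {"aws:us-east-1", "vendor:stripe"}},
    {"name": "GET /v1/export", "exposure": "public", "authz": False,
     "rate_limit": False, "monitored": True, "last_used_days": 3,
     "depends_on": {"aws:us-east-1"}},
    {"name": "GET /v0/legacy-report", "exposure": "public", "authz": True,
     "rate_limit": False, "monitored": False, "last_used_days": 200,
     "depends_on": {"aws:us-east-1"}},
    {"name": "SFTP batch drop", "exposure": "partner", "authz": True,
     "rate_limit": False, "monitored": False, "last_used_days": 2,
     "depends_on": {"aws:us-east-1", "vendor:acme"}},
    {"name": "Primary DB", "exposure": "internal", "authz": True,
     "rate_limit": False, "monitored": True, "last_used_days": 0,
     "depends_on": {"aws:us-east-1"}, "redundant_with": "Replica DB"},
    {"name": "Replica DB", "exposure": "internal", "authz": True,
     "rate_limit": False, "monitored": True, "last_used_days": 0,
     "depends_on": {"aws:us-east-1"}, "redundant_with": "Primary DB"},
]


def classify(edge):
    """Return (action, reasons) for one downside edge.

    remove: exposed beyond the team and unused for more than STALE_DAYS
    harden: missing a control that REQUIRED_CONTROLS demands for its exposure
    keep:   otherwise
    """
    exposure = edge["exposure"]
    if exposure != "internal" and edge["last_used_days"] > STALE_DAYS:
        return "remove", [f"unused for {edge['last_used_days']} days"]
    gaps = [c for c in REQUIRED_CONTROLS[exposure] if not edge.get(c)]
    if gaps:
        return "harden", [f"missing {c}" for c in gaps]
    return "keep", []


def audit(inventory):
    """Classify every edge; returns {name: (action, reasons)}."""
    return {e["name"]: classify(e) for e in inventory}


def common_mode_pairs(inventory):
    """Edges that claim to be redundant but share a dependency, so they
    fail together; returns [(name_a, name_b, sorted shared deps)]."""
    pairs = []
    for a, b in combinations(inventory, 2):
        claimed = a.get("redundant_with") == b["name"] or b.get("redundant_with") == a["name"]
        shared = a["depends_on"] & b["depends_on"]
        if claimed and shared:
            pairs.append((a["name"], b["name"], sorted(shared)))
    return pairs


def prioritise(inventory, n=2):
    """The n downside edges to act on this quarter: most exposed first,
    then the most missing controls; returns [(name, action)]."""
    findings = audit(inventory)
    scored = [((SEVERITY[e["exposure"]], len(reasons)), e["name"], action)
              for e in inventory
              for action, reasons in [findings[e["name"]]]
              if action != "keep"]
    scored.sort(key=lambda t: (-t[0][0], -t[0][1], t[1]))
    return [(name, action) for _, name, action in scored[:n]]


if __name__ == "__main__":
    for name, (action, reasons) in audit(INVENTORY).items():
        print(f"{action:6} {name:24} {'; '.join(reasons)}")
    for a, b, shared in common_mode_pairs(INVENTORY):
        print(f"common-mode: {a} / {b} both depend on {shared}")
    print("this quarter:", prioritise(INVENTORY))
```

Running it flags the unauthenticated, unthrottled public export for hardening, the stale legacy report for removal, the unmonitored partner drop for hardening, and the primary/replica pair as "redundant" edges that share a single region. In practice the inventory would be generated from a gateway or cloud-asset API rather than typed by hand, but the decision rules stay the same.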
