The majority of all data breach incidents do not result from circumvention of advanced defensive systems and complex security controls; but from the failure of well-established systems, in particular firewalls, that have become too numerous and complex to manage effectively. This paper discusses the implications of firewall policy complexity, why it remains a problem today and how to resolve it.