Too Deep Is Not an Argument

I built an assessment with 110 questions in it. When we started running it, everyone liked the output. There was exactly one complaint, and it came back every time: it's too deep, it takes too long. I understand the constraint behind that. I will never accept it as an argument against doing the work.

The assessment covers change management, compliance, security settings at every layer, deep dives on the line-of-business apps, a full server storage review — what's taking up space, what's actually used, what's just archival — network inventory, workstation configurations, lifecycle management, and business context. For a client you've never worked with, filling it out accurately can take eight hours. For one you already know well, you can often get it down to about two. So the pushback was never "this is wrong." It was "where am I going to fit eight hours into the schedule." That's a real problem. It's a scheduling problem. It is not a reason to skip the understanding.

Because here's the thing nobody could argue with: if you actually go through the assessment, you come out understanding the client's environment. And you cannot make good, long-term, strategic decisions for a business you don't understand. The depth isn't there to pad a document. It's there to force a human being to go get the understanding.

The assessment itself isn't valuable. What it forces — one human actually understanding the environment — is where all the value comes from.

This is the part most people miss. The assessment isn't about checking boxes or listing which standards a client meets. If it were, you could automate the whole thing, split the 110 questions across five people, collect every answer, and call it done. You'd have a complete document and not one person who could confidently say they understand how the client operates. The document is not the deliverable. The understanding is. Everything that produces value — the roadmap, the strategy, the right call on what to eliminate versus keep — happens after, and only if someone is holding the whole picture in their head.

A shallow pass has its place. It's great at finding the low-hanging fruit: end-of-life hardware, a missing stack deployment, antivirus that never got installed. Worth knowing, worth fixing. But that pass generates very little insight, very little strategy, and very little recurring value for either side. Knowing what's broken is not the same as understanding what to do about it.

What depth actually buys you

We onboarded a brand-new client. The first 30 days were the standard stuff — gathering passwords, deploying our stack, lifting the basic support. Thirty days in, you have almost no real understanding of how a client works. Then we ran the deep assessment. Afterward, we knew how they operated, which systems did which work, what they actually valued from their technology, and what was simply broken. Four hours of assessment, three hours of documentation, four hours of roadmapping — and we produced $50,000 of new recurring work that the client approved on the spot.

What the depth surfaced: the network was a mess underneath. Broadcast storms throughout. Most machines were running under 5 Mbps even over wired ethernet. Switches were failing every other week. Remote access was insecure. There were three different DHCP servers fighting each other and the wifi was slow. Half of all users were signing into their computers and their applications with the same shared login. No MFA anywhere. No auditing. OneDrive was a disaster, because nobody had individual accounts in the first place.

So we rebuilt the foundation. Data got cleaned up. Every user now has their own identity synced to Entra and matching their email format. MFA is enforced. OneDrive is finally being used the way it was designed to be. Battery backups were replaced, the ISPs were upgraded, and the network now runs at a gigabit minimum — with the access points and switching already capable of a 10 Gb backplane the moment they need it or it simply becomes the obvious move. Identity is consistent across the board.

A shallow pass would have flagged "the switches are old, replace them," and stopped there. It never would have caught the shared-login identity problem, traced the broadcast storms, or tied all of it into one coherent roadmap a client signs immediately. Depth is what turned a hardware refresh into a foundation.

So is depth ever too much?

Yes — for the parts that are binary. Whether MFA is enforced, whether antivirus is deployed, whether last night's backup actually ran: those are checkboxes, and they should be automated. People with more access than me are building exactly that, and they should. But the rest of the assessment doesn't exist to collect answers. It exists to build understanding and judgment, and you cannot automate judgment.

That's the real line. It isn't deep versus fast. It's mechanical versus human. Automate every mechanical check you can. Never automate the part where a person comes to understand the business. When someone tells me an assessment is "too deep," what they almost always mean is "this takes time I hadn't planned for." Fair enough. Find the time. The alternative — making strategic decisions for a business you don't actually understand — costs a lot more than eight hours.