About Security Brutalism
In an increasingly complex and noisy tech world, organizations often get bogged down in a proliferation of security tools and overly complicated strategies. Security Brutalism offers a contrasting philosophy: a return to the fundamental principles of security, prioritizing robust core controls, transparency and openness, and functional efficiency over complexity. This approach aims to build a resilient and understandable security foundation that effectively mitigates key risks without the unnecessary overhead and opacity that can plague modern security programs.
Security Brutalism helps focus on what truly matters and ensures everyone understands the "why" behind the security measures, leading to a stronger security culture and a more defensible organization.
In short: What you see is what's enforced; what breaks doesn't collapse the system; and what remains is strong and recoverable.
The Why Behind Security Brutalism
I’ve been in the security field for over 20 years, working across nearly every aspect of it. However, in the past decade, I’ve seen how security has become flooded with vendors offering random solutions, each claiming to solve problems we didn’t even know we had. Meanwhile, regulations continue to pile on new requirements, only adding to the complexity. This has made it increasingly difficult to prioritize what actually needs attention, especially when it comes to identifying the real gaps and issues that need fixing.
We’re facing a growing need for resources, yet budgets keep shrinking. Alerts are flooding our monitoring systems, but we have no clear understanding of their root causes. New controls are being implemented, but they often fail when put to the test.
And the people who should be benefiting from security still don’t fully understand it.
This is the reason behind Security Brutalism. It's a return to a no-nonsense, transparent, and robust approach to security, prioritizing effectiveness, simplicity, clarity, and resilience over superficial aesthetics.
My goal was to develop a security program centered around simplicity and strong fundamental protections. Similar to its architectural style counterpart, it focuses on a raw, functional, unadorned, and genuinely straightforward approach to security. You can read more on the Security Brutalist Blog.
If you need to contact me, please send a message to info @ security brutalist dot com. If you're interested in implementing the Security Brutalism principles in your organization, check out Black Arrows.
Please also consider supporting the site. Get a T-shirt.
Disclaimer
The views and opinions expressed on this blog are solely my own and do not reflect the official positions or endorsements of any current or former employers, teams, clients, or affiliated organizations.
All content, including information and suggestions, is provided "as is" without any warranties or guarantees of any kind. By using or applying any material from this site, you acknowledge that you do so at your own risk. I accept no responsibility or liability for any issues that may arise, including but not limited to malfunctions, damage, or security breaches.
You are solely responsible for any actions you take based on the content presented here. If you do not agree with these terms, please refrain from using or referencing this website.
Privacy
This site does not collect personal information, track user activity, or require the submission of any data.
