THE SECURITY BRUTALIST

Purpose or Attack Surface

Every component in your environment exists in one of two states: it either serves a clear purpose, or it expands your attack surface. There is no middle ground. "We might need it someday" is not a justification. Neither is "we've always had it".

This is one of the fundamental truths of Security Brutalism. If something does not directly support the business, it is attack surface.

Look around your environment. Count the services nobody uses, the APIs maintained "just in case", the dashboards nobody has opened in months, and the authentication methods retained for convenience. Each one represents a conscious decision to accept additional risk in exchange for theoretical value.

Every unused service is another door. Every forgotten administrative interface is another path an attacker can exploit. Attackers do not care about your roadmap, your org chart, or the reasons something was left in place. They care about reachable systems and exploitable complexity.

"The worst enemy of security is complexity... complex systems are both easier to attack and harder to secure than simpler ones."
- Bruce Schneier

The math is simple. More components create more entry points. More entry points expand the attack surface. A larger attack surface increases the likelihood of compromise. Conversely, the less there is to attack, the less there is to defend.

Security is not minimalism for its own sake. Every component should justify its existence through a direct contribution to business operations. If removing it would have little operational impact, its continued presence deserves scrutiny.

However, reality is rarely that perfect. Organizations inherit legacy systems, contractual obligations, and political constraints. Some components cannot be removed immediately. When elimination is not possible, isolation becomes mandatory. Segment these systems, restrict their access, monitor them aggressively, and surround them with compensating controls. Assume they will eventually fail and design accordingly.
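One way to apply the purpose filter and the isolate-when-you-cannot-remove rule on a single host, as an added example that is not part of the original essay. It parses a constructed sample of `ss -H -tln` output and checks each listener against a hypothetical purpose register; `REGISTER`, the verdict names, and the use of a wildcard bind as the isolation test are assumptions of this example.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not from a real host).
SS_OUTPUT = """\
LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
LISTEN 0 128  10.0.5.12:22    0.0.0.0:*
LISTEN 0 50   0.0.0.0:21      0.0.0.0:*
LISTEN 0 100  0.0.0.0:8080    0.0.0.0:*
LISTEN 0 128  127.0.0.1:5432  0.0.0.0:*
LISTEN 0 128  [::]:9000       [::]:*
"""

# Hypothetical purpose register: every listener must name the business
# function it serves. "legacy" marks components that cannot be removed yet.
REGISTER = {
    443:  {"purpose": "customer storefront", "legacy": False},
    22:   {"purpose": "admin access via bastion", "legacy": False},
    5432: {"purpose": "orders database", "legacy": False},
    21:   {"purpose": "contractual partner file drop", "legacy": True},
}

def parse_listeners(text):
    """Yield (address, port) for each listening TCP socket."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        yield addr.strip("[]").split("%")[0], int(port)

def is_wildcard(addr):
    """True when the socket accepts connections on every interface."""
    return addr == "*" or ipaddress.ip_address(addr).is_unspecified

def classify(addr, port, register=REGISTER):
    entry = register.get(port)
    if entry is None:
        return "ATTACK_SURFACE"   # no stated purpose: candidate for removal
    if entry["legacy"]:
        # Cannot be removed yet, so it must not listen on every interface.
        return "ISOLATE" if is_wildcard(addr) else "ISOLATED"
    return "PURPOSE"

def audit(text=SS_OUTPUT):
    return [(a, p, classify(a, p)) for a, p in parse_listeners(text)]

if __name__ == "__main__":
    for addr, port, verdict in sorted(audit(), key=lambda r: r[1]):
        print(f"{port:>5}  {addr:<12} {verdict}")
```

A bind address is only one signal of isolation; network segmentation and access restrictions have to be verified separately.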

Unnecessary complexity accumulates because organizations optimize for convenience. Flexible authentication methods, overlapping tools, and legacy platforms often appear useful, but convenience for defenders frequently becomes convenience for attackers.

Focus on subtraction, the hardest discipline in security. It means retiring services that still seem useful, consolidating tools that work adequately in isolation, and refusing features that add complexity without meaningful value. Teams will resist, users will complain, and stakeholders will question the decision. Remove it anyway if it cannot justify its existence.

Purpose is the filter. Strip away the convenient, eliminate the redundant, and remove the unused. What remains should be essential, defensible, and aligned with business objectives. Attackers exploit complexity. Meet them with simplicity.

In security, minimalism is not aesthetic. It is survival.