Security Brutalism: Reducing Complexity
K. B. asked: "You mentioned multiple times that modern cybersecurity has become too complex. Why? How come people are making it so complex? And why do you think the Security Brutalism approach might help fix this?"
I was wondering when this question would come up.
Security has grown complex because every wave of new technology, regulation, and organizational change added controls without removing old ones. Cloud services, SaaS platforms, and global supply chains multiplied the number of systems that need defending. Regulations layered compliance requirements on top of each other, sometimes in conflict with one another. Business units deployed their own tools without central oversight, and security teams responded to each new threat by buying another product. After ten years or so of this accumulation, the result is environments where nobody has full visibility, configurations drift, and the sheer volume of alerts and processes creates more room for human error than it eliminates.
Most of this complexity was not deliberate. Organizations added point solutions to address specific threats, and those solutions accumulated. The pace of technology adoption consistently outran the ability to integrate and secure new systems coherently. Complexity became the default state, not a choice.
"Complexity in cybersecurity reduces visibility and increases vulnerability to human error and attacks. Consolidating security tools into a unified platform is crucial for eliminating blind spots and improving efficiency." - World Economic Forum
Security Brutalism pushes back against that default. Fewer tools mean fewer configuration gaps and fewer blind spots. Clear, auditable architectures are easier to defend than layered ones full of hidden dependencies. Systems designed to be secure from the start require less reactive patching and less heroic intervention when something goes wrong. Simplicity is not a constraint on good security. It is what makes good security possible to maintain under pressure.
"The worst enemy of security is complexity... complex systems are both easier to attack and harder to secure than simpler ones." - Bruce Schneier
The complexity problem in security is not going to solve itself. Every new technology adds surface area, and the instinct under pressure is always to add another control rather than remove two old ones. Security Brutalism is a discipline against that instinct, keeping environments lean enough that defenders can actually see what is happening and act on it before the damage spreads.