Security Brutalism: Reducing Complexity
K. B. asked: "You mentioned multiple times that modern cybersecurity has become too complex. Why? How come people are making it so complex? And why do you think the Security Brutalism approach might help fix this?"
Thank you for this question. I was wondering when it would be asked...
Modern security (I don't use the "C" word) is complex due to a combination of technological, organizational, and regulatory factors that have evolved rapidly in the past 10 years or so. The main drivers of this complexity, in my opinion, include:
- Proliferation of Systems and Tools: Organizations deploy multiple security and IT tools, platforms, and systems, each with its own configurations and requirements. This increases the attack surface and makes it difficult to maintain visibility across the entire environment, leading to more opportunities for attackers and more room for human error.
- Interconnected Supply Chains: The rise of cloud services, SaaS, and global supply chains means organizations depend on a web of third-party vendors. Each connection introduces new vulnerabilities, and the complexity of these relationships makes it challenging to secure every link, further expanding the attack surface.
- Rapid Technological Change: Emerging technologies like AI, IoT, and mobile computing add layers of complexity. Security teams must defend against threats across many different platforms and devices, often with limited resources.
- Regulatory Overload: Increasing numbers of industry-specific regulations and privacy standards require organizations to implement multiple, sometimes conflicting, controls and processes. Managing compliance across jurisdictions adds further complexity.
- Human and Organizational Factors: As organizations grow, they add people, processes, and systems, each introducing potential gaps or inconsistencies in security practices. Shadow IT, where employees use unauthorized tools, further complicates oversight and control.
"Complexity in cybersecurity reduces visibility and increases vulnerability to human error and attacks. Consolidating security tools into a unified platform is crucial for eliminating blind spots and improving efficiency." (World Economic Forum)
Why is this complexity happening?
People are making security complex, often unintentionally, because:
- They add new tools to address specific threats, leading to "point solution sprawl."
- Business units deploy their own technologies without central oversight (shadow IT).
- The need to comply with diverse regulations forces organizations to implement overlapping controls.
- The pace of "digital transformation" and innovation often outstrips the ability to integrate and secure new systems coherently.
How can Security Brutalism help?
Security Brutalism advocates for radical simplification and transparency in security design. Instead of layering more tools and controls, it calls for reducing the number of moving parts in the environment, prioritizing clear, understandable architectures that minimize hidden dependencies, and building secure-by-design systems that are resilient because of their simplicity, not despite their complexity.
This approach can help fix security’s complexity problem by making vulnerabilities and misconfigurations easier to spot and remediate, lowering the risk of human error by reducing the cognitive load on defenders, and improving the ability to audit, maintain, and evolve security controls as threats change.
"The worst enemy of security is complexity... complex systems are both easier to attack and harder to secure than simpler ones." (Bruce Schneier)
To Close
Modern security is complex because of the explosion of interconnected technologies, regulatory demands, and organizational sprawl. This complexity is largely a byproduct of attempts to keep pace with evolving threats and business needs. Security Brutalism offers a path forward by emphasizing simplicity, transparency, and secure-by-design principles, making it easier to build, maintain, and defend resilient systems.