THE SECURITY BRUTALIST

Identify and Eliminate Unnecessary Security Layers

Julie Q. asked: "How can I identify and eliminate unnecessary security layers on a current program to adopt a Security Brutalist approach?"

Start by inventorying everything: every tool, control, and process currently in place. For each one, ask what specific threat it addresses and whether it would be missed if it disappeared tomorrow. Most security stacks have accumulated controls that nobody champions or fully understands, and nobody would notice losing. Those are the first candidates for removal.

Once you have the inventory, look for overlap. Two tools solving the same problem is not defense in depth; it is complexity that costs money, creates a maintenance burden, and makes the environment harder to understand under pressure. Pick the one that performs better and cut the other. Apply the same logic to processes: if a workflow exists because it once satisfied an audit requirement but does not actually reduce risk, it goes.

The brutalist filter is simple: if a control cannot be explained clearly by the person responsible for it, it is a candidate for removal. If it cannot be audited, it is a liability. If it does not tie back to a current, credible threat, it is overhead. Keep what reduces risk, hardens the environment, or improves your ability to detect and recover. Remove everything else.
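The inventory, overlap and filter steps above can be run as one triage pass over a structured list of controls. The script below is an added illustration, not part of the original post: every control name, threat label and effectiveness score in it is constructed, and the overlap rule (a control whose threats are all already covered by better-scoring survivors is redundant) is one reasonable reading of "pick the one that performs better", not a rule the post itself spells out.

```python
"""Triage a control inventory with the brutalist filter: flag controls
nobody can explain, nobody can audit, nobody would miss, or that map to
no current threat, then drop survivors whose coverage is pure overlap."""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Control:
    name: str
    threats: frozenset          # threats the control is claimed to address
    owner_can_explain: bool     # the responsible person can explain what it does and why
    auditable: bool             # it leaves a clear, reviewable trail
    would_be_missed: bool       # someone would notice if it disappeared tomorrow
    effectiveness: float        # 0..1, assumed score used to break overlap ties


def triage(controls, current_threats):
    """Return (keep, remove): keep is an ordered list of control names,
    remove maps a control name to the list of reasons it is a candidate."""
    remove = defaultdict(list)
    for c in controls:
        if not c.owner_can_explain:
            remove[c.name].append("owner cannot explain it")
        if not c.auditable:
            remove[c.name].append("cannot be audited")
        if not (c.threats & current_threats):
            remove[c.name].append("no current, credible threat")
        if not c.would_be_missed:
            remove[c.name].append("nobody would miss it")

    # Overlap pass over the survivors: walk them best-first and drop any
    # control whose threats are already fully covered by better ones.
    survivors = sorted((c for c in controls if c.name not in remove),
                       key=lambda c: c.effectiveness, reverse=True)
    kept, covered = [], set()
    for c in survivors:
        if c.threats <= covered:
            better = [k.name for k in kept if k.threats & c.threats]
            remove[c.name].append("overlaps with " + ", ".join(better))
        else:
            kept.append(c)
            covered |= c.threats
    return [k.name for k in kept], dict(remove)


# Constructed sample inventory; names, threats and scores are illustrative only.
CURRENT_THREATS = {"credential theft", "phishing", "commodity malware",
                   "lateral movement", "unpatched services"}

INVENTORY = [
    Control("MFA on SSO", frozenset({"credential theft", "phishing"}), True, True, True, 0.9),
    Control("EDR agent", frozenset({"commodity malware", "lateral movement"}), True, True, True, 0.85),
    Control("Legacy AV agent", frozenset({"commodity malware"}), True, True, True, 0.5),
    Control("Patch SLA (7 days critical)", frozenset({"unpatched services"}), True, True, True, 0.8),
    Control("Orphaned DLP rule set", frozenset({"data exfiltration"}), False, True, False, 0.4),
    Control("Annual vuln scan for audit", frozenset({"unpatched services"}), True, True, False, 0.3),
]


def report(controls=INVENTORY, current_threats=CURRENT_THREATS):
    """Print the triage outcome and return it for further processing."""
    keep, remove = triage(controls, current_threats)
    print("KEEP:    " + ", ".join(keep))
    for name, reasons in remove.items():
        print(f"REMOVE?  {name}: {'; '.join(reasons)}")
    return keep, remove


if __name__ == "__main__":
    report()
```

On the sample data the legacy AV agent survives every filter question but is dropped because the EDR agent already covers its only threat with a better score, while the orphaned DLP rule set fails three questions at once. The output is a list of candidates with reasons, not a decision: the point is to make each removal defensible in the same terms the filter uses, so the person who owns the control can argue against it with evidence.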

What remains should be hardened and made visible. Strong authentication, least privilege, secure configuration, and fast patching are the foundation. Automate the routine work so your team's attention stays on what requires judgment. Make sure every control leaves a clear, reviewable trail, because during an incident you will need to know exactly what happened and when.

Run this process on a regular cycle. The environment changes, threats shift, and controls that were load-bearing last year may be redundant today. A lean security stack is not a one-time achievement. It requires the same discipline to maintain as it does to build.