Security Brutalism Metrics
Brutalist Security Metrics prioritize clear and direct indicators of fundamental security posture and operational effectiveness.
Key Metrics To Track
As defined in the Lightweight Brutalist Security Playbook, these are:
- Percentage of infrastructure defined in code. Target is 100%.
- MFA coverage (users, services). Target is 100%.
- Percentage of accounts with least privilege. Target is 95%+.
- Secrets exposed in past 30 days. Target is 0.
- Time to detect/contain incident. Target is <1 hour.
- Security training completion. Target is 100%.
Let's expand on each of them.
Core Posture and Security Hygiene
- Percentage of Infrastructure Defined as Code: This directly measures the transparency and auditability of your infrastructure. Higher percentages indicate a more controlled and repeatable environment. Target is 100%.
- MFA Coverage (percentage of Users/Accounts): This is a fundamental control against unauthorized access. The metric should reflect the percentage of all applicable user accounts and privileged accounts protected by multi-factor authentication. Target is 100%.
- Percentage of Accounts Adhering to Least Privilege: This measures the principle of granting only necessary access rights. Track the percentage of user and service accounts operating with the minimum required permissions. Target is a high percentage, above 95%.
- Secrets Exposed (Count) in Past 30 Days: This directly measures the leakage of sensitive credentials. A lower number indicates better secrets management practices. Target is 0.
Operational Effectiveness
- Mean Time To Detect (MTTD) Security Incidents: This measures the efficiency of your detection capabilities. Track the average time from when an incident occurs to when it is identified. Target should be a decreasing trend over time, with specific targets based on the severity and type of incident. Less than an hour is the goal.
- Mean Time To Contain (MTTC) Security Incidents: This measures the efficiency of your response capabilities. Track the average time from when an incident is detected to when it is effectively contained. Target is also a decreasing trend over time, with specific targets based on the severity and type of incident. Less than an hour is the goal.
The Human Factor (Measured Functionality)
- Security Training Completion Rate (percentage of Assigned Users): This measures the basic hygiene of ensuring your personnel receive essential security awareness training. Focus on completion of relevant and actionable training modules. Target is 100%.
Why These?
These metrics are direct and understandable: each clearly indicates a specific aspect of security posture or operational efficiency. They remain actionable, since changes in them directly reflect the impact of security efforts. They are objective, primarily quantitative and less prone to subjective interpretation. And they focus on the fundamentals, addressing core security principles and essential operational capabilities.
There are More
There are more metrics we can use to support a Brutalist Security program; however, the ones above are the base, the foundation. If you are planning to add more, keep in mind the following things to avoid:
- Vanity Metrics: Numbers that look good but don't reflect actual security improvement (e.g., number of security tools deployed).
- Overly Complex or Abstract Metrics: Metrics that are difficult to understand or don't directly translate to tangible security outcomes.
- Metrics That Encourage Gaming the System: Metrics that can be easily manipulated without actually improving security.