Security Brutalist Program: Building from Zero

This guide is designed for organizations looking to build a security function from the ground up or overhaul one that's underperforming. Based on the principles of Security Brutalism, it emphasizes strength, simplicity, and an uncompromising focus on core fundamentals. The goal is to establish a solid foundation that can support future growth and development.

For a deeper dive, check Starting a Security Program from Scratch, Implementing Security Brutalism Without Breaking the Business, and Security Brutalism 3-Year Implementation.

Finally, check the A Lightweight Brutalist Security Playbook to stay on track with maintaining and evolving the program.

Core Principles

• Uncompromising Focus: Prioritize the essential security controls that directly reduce the most significant risks.
• Strict Simplicity: Avoid complex systems and solutions. Choose what is easiest to implement, maintain, and understand.
• Ruthless Efficiency: Maximize security with minimal resources. Eliminate any activity that doesn't directly contribute to risk reduction.
• Extreme Clarity: Document everything clearly and concisely. Ensure everyone understands their roles and responsibilities.
• Resolute Ownership: Clearly define who is responsible for each security control. Accountability is paramount.

The Brutalist Security Team

A small, agile team focused solely on establishing and maintaining the core security functions.

Roles:

• Security Lead: Sets strategy, manages the team, and communicates with stakeholders.
• Security Engineer: Implements and maintains security controls.
• Security Analyst: Monitors systems, responds to incidents, and assesses vulnerabilities.

Characteristics:

• Highly Skilled: Deep expertise in core security domains.
• Results-Oriented: Focused on achieving tangible security improvements.
• Pragmatic: Prioritizes effective solutions over perfect ones.
• Autonomous: Able to work independently and make quick decisions.

The Brutalist Security Program: The 6 Fundamentals

1. Risk Management
• Identify your organization's most critical assets (data, systems, people).
• Determine the most likely and impactful threats to those assets.
• Implement controls to mitigate those risks. Use a simple risk matrix (High/Medium/Low) and document everything in a risk register.
2. Asset Management
• Maintain a complete and up-to-date inventory of all hardware, software, and data.
• Classify assets based on their sensitivity and importance.
• This is not optional. You cannot secure what you do not know you have.
3. Identity and Access Management (IAM)
• Implement the principle of least privilege: Grant users only the access they need.
• Enforce strong passwords and multi-factor authentication (MFA) for all critical systems.
• Regularly review and revoke access when it is no longer needed.
4. Vulnerability Management
• Establish a process for identifying, assessing, and remediating vulnerabilities.
• Regularly scan systems and applications for known vulnerabilities.
• Patch systems promptly, prioritizing critical and high-risk vulnerabilities.
5. Incident Response
• Develop a basic incident response plan.
• Focus on:
• Identification: How do you know something is wrong?
• Containment: How do you stop it from getting worse?
• Recovery: How do you get back to normal?
• Test the plan regularly.
6. Security Awareness
• Provide mandatory security awareness training to all employees.
• Focus on practical topics: The reality of phishing and social engineering, password security and why it's important, data handling and the consequences of mishandling it, and how to report incidents.
• Keep it short, relevant, and engaging.

Brutalist Security Tools

• Choose tools that are: Simple to use, reliable, well documented, and cost effecive.
• Prioritize open-source solutions where appropriate.
• Avoid complex, bloated, or vendor-locked solutions.

Brutalist Security Metrics

1. Track only the essential metrics:
• Time to detect and respond to incidents.
• Number of successful attacks.
• Vulnerability remediation rates.
• Percentage of employees completing security training.
2. Use these metrics to drive continuous improvement.

Once the program is underway and more mature, you switch to more advanced metrics.

To Close

By adhering to these principles and focusing on the fundamentals, organizations can establish a security program that is lean, effective, and resilient. This program will not only protect the organization's assets but also enable it to achieve its business objectives with confidence.