THE SECURITY BRUTALIST

Security Brutalism Risk Method

Security Brutalism cuts through the fluff to prioritize raw, transparent, and effective security. I believe this approach would be particularly valuable in the initial risk assessment and analysis of new processes, features, projects, and deployments (among other things). For a risk assessment method to work this way, we need a process that is intentionally blunt, fast, and brutally honest — revealing the true state of risk with minimal ceremony.

Here’s how I think you can operationalize this for rapid, on-the-go risk assessments. Again, this is not a new approach or concept; it's a practice we've used before and many still do. Yet, it appears this basic way of doing things has been lost in the shuffle, judging by current observations.

Security Brutalism Risk Method (SBRM)

Philosophy: Be blunt. Be fast. Be directionally correct. Make risk visible, even if it’s ugly.

Core Principles

  1. Visibility Over Polish: Expose raw risk data and decisions. Skip the beautified risk dashboards — favor red flags, quick-impact visuals, and unfiltered language.
  2. Speed Over Precision: 80% accurate in five minutes beats 95% in five days. Prioritize directionally correct insights over fine-tuned analysis.
  3. Context is King: Risk is meaningless without environment. Anchor every risk to business impact and velocity.
  4. Assumption Acknowledgment: Always document assumptions in plain language. Acknowledge known unknowns.
  5. Decide Now, Fine-Tune Later: Make a call with what you’ve got. Revisit if needed. Inaction is also a risk.

SBRM Process: 5 Steps, 15 Minutes Max

Step 1: Quick Trigger (2 min)

  1. Identify what triggered the risk check (incident, audit finding, new feature, etc.)
  2. Tag with a simple “Why now?”

Step 2: Brutalist Snapshot (3 min)

Quickly sketch the risk:

  1. Asset at Risk: What are we protecting?
  2. Threat Actor or Vector: Who or what could hurt us?
  3. Likelihood: Gut-level estimate (High / Medium / Low)
  4. Impact: Business-level consequence (“Reputational hit,” “Revenue freeze,” “Customer churn”)

Step 3: Risk Scorecard (3 min)

Populate a standard, single-slide view:

  1. Risk: A risky risk
  2. Likelihood: High
  3. Impact: Medium
  4. Speed to Damage: Hours
  5. Detection Today: Weak
  6. Controls in Place: Partial (list them)
  7. Brutal Truth: "Totally exposed. We got lucky last time."

Remember: Use blunt language. Be direct.

Step 4: Rapid Verdict (5 min)

Make a Now/Next/Later call, i.e. when to fix this:

Step 5: Share The Brief (2 min)

Send out a raw, internal message to the stakeholder:

“Risk Review: Exposed database in prod, no MFA, attackers already probing. Business impact high if breached. Fix needed now. Risk brutally assessed, scorecard attached.”

More Stuff To Do

You can also consider these (optional) additional elements to enhance your risk assessments:

Sample Use Case

Trigger: Marketing team pushes a last-minute promo with customer data exposed in a public S3 bucket.

SBRM Result:

  1. Risk: Data exfiltration via misconfigured bucket
  2. Likelihood: High
  3. Impact: High (reputation + regulatory)
  4. Speed to Damage: Immediate
  5. Detection: In Place
  6. Controls: None
  7. Brutal Truth: “Wide open to anyone with the URL. Unacceptable for customer data.”
  8. Verdict: Now
  9. Raw Message: “Exposed customer PII via promo S3 bucket. Fix by EOD. Audit all S3 now.”
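To make the five steps and the scorecard concrete, here is an added example (not code from the post or its author) that captures a snapshot as a small data structure, renders the single-slide scorecard, derives the Now/Next/Later verdict, and emits the raw stakeholder message. The post leaves the verdict to the assessor's judgement; the thresholds in `verdict()` are a hypothetical heuristic of my own, as are the ordering of the Speed-to-Damage buckets and the message wording. The sample input is constructed to mirror the S3 promo use case above.

```python
"""Minimal SBRM scorecard helper (hypothetical, not from the post): capture the
snapshot, render the single-slide view, make the Now/Next/Later call, write the brief."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Level(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Speed(Enum):
    # "Speed to Damage" buckets; the ordering weeks < days < hours < immediate is an assumption
    WEEKS = 1
    DAYS = 2
    HOURS = 3
    IMMEDIATE = 4


@dataclass
class Scorecard:
    trigger: str                 # Step 1: what kicked off the check
    why_now: str                 # Step 1: the "Why now?" tag
    asset: str                   # Step 2: what we are protecting
    threat: str                  # Step 2: who or what could hurt us
    risk: str                    # Step 3: one-line risk statement
    likelihood: Level
    impact: Level
    speed_to_damage: Speed
    detection: str               # blunt state of detection today, e.g. "Weak", "In Place"
    controls: List[str] = field(default_factory=list)
    brutal_truth: str = ""
    assumptions: List[str] = field(default_factory=list)  # Principle 4: write down known unknowns


def verdict(card: Scorecard) -> str:
    """Step 4: Now / Next / Later. The thresholds are a hypothetical heuristic
    (the post leaves the call to the assessor), biased toward being directionally right fast."""
    fast = card.speed_to_damage.value >= Speed.HOURS.value
    if card.likelihood is Level.HIGH and card.impact is Level.HIGH:
        return "Now"
    if card.impact is Level.HIGH and fast:
        return "Now"
    if Level.HIGH in (card.likelihood, card.impact) or card.speed_to_damage is Speed.IMMEDIATE:
        return "Next"
    return "Later"


def render_scorecard(card: Scorecard) -> str:
    """Step 3: the single-slide view as plain text, numbered like the post's list."""
    controls = ", ".join(card.controls) if card.controls else "None"
    lines = [
        f"1. Risk: {card.risk}",
        f"2. Likelihood: {card.likelihood.name.title()}",
        f"3. Impact: {card.impact.name.title()}",
        f"4. Speed to Damage: {card.speed_to_damage.name.title()}",
        f"5. Detection Today: {card.detection}",
        f"6. Controls in Place: {controls}",
        f'7. Brutal Truth: "{card.brutal_truth}"',
        f"8. Verdict: {verdict(card)}",
    ]
    if card.assumptions:
        lines.append("Assumptions: " + "; ".join(card.assumptions))
    return "\n".join(lines)


def raw_message(card: Scorecard) -> str:
    """Step 5: the blunt internal brief. Wording is an assumption modelled on the post's samples."""
    when = {"Now": "Fix needed now.", "Next": "Fix in the next cycle.", "Later": "Track; fix later."}
    return (f"Risk Review: {card.risk}. {card.brutal_truth} "
            f"Business impact {card.impact.name.lower()}. {when[verdict(card)]} "
            f"Risk brutally assessed, scorecard attached.")


def sample_card() -> Scorecard:
    """Constructed input mirroring the post's S3 promo use case."""
    return Scorecard(
        trigger="Last-minute marketing promo",
        why_now="Customer data sitting in a public S3 bucket",
        asset="Customer PII in the promo bucket",
        threat="Anyone on the internet with the bucket URL",
        risk="Data exfiltration via misconfigured bucket",
        likelihood=Level.HIGH,
        impact=Level.HIGH,
        speed_to_damage=Speed.IMMEDIATE,
        detection="In Place",
        controls=[],
        brutal_truth="Wide open to anyone with the URL. Unacceptable for customer data.",
        assumptions=["Bucket listing is public, not just individual objects"],
    )


if __name__ == "__main__":
    card = sample_card()
    print(render_scorecard(card))
    print()
    print(raw_message(card))
```

Running it prints the eight-line scorecard followed by the brief; for the S3 case the verdict comes out as "Now", matching the post. The point of keeping `verdict()` as a tiny, readable function is Principle 1: whoever disagrees with the call can see exactly which threshold produced it and argue with that, rather than with a dashboard.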