Brutalist Security Meets Team of Teams: Implementation Guide

This guide continues from Brutalist Security Meets Team of Teams: Introduction and covers organizational fit, implementation runbook, governance structure, and operational practices for integrating Security Brutalism with the Team of Teams methodology.

Who Should Use This Approach

This integrated methodology combining Security Brutalism with Team of Teams is particularly effective for organizations that exhibit specific characteristics, such as operational complexity, rapid growth, and a need for agility in the face of evolving security threats. However, this method is not universally applicable.

Ideal Organizational Characteristics

Complex and Distributed Environments

• Organizations with multiple product lines, business units, or geographically dispersed teams
• Benefit from the decentralized nature of Team of Teams and consistently applied security of Security Brutalism

Rapid Growth and Scaling

• The Team of Teams model is inherently scalable
• Embedding security responsibilities within each autonomous unit allows security to scale effectively alongside organizational growth

Agile and DevOps Culture

• Organizations embracing agile and DevOps practices can integrate Security Brutalism principles into existing workflows
• Enables effective DevSecOps through empowered teams and automated security controls

High-Value Assets and Significant Security Risks

• Companies dealing with sensitive data, critical infrastructure, or facing high threat landscapes
• The robust and uncompromising nature of Security Brutalism provides significant value in mitigating risks

Strong Security Culture Desire

• Fosters shared responsibility for security across all teams
• Creates stronger overall security culture compared to centralized, siloed security approaches

Willingness to Embrace Foundational Security

• Organizations that understand long-term benefits of strong, sometimes initially less user-friendly, security controls
• More receptive to the Security Brutalism philosophy

Commitment to Collaboration and Communication

• Team of Teams model thrives on effective communication and collaboration
• Crucial for successful implementation of distributed security approach

Organizations Facing Specific Challenges

Inconsistent Security Practices Across Teams

• Helps establish baseline of strong security across varying levels of security maturity

Slow Security Response Times

• Empowered teams with security ownership react more quickly to threats and vulnerabilities within their domains

Security Bottlenecks

• Distributing security responsibilities alleviates centralized bottlenecks and allows for more parallel security efforts

Difficulty Scaling Security Efforts

• Embedding security within each team provides more scalable solution as organization grows

Lack of Security Ownership by Development Teams

• Encourages development teams to take greater ownership of security in their products and services

Organizations That Might Find This Less Ideal

Small, Highly Centralized Organizations

• Overhead of establishing security champions and formal guilds might outweigh benefits
• More direct security approach might be sufficient

Organizations with Very Low Threat Profile

• If operating with minimal security risks and non-sensitive data, Security Brutalism rigor might be perceived as excessive

Highly Regulated and Compliance-Driven Environments (Without Flexibility)

• Extremely rigid, top-down compliance requirements might find decentralized Team of Teams challenging without careful planning

Organizations with Strong Resistance to Change or Collaboration

• Requires willingness to adapt and collaborate for both Security Brutalism and Team of Teams structural shifts

Implementation Runbook

This runbook outlines key phases, activities, and considerations for implementing Security Brutalism within a Team of Teams framework.

Goal: Establish robust and uncompromising security posture by integrating foundational security principles into decentralized and collaborative Team of Teams organizational structure.

Target Audience: Security Leadership, Engineering Leadership, Team Leaders, Security Champions

Phase 1: Vision and Strategy Definition

Clearly Articulate Security Brutalism

• Mandatory multi-factor authentication for all access
• Strict least-privilege access controls enforced at all levels
• Automated and frequent vulnerability scanning
• Immutable infrastructure principles where applicable
• Clear and non-negotiable security baselines for all systems

Align with Organizational Goals

• Ensure Security Brutalism approach supports overall business objectives
• Doesn't unduly hinder innovation or agility
• Identify key risk areas this approach aims to mitigate

Define Scope and Phased Rollout

• Determine initial scope of implementation (specific product lines, infrastructure components)
• Plan phased rollout to allow for learning and adjustments
• Identify key stakeholders

Establish Success Metrics

• Define measurable metrics to track progress and effectiveness
• Adoption rates of security controls
• Reduction in vulnerabilities
• Incident response times

Phase 2: Organizational Structure and Roles

Identify Security Champions

• Nominate or recruit individuals within each team to serve as security champions
• Primary point of contact for security matters within their teams

Establish Security Guilds/Communities of Practice

• Create forums for security champions and specialists to collaborate
• Share knowledge and contribute to definition and enforcement of security standards

Define Central Security Architecture Team Role

• Clearly define responsibilities of central security team
• Setting overall security framework
• Providing guidance and specialized expertise

Define Team-Level Security Responsibilities

• Outline specific security responsibilities of each autonomous team
• Implementing controls, participating in security reviews, responding to vulnerabilities in their domain

Establish Communication Channels

• Define clear communication pathways for security-related information flow
• Between teams, security champions, and central security team

Phase 3: Defining "Brutalist" Security Standards and Tooling

Develop Core Security Standards

• Translate security brutalism principles into concrete, actionable security standards
• Password complexity requirements, encryption standards, logging and monitoring policies

Select and Implement Foundational Security Tools

• Identify and deploy essential security tools aligning with brutalist principles
• Vulnerability scanners, static and dynamic code analysis tools, IAM systems, SIEM systems
• Prioritize tools that can be automated and integrated into team workflows

Create Security Baselines and Templates

• Develop secure configuration baselines for operating systems, applications, infrastructure components
• Provide templates and guidelines to teams for consistent implementation

Automate Security Controls

• Use infrastructure-as-code to enforce secure configurations
• Automated code scanning in CI/CD pipelines

Phase 4: Team Enablement and Training

Security Awareness Training

• Comprehensive security awareness training for all team members
• Emphasize importance of brutalist security principles and individual responsibilities

Security Champion Training

• Specialized training for security champions
• Equip with knowledge and skills to effectively advocate for and implement security within teams

Tooling and Process Training

• Hands-on training on security tools and processes teams will use

Knowledge Sharing and Documentation

• Create easily accessible documentation and knowledge bases
• Security standards, tools, and best practices
• Encourage security guilds to contribute to documentation

Phase 5: Implementation and Integration

Pilot Program

• Select few pilot teams to implement Security Brutalism approach and provide feedback

Integrate Security into Development and Operations Workflows

• Embed security checks and controls into existing development pipelines (DevSecOps)
• Ensure security considerations are standard part of planning, design, and deployment

Phased Rollout to Other Teams

• Based on pilot program learnings, gradually roll out implementation to other teams

Continuous Monitoring and Feedback

• Establish mechanisms for continuous monitoring of security control implementation
• Gather feedback from teams on effectiveness and usability of standards and tools

Phase 6: Governance and Enforcement

Establish Security Policies

• Formalize Brutalist Security standards into clear and enforceable security policies

Define Compliance Monitoring Processes

• Implement processes to monitor adherence to security policies and standards across all teams

Establish Non-Compliance Procedures

• Define clear procedures for addressing and remediating instances of non-compliance

Regular Security Audits

• Conduct periodic security audits to assess effectiveness of implemented controls
• Identify areas for improvement

Phase 7: Continuous Improvement

Regular Review of Security Standards

• Periodically review and update brutalist security standards based on evolving threats, new technologies, and team feedback

Lessons Learned Sessions

• Conduct regular sessions after security incidents or significant security initiatives
• Identify areas for improvement in implementation

Adapt and Iterate

• Be prepared to adapt approach and make adjustments based on experience and

Brutalist Security Council

A Brutalist Security Council serves as the central governing body and driving force behind the Security Brutalism approach within the Team of Teams environment.

Structure and Membership

Composition

• Security Leadership: CISO or designated senior security leader chairs the council
• Security Architecture Team Representatives: Members responsible for defining overall security framework and standards
• Lead Security Champions: Representatives from different product lines, business units, or significant teams
• Engineering and IT Leadership Representatives: Ensure alignment with development practices and address friction points
• Risk/Compliance Representative: Ensure approach meets regulatory and internal policy requirements

Size: 5-8 members (large enough for diverse representation, small enough for effective decision-making)

Tenure: Rotate terms to ensure continuity and fresh perspectives

Responsibilities and Functions

Championing the Security Brutalism Vision

• Socialize principles across organization
• Ensure everyone understands rationale and benefits

Defining and Refining Security Standards

• Based on evolving threats, lessons learned, and input from security guilds
• Ultimate authority for defining and updating core Brutalist Security standards

Ensuring Consistency and Alignment

• Consistent application of security standards across all autonomous teams
• Address deviations or inconsistencies

Facilitating Knowledge Sharing

• Central hub for sharing best practices and successful implementation strategies
• Facilitate cross-team communication and collaboration on security matters

Reviewing and Approving Security Tooling

• Evaluate and approve foundational security tools and technologies
• Ensure alignment with Brutalist Security philosophy

Addressing Cross-Cutting Security Concerns

• Tackle security issues spanning multiple teams or requiring organization-wide attention

Driving Continuous Improvement

• Regularly review security metrics and KPIs
• Analyze security incident reports and post-mortems
• Solicit feedback from teams on practicality and effectiveness
• Sponsor pilot programs for new security approaches
• Oversee development and dissemination of updated guidelines and training

Mediating Conflicts and Addressing Roadblocks

• Serve as escalation point for conflicts or roadblocks related to Security Brutalism implementation

Reporting to Leadership

• Regular reports on security state, progress, challenges, and risks to executive leadership

Operational Mechanisms

Regular Meetings: Monthly or bi-monthly with structured agenda and detailed minutes.

Feedback Loops: Clear feedback mechanisms with security and technology teams.

Decision-Making Process: Defined process (consensus-based or majority vote) for efficient progress.

Transparency: Council activities, decisions, and updated standards communicated clearly organization-wide.

Security Brutalist Sync

Adapting McChrystal's daily sync concept for Security Brutalism requires a focused, efficient approach—shorter and more targeted than the original 90-minute daily updates.

Participants

• Representatives from Central Security Architecture Team
• Lead Security Champions from each major product line, business unit, or team cluster
• Representatives from key operational teams (Incident Response, SOC, Threat Intelligence)
• Rotating members based on specific incidents or topics

Format

Structure: Brief virtual meeting with strict time limit (15-30 minutes).

Focus: Concise and action-oriented, mirroring McChrystal's effectiveness principles.

Key Information Sharing Categories

Significant Security Incidents

• Brief overviews of ongoing or recently resolved security incidents
• Impact assessment and key learnings

Emerging Threats and Vulnerabilities

• Updates on newly identified threats and critical vulnerabilities
• Especially those relevant to organization's technology stack
• Recommended immediate actions

Changes to Security Standards or Policies

• Announcements of updates or changes to brutalist security standards or policies
• Cross-Team Dependencies or Blocking Issues
• Security-related dependencies or roadblocks affecting multiple teams

Key Security Metrics and Trends

• High-level summaries of relevant security metrics
• Vulnerability remediation progress, incident volume trends

Success Stories and Learnings

• Sharing successful security implementations or valuable lessons learned by different teams

Upcoming Security Initiatives or Events

• Planned security initiatives, training sessions, or audits

Frequency Options

Daily (Similar to McChrystal)

• Pros: Most up-to-date information shared rapidly, quick identification of emerging threats, reinforces strong security focus
• Cons: Time-consuming, potential meeting fatigue if not impactful, may be overkill with no significant updates
• Best For: High-threat environments or organizations undergoing significant infrastructure/security changes

Every Other Day (Monday, Wednesday, Friday)

• Pros: Balances timely updates with time commitment, allows relatively frequent information sharing
• Cons: Slight delay in disseminating critical information compared to daily sync
• Best For: Moderate threat landscape with steady pace of change

Twice Weekly (Monday and Thursday)

• Pros: Less time commitment, still provides regular touchpoints
• Cons: Information becomes less timely, potentially delaying responses to rapidly evolving threats
• Best For: Lower threat landscape or more stable environments

Recommendation: Start with every other day (Monday, Wednesday, Friday) for balance between timely updates and minimizing meeting fatigue. Adjust frequency based on volume and criticality of security information.

Key Success Factors

Strict Time Management: Adhere to agreed-upon time limit for efficiency.

Focused Agenda: Keep tightly focused on critical security updates.

Action-Oriented Discussion: Emphasize what needs to be done with shared information.

Clear Communication Channels: Ensure representatives have effective channels to cascade information to teams.

Regular Review of Effectiveness: Periodically assess value and efficiency, make adjustments as needed.

Key Considerations for Overall Success

Leadership Buy-in: Strong executive leadership support is crucial for initiative success.

Clear Communication: Transparent and consistent communication ensures all teams understand goals and expectations.

Empowerment and Trust: While approach is brutalist in foundational principles, empowering teams to own security within boundaries is vital.

Balance with Agility: Integrate security seamlessly into team workflows without creating undue friction—automation is key.

Focus on Education and Collaboration: Emphasize education and collaboration over strict enforcement to foster strong security culture.

Organizational Adaptation: Tailor specific activities and timelines to your organization's unique context and needs—iterate and adapt as you progress.

Conclusion

The integrated Security Brutalism and Team of Teams approach is especially effective for large, scaling, and complex organizations that prioritize agility and face heightened security challenges. These organizations understand the importance of building resilient and transparent security foundations while maintaining speed, innovation, and team autonomy.

Success requires careful planning, clear communication, and strong emphasis on collaboration to overcome potential challenges of maintaining consistency, coordination complexity, and avoiding silos. When implemented thoughtfully, this approach creates a robust security posture that can scale with organizational growth while maintaining the agility needed in today's dynamic threat landscape.