THE SECURITY BRUTALIST

Brutalist Security Meets Team of Teams: Introduction

The power of Security Brutalism, as we've seen, comes from its strict adherence to core security principles to create a solid foundation. This approach doesn't rely on flashy features, but on the essentials that form the backbone of modern security. Fundamental practices, such as properly configured and hardened systems, regular patching, enforced multi-factor authentication, and a zero trust model, serve as the concrete barriers that make common exploits and opportunistic attacks far more difficult to carry out.

A Brutalist Security program is difficult to implement effectively without the right culture, one that fosters adaptability, collaboration, and continuous learning. This is where Gen. McChrystal's Team of Teams approach becomes essential. Instead of a rigid hierarchy, smaller, empowered units focus on specific security functions (threat intelligence, incident response, vulnerability management, security awareness) while staying connected to each other. These security teams aren't isolated; they link to other parts of the business, technical or otherwise, through shared consciousness and a common purpose, much like the interconnected cells in an organism.

Gen. McChrystal's model focuses on information sharing and collective awareness. Applied to security, this means all teams, including leadership, IT, and technical teams, regularly share findings, threats, and vulnerabilities, building a shared understanding that allows quicker detection and coordinated response. When threat intel spots a new tactic, vulnerability management can scan for exposures, incident response can prepare playbooks, and IT can rapidly deploy fixes or adjust controls, all at once. This distributed, real-time collaboration leads to faster, more effective defense.

Combining a brutalist approach to security with a Team of Teams model builds better redundancy and resilience. If one part of the team of teams is compromised or overwhelmed, the others can step in and provide support, so the overall security posture becomes more resilient to disruptions through a network of interconnected capabilities rather than a single point of failure. The constant feedback loops and collaboration within the team of teams also foster continuous improvement and security awareness, since lessons learned from incidents or threat intelligence get disseminated quickly and used to strengthen both the fundamental controls and the teams' processes. The program stays constantly reinforced and adapted based on real-world threats, as we will see in the following posts.

One of the key elements of this method, if done in a transparent and open way, is organizational buy-in. When security becomes integrated into the fabric of the entire organization, rather than the responsibility of a siloed security department, as the Team of Teams concept encourages, it achieves broader buy-in and participation. Developers writing secure code, HR conducting security awareness training, and IT operations following secure configurations all become integral parts of the overall security posture, turning the entire organization into a layer of defense that reinforces the core security fundamentals.

Security Brutalism and a Team of Teams model complement each other to create a stronger and more resilient security foundation. Security takes precedence over convenience or aesthetics, favoring clear, effective controls delivered through lean, empowered teams that prioritize action over bureaucracy. Just as Security Brutalism builds security in distinct, robust layers, the Team of Teams approach spreads these responsibilities across autonomous, specialized teams, each managing a different aspect of the security stack. Security Brutalism is rooted in proven fundamentals (hardening, patching, MFA, zero trust), and the Team of Teams model ensures these foundations evolve through continuous feedback, shared learning, and rapid adaptation. Brutalist security demands discipline and precision, and Team of Teams supports this with a shared understanding across all groups (threat intel, incident response, IT, engineering), so everyone operates with context and clarity. Security incidents often require speed, and Team of Teams enables quick, decentralized decision-making, empowering each security function to act immediately within its domain without waiting for top-down directives. Just as brutalist structures are built to withstand external pressure, this combined approach creates a resilient organization, structurally secure yet agile enough to respond to evolving threats.

Implementing a Security Brutalism philosophy within a Team of Teams structure

There's no one-size-fits-all way to implement this. It must be adapted to fit the unique culture and environment of each organization. That said, here are some potential ways it might take shape.

Each autonomous team within the Team of Teams structure could take responsibility for implementing and maintaining a baseline of brutalist security controls relevant to its specific domain, including mandatory secure coding practices, strict access controls for its systems, and rigorous testing protocols. To ensure consistency and the sharing of security knowledge, security professionals embedded within different teams could form guilds or communities of practice, responsible for defining and enforcing Brutalist Security standards across the organization. A smaller, central security team could act as the architects of the overall brutalist security framework, defining the foundational security principles, selecting core security technologies, and providing guidance and tooling to the individual teams.

Individuals with a strong security focus could act as liaisons between different teams, making sure security considerations get integrated into their workflows and that information about threats and vulnerabilities flows effectively. To minimize friction and ensure consistent application of Brutalist Security measures, automation would likely play a heavy role, through automated code scanning, infrastructure-as-code with built-in security configurations, and automated compliance checks. The underlying infrastructure and tooling provided to the teams should have strong security defaults baked in, reflecting the brutalist philosophy, through secure operating system configurations, network segmentation, and robust authentication mechanisms that individual teams find difficult to weaken. And security feedback provided to teams should stay direct and unambiguous, highlighting vulnerabilities and non-compliance without sugarcoating, aligning with the uncompromising aspect of Security Brutalism.

Potential Benefits

The layered and uncompromising nature of Security Brutalism, combined with the distributed ownership of a Team of Teams model, could lead to a more resilient and robust security posture. Empowered teams can react more quickly to security incidents within their domain, and embedding security responsibilities within each team can foster a stronger security culture across the organization. Since the Team of Teams model is inherently scalable, a distributed security approach can scale with it.

Potential Challenges

Ensuring consistent application of Brutalist Security standards across a large number of autonomous teams can be challenging, and the uncompromising nature of Security Brutalism might create friction with development teams focused on speed and agility. Coordinating security efforts across a decentralized network of teams requires effective communication and clear responsibilities, and there's a risk of security knowledge becoming siloed within individual teams if communication and collaboration aren't actively fostered. We will see in the next posts how to solve both problems.

In Short

Implementing a Security Brutalism approach within a Team of Teams structure could be a powerful way to build a strong and resilient security foundation while leveraging the agility and scalability of empowered, autonomous teams. Careful planning, clear communication, and a strong emphasis on collaboration remain essential to overcome the potential challenges.