A Brutalist Approach to Security Teams
A brutalist approach to managing security teams prioritizes clear roles, responsibilities, and transparent performance metrics above all else. It is functional, direct, and focused on tangible outcomes.
Leadership and the Team
The right choices, the right direction: Select the right person for the right job in the team, and let that person go and work on the problems.
Ownership and mistakes: Each person owns his or her world. If there is a problem and that person thinks it's someone else's fault, consider the person not suitable for the team.
Information flow: Everyone, including and especially the leader, must provide transparency at all times. Keep the team informed at all times.
When in doubt ask: Do not suffer alone. We are a team. We are here to help each other. Ask for help.
Structure and Roles
Clearly defined, minimal roles: Avoid overly specialized or ambiguous job titles. Roles should be broad but with sharply defined areas of responsibility and accountability. Think "Security Engineer (Detection & Response)" rather than "Senior Threat Intelligence Analyst, specializing in Eastern European APT groups with a focus on supply chain attacks."
Flat hierarchy: Minimize layers of management. Information flows directly, and decision-making is as close to the work as possible. This fosters ownership and reduces communication overhead.
Direct reporting lines: Each team member reports to a single lead, ensuring clear lines of authority and responsibility.
Communication and Transparency
Direct and unfiltered communication: Information is shared openly and honestly, without sugarcoating or unnecessary jargon. Status updates are factual and outcome-oriented. Communication happens daily and weekly as needed.
Regular and no-frills meetings: Meetings are focused, have clear agendas, and are kept to the minimum number necessary. The emphasis is on action items and progress tracking. Transparency is key.
Performance Management
Objective evaluation: Performance is judged primarily on measurable contributions to security outcomes, based on publicly visible metrics. Subjective assessments are minimized. Rate managers by how well they enable other people to achieve things successfully, and rate ICs by how well they think on their feet, recover from failure, and ultimately deliver the thing.
Clear expectations and consequences: Performance expectations are clearly defined, and the consequences of not meeting them are transparent and consistently applied. This includes both rewards for high performance and corrective actions for underperformance.
Focus on skill development for functionality: Training and development are geared towards acquiring practical skills directly relevant to team responsibilities and improving measurable outcomes. Fluff or trendy but non-essential training is avoided. No CISSP.
Tooling and Processes
Essential tools only: The team utilizes a minimal set of robust and well-understood tools that directly support their core functions. The adoption of "shiny new objects" without clear justification is discouraged.
Standardized, documented processes: Core security processes (incident response, vulnerability management, etc.) are clearly documented, consistently followed, and regularly reviewed for effectiveness. Complexity is minimized.
Automation for efficiency: Repetitive and manual tasks are automated wherever possible to free up human resources for more critical thinking and complex problem-solving.
Culture
Emphasis on ownership and accountability: Individuals are expected to take ownership of their responsibilities and are held accountable for their results.
Results oriented: The focus is squarely on achieving security goals and improving relevant metrics. Effort without tangible results is less valued than effective execution.
No "rockstar" mentality: While individual contributions are recognized, the emphasis is on the team's collective performance and the reliability of core processes. Individual performance is expected; how well you work with the team is what really matters.
In Short
A brutalist approach to managing security teams strips away the unnecessary layers of bureaucracy, subjective evaluations, and trendy but ineffective practices. It focuses on clarity, functionality, accountability, and measurable results, treating the security team as a critical operational unit with clear objectives.