What Is Security Brutalism?
Haruto Y. asked: How would you explain what security brutalism is to leadership that is not very technical, and how would you go about looking at your company to see if this method would fit?
Great questions! I’ll do my best to keep the response simple and direct; otherwise, I might end up writing something overly long and verbose.
Security Brutalism: Direct, Uncompromising Security
Security Brutalism is about taking a direct, uncompromising, and function-first approach to security. It emphasizes raw functionality, minimalism, and durability:
- Functionality: Prioritizing core, practical security features that directly address threats, avoiding unnecessary complexity. Every component should have a clear, critical purpose.
- Minimalism: Designing lean, efficient security systems using the fewest resources and the least complexity needed for robust protection. This means removing non-essential features to improve maintainability and reduce potential vulnerabilities.
- Durability: Building resilient security measures designed to withstand continuous and evolving threats through redundancies, fail-safes, and hardened defenses. The focus is on long-term resilience over short-term convenience.
In today's security landscape, maturity often equates to complexity: more controls, dashboards, and layers. However, complexity doesn't inherently increase security; it often just slows things down. Security Brutalism is the discipline of ruthless simplicity, asking:
- What’s essential?
- What’s redundant?
- What can we remove to make protection stronger?
It's about clarity, speed, and resilience, not just minimalist aesthetics. It's a return to security fundamentals to build stronger, more resilient solutions with fewer rules, default-deny access, an automation-first mindset, clear risk ownership, and understandable controls.
Think of security built like a fortress, not a funhouse.
Signs Your Security Program Might Be Too Complex
Security complexity often creeps in unnoticed, eventually hindering the very protections it's meant to provide. Security Brutalism isn't about doing less, but about focusing on what truly matters.
Here are five signs your security program could benefit from a Brutalist rethink. There are more signs, of course, but these are the ones I’ve seen most frequently, especially in organizations that weren’t originally built with growth in mind.
- You need a wiki to explain your ticketing system.
- Every exception creates a new custom policy.
- Users bypass controls “just to get work done.”
- You run tools no one configures, or understands.
- Risk discussions spiral into compliance checklists.
Again, the idea with Security Brutalism is to:
- Streamline.
- Automate.
- Prioritize risk over regulation.
Remember: Simplicity scales. Complexity collapses.
Applying Brutalist Thinking to Controls
Brutalist Security doesn't mean abandoning controls, but implementing clear, enforceable ones that don't require extensive interpretation. Here's how to apply this thinking:
Access Management
Bad: 12 different entitlement levels and quarterly review spreadsheets.
Brutalist: Role-based access + auto-expiry + alert on elevation.
Data Protection
Bad: Multiple overlapping DLP rules that no one tunes.
Brutalist: One rule (sensitive data must stay in approved systems) with automated block + alert.
Network Segmentation
Bad: VLAN spaghetti.
Brutalist: Default-deny between trust zones, with clearly defined paths.
If a control isn't enforceable, understandable, or measurable, it's likely unnecessary. Strip it down and make it effective.
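As an added example (not code from the original post or any product it describes), here is a small Python model of the access-management and network-segmentation controls described above: role-based grants that expire automatically, an alert emitted whenever an elevated role is granted, and a default-deny zone-to-zone path check where only explicitly listed paths pass. The role names, permissions, zones, ports and time-to-live values are constructed for illustration.

```python
"""Minimal 'brutalist' access and segmentation model (added example).

Two controls, each enforced at evaluation time rather than by a periodic
review:
  1. Role-based access + auto-expiry + alert on elevation.
  2. Default-deny between trust zones with explicitly listed paths.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: role -> permissions it confers.
ROLES = {
    "viewer": {"read"},
    "engineer": {"read", "deploy"},
    "admin": {"read", "deploy", "manage_users"},
}
# Roles whose grant is an "elevation" and must raise an alert (constructed).
ELEVATED_ROLES = {"admin"}


@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime


@dataclass
class AccessModel:
    grants: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def grant(self, user: str, role: str, ttl: timedelta, now: datetime) -> Grant:
        """Issue a time-limited grant; every grant carries an expiry."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        g = Grant(user, role, now + ttl)
        self.grants.append(g)
        if role in ELEVATED_ROLES:
            # Alert on elevation: the event itself is the signal, no review needed.
            self.alerts.append(
                f"ELEVATION user={user} role={role} until={g.expires_at.isoformat()}"
            )
        return g

    def permissions(self, user: str, now: datetime) -> set:
        """Expired grants confer nothing; expiry is enforced on every check."""
        perms = set()
        for g in self.grants:
            if g.user == user and g.expires_at > now:
                perms |= ROLES[g.role]
        return perms

    def allowed(self, user: str, action: str, now: datetime) -> bool:
        """Default deny: only an unexpired grant carrying the action allows it."""
        return action in self.permissions(user, now)

    def prune(self, now: datetime) -> int:
        """Drop expired grants; returns how many were removed."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return before - len(self.grants)


# Constructed segmentation policy: the only (src_zone, dst_zone, port) paths allowed.
ALLOWED_PATHS = {
    ("dmz", "app", 443),
    ("app", "db", 5432),
}


def path_allowed(src_zone: str, dst_zone: str, port: int) -> bool:
    """Default-deny between zones: a path passes only if explicitly listed."""
    return (src_zone, dst_zone, port) in ALLOWED_PATHS


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    model = AccessModel()
    model.grant("alice", "engineer", timedelta(hours=8), t0)
    model.grant("bob", "admin", timedelta(hours=1), t0)
    print("alice deploy now:", model.allowed("alice", "deploy", t0))
    print("alice deploy +9h:", model.allowed("alice", "deploy", t0 + timedelta(hours=9)))
    print("alerts:", model.alerts)
    print("pruned:", model.prune(t0 + timedelta(hours=2)))
    print("app->db:5432:", path_allowed("app", "db", 5432))
    print("db->app:5432:", path_allowed("db", "app", 5432))
```

The point of the model is that nothing here needs a quarterly spreadsheet: a grant either is in force or has expired, an elevation either fired an alert or did not, and a zone-to-zone path either appears in the list or is denied.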
Brutalist Metrics: What You Should Actually Measure
Most security dashboards are bloated with vanity metrics. Brutalist security measures what matters: things tied to real risk reduction and system resilience.
Key Brutalist Metrics
- Percentage of controls automated
- Time to detect / time to contain
- Percentage of assets covered by baseline enforcement
- Number of exception paths (lower = better)
- Policy surface area (less = clearer enforcement)
Forget how many phishing emails were “reported.” Ask: How many made it through—and what was done?
The Executive Sell: Making the Case for Less
Security leaders often feel pressure to "do more": more tools, more policies, more coverage. But in high-performing organizations, clarity beats complexity.
Here’s one way to sell Brutalist Security to executives and boards:
"This control reduces risk and operational load."
"We’re removing steps that slow the business down."
"We’re focusing on measurable outcomes, not more processes."
Executives want answers, not noise. They'll ask:
- What’s our actual risk?
- Are we closing real gaps?
- Are we enabling or blocking the business?
Security Brutalism demonstrates discipline, not a lack of effort. It's not a step backward, but a move toward clarity, speed, and trust. And it provides clear and simple answers to those critical executive questions.