Rethinking Security
As security practitioners, we face an uphill challenge. It is not just the work of defending our organization, customers, and data; we often struggle to effectively implement the strategies, processes and controls that are supposed to do the defending. Let’s face it, there’s at least some level of security theater at most companies, and it’s incredibly difficult to successfully implement a world-class security program.
This is why I’m making this post. My good friend Uri has authored his thoughts on Security Brutalism and on getting away from the buzzwords, marketing fluff, and vendor ‘solutions’ that create new problems rather than address the root cause of the issues.
Security Brutalism presents a provocative approach to cybersecurity, emphasizing a return to fundamentals and a focus on resilience over compliance. This forward-thinking and, to some, possibly controversial approach can help CISOs and organizations focus on what matters most. For a different lens on this topic, check out the article I wrote earlier today with my take on it.
Key Points of the Security Brutalism Approach
Security as Warfare: The approach frames cybersecurity as an ongoing battle against adversaries, necessitating a mindset akin to warfare rather than bureaucratic compliance.
Doctrine Over Decoration: It advocates for a principle-driven security strategy, discarding superfluous controls that don’t directly reduce risk or enhance response capabilities.
Lean and Agile Teams: Emphasizes small, empowered teams capable of rapid response, drawing parallels to special operations units. If you haven’t read it already, Stanley McChrystal’s Team of Teams is a fantastic read for all leaders regardless of their industry.
Acceptance of Imperfection: Recognizes the inevitability of breaches and focuses on building systems that can withstand and quickly recover from attacks. In this day and age, the tired saying “it’s not if, but when you get breached” holds true. Becoming resilient not just to attacks but also to successful breaches lets you recover to normal operations faster.
Pros and Cons of the Security Brutalism Approach
Pros
Enhanced Focus: By eliminating unnecessary controls, organizations can concentrate on measures that directly impact security posture. This cuts down on unnecessary initiatives that are often resource-intensive both within security and cross-functionally.
Improved Agility: Small, empowered teams can respond more swiftly to threats, reducing potential damage.
Cultural Shift: Promotes a proactive security culture that prioritizes real-world effectiveness over procedural compliance.
Cost Efficiency: Potentially reduces expenditures on redundant tools and processes.
Cons
Regulatory Risks: Discarding certain controls may lead to non-compliance with industry regulations and standards.
Potential for Oversight: In the drive to simplify, critical security measures might be inadvertently removed.
Cultural Resistance: Shifting to a Brutalist approach may face pushback from stakeholders accustomed to traditional methods. Additionally, within the security organization itself, security professionals may not be ready to adopt this mindset and may find it difficult to operate without the old security constructs (the “crutches”) they used to rely on.
Scalability Concerns: The effectiveness of small, agile teams may diminish in larger, more complex organizations, and scaling the model will require common-sense adoption.
Security Brutalism’s emphasis on agility, empowerment, and direct action aligns well with the need for rapid response and adaptability. By focusing on essential controls and fostering a culture of resilience, organizations can better withstand and recover from attacks, ultimately enhancing their security posture. However, the approach’s aggressive stance may not be suitable for all organizational cultures, potentially leading to internal friction and implementation challenges.
Adopting a Pragmatic Approach to Culture Change in Security Organizations
A balanced strategy that integrates the strengths of Security Brutalism with the necessities of traditional frameworks can lead to effective cultural transformation.
To be successful, ensure you have secured commitment from top management to drive the cultural shift. Implement in phases, piloting the brutalist approach in select areas to assess effectiveness before a broader rollout. Investing in staff is incredibly important: provide training programs that equip teams with the skills and the authority to make swift decisions.
Once the pilot is in place, regularly assess the impact of the changes and adjust strategies accordingly. Lastly, ensure that the streamlined approach still meets any necessary regulatory requirements.
By thoughtfully integrating the principles of Security Brutalism with established security practices, organizations can foster a culture that is both resilient and compliant, capable of navigating the complex landscape of modern cybersecurity threats.