The Security Theater We Built
Walk into any enterprise security operations center and you'll see the same thing: walls of dashboards, threat feeds streaming in real-time, SIEM systems ingesting gigabytes of logs per second, endpoint detection agents on every machine, network intrusion prevention at every hop.
It's impressive. It's expensive. And most of it is fighting the wrong battle.
We've built an entire industry around adding more—more monitoring, more agents, more rules, more alerts. The implicit assumption: complexity is inevitable, so we need equally complex defenses.
But after 20 years in cybersecurity, I've learned the opposite lesson: the most secure systems I've ever seen were the simplest ones.
The Complexity Tax
Every line of code is a liability. Every dependency is an attack surface. Every integration point is a potential breach vector.
At Link11, we protect infrastructure that handles millions of requests per second. When an attack hits, we don't have time to debug a tangled web of microservices or trace through fifteen layers of abstraction. We need systems that are legible—where you can understand the entire flow in your head.
The Log4j vulnerability wasn't just a bug. It was a symptom of dependency hell: a logging library, used everywhere, with features nobody asked for (remote code execution via JNDI lookups), creating a global supply chain crisis.
How many organizations even knew they were running Log4j? How many are still running it today, patched but bloated, because ripping it out means rewriting half the stack?
This is the complexity tax: the more you have, the more you have to defend. And defense doesn't scale linearly—it scales combinatorially.
What "Clean" Actually Means
Clean isn't about aesthetics. It's about minimizing surface area.
- Fewer dependencies: If you can do it in the standard library, don't pull in a package. Every npm install is a trust decision.
- Smaller deployments: A 50MB Go binary beats a 2GB Docker image with 400 system packages. Less to patch, less to audit, less to attack.
- Boring technology: Postgres over MongoDB. Nginx over Envoy. The mature, battle-tested tool wins when uptime matters more than hype.
- No phantom code: Dead feature flags, unused APIs, legacy endpoints "just in case"—they're not harmless. They're forgotten doors that attackers will find.
At Link11, we routinely delete code. Not refactor—delete. If a feature hasn't been touched in two years and has no active users, it's gone. Every line removed is one less thing to go wrong at 3am.
The Security Paradox of Tooling
Here's the uncomfortable truth: security tools are themselves attack vectors.
Your SIEM agent runs with elevated privileges. Your endpoint protection software has kernel-level access. Your WAF sits in front of every request, parsing untrusted input.
When SolarWinds was compromised, the attackers didn't just breach one company—they breached the security vendor that thousands of companies trusted. The tool meant to protect became the weapon.
This isn't an argument against tooling. It's an argument for ruthless minimalism. Every tool you add must justify its existence:
- What specific threat does it mitigate?
- Can we achieve 80% of the value with a simpler alternative?
- If this tool gets compromised, what's the blast radius?
Most organizations fail the third question. They install vendor software without considering the supply chain risk they've just inherited.
Clean Infrastructure in Practice
So what does a "clean" security architecture actually look like?
1. Immutable infrastructure: Servers are cattle, not pets. Every deploy is a fresh image. No SSH access, no manual patches, no configuration drift. If something's wrong, you don't fix it—you replace it.
2. Zero standing privileges: No permanent admin keys. Every elevated action requires just-in-time access, audited and time-limited. Your credential database can't leak what it doesn't store.
3. Network segmentation by default: Microservices don't need to talk to each other just because they're in the same VPC. Default deny, explicit allow. If service A has never called service B in production, the firewall should block it.
4. Static binaries over dynamic runtimes: Go and Rust produce single-file executables with no runtime dependencies. Compare that to a Node.js app with 1,200 packages in node_modules. Which one can you audit? Which one can you trust?
5. Logging that matters: Most logs are noise. The signal-to-noise ratio in a typical SIEM is abysmal. Instead of "log everything and search later," we log decisions: authentication events, authorization failures, state changes. The rest is sampling.
Why This Is Hard
Simplicity is harder than complexity. It's easier to add than to subtract. It's easier to install a vendor product than to ask "do we really need this?"
And there's organizational inertia. Security teams are judged by coverage—how many threats are on the dashboard, how many agents are deployed. Simplicity looks like underinvestment.
But here's what I've learned: the best security teams are the ones that say no.
No to the shiny new EDR tool that promises AI-powered threat detection. No to the microservice rewrite that turns three services into thirty. No to the logging pipeline that ingests terabytes of data nobody will ever read.
Every "no" is a decision to reduce surface area. And in security, surface area is everything.
The Path Forward
If you're a CISO or an engineering leader, here's the exercise I recommend:
Audit your dependencies. Not just npm packages—everything. System libraries, third-party agents, SaaS integrations. For each one, ask:
- What would break if we removed this?
- Is there a simpler alternative?
- Who is responsible if this gets compromised?
Then start deleting. Not recklessly—strategically. The goal isn't zero dependencies (that's impossible). The goal is legible infrastructure: a system you can hold in your head, where every piece has a clear purpose and a known risk profile.
Because at the end of the day, security isn't about having the most advanced tools. It's about having the fewest ways to fail.
And that starts with clean.
Follow the journey
Subscribe to Lynk for daily insights on AI strategy, cybersecurity, and building in the age of AI.
Subscribe →