Trade the Comfort of Security Theater for True Security

COMMENTARY

With all the recent cyberattacks, data breaches, lawsuits, enforcement actions, and regulatory investigations, I am often surprised by the number of companies I see engaging in security practices that are more focused on a compelling marketing campaign than on mitigating business, financial, and legal risks. This is "security theater," a program that gives the illusion of security without meaningful defensive substance. It is meticulously crafted for C-suite executives and leaders who demand a feel-good performance at bargain-basement production costs, often led by a cast of actors more concerned with the audience than the substance.

Beware, though! Companies and the individuals working for them are being sued, fined, and issued consent decrees on cybersecurity and data protection practices despite their good security theater. Corporate lawsuits, regulatory investigations, and Senate demands for CEO accountability can and should drive actions to create robust security programs. Whether you are a CEO, CISO, general counsel, or just the highest-level security, risk, compliance, or legal resource within your organization (regardless of title), you should learn how to tell the difference between an effective security program and a performance of security theater.

Security Theater Is Only a Paper Moon

The cast of security theater includes standards-setting bodies, third-party certifiers, and security vendors, all being directed by security personnel for the benefit of the audience. Some of the actors are cast in multiple roles. Standards-setting bodies may be played by security professionals at big tech companies or security vendors, influencing the standards to reflect the work they already do. Certification bodies — the guardians of compliance — occasionally double as security vendors, offering consulting services designed to help companies meet the standards they will certify.

Now, this does not mean conflicting interests should prevent all parties from providing related services. In many instances, holding multiple roles allows for knowledge sharing between well-funded incumbents and newer entities. However, sometimes charlatans peddle a quick fix of checklist-style compliance documentation wrapped in the illusion of security because they can all but guarantee that a certification will be granted.

Unfortunately, behind the dazzling facade lies the chaotic backstage reality. While security theater provides a sense of reassurance, it often falls short in terms of tangible risk mitigation and legal compliance. The audience leaves patting each other's backs because their employees are regularly getting phishing tests (and retraining when they inevitably click). They breathe a sigh of relief knowing they have a network firewall in place and a virtual private network for remote employees. A few might even exit with the smug sense of self-satisfaction because they have an ISO 27001 certification that some of their competitors lack.

Truly effective security, unlike its theatrical counterpart, is not a source of comfort but a constant reminder of vulnerability. It recognizes that common practices — even best practices — do not always work. True security knows that data breaches happen to ISO-certified companies. True security knows that people are its weakest link and that being human is not a moral failing. Truly effective security plans for compromise by incorporating layered defenses and response plans for compromise rather than trying to train around it, ready to simply blame or punish individuals for merely being human. True security is a state of constantly evolving engineering and vigilance that is built with our human nature in mind: People may be fallible, but they are a feature, not a bug.

Stakes of Missing True Security Are High and Growing

Perhaps you are in the audience of security theater, thinking that true security would be great but is too expensive. Look out, though: Existing and new laws are demanding true security as table stakes for digital businesses. For example, EU regulators recently issued an opinion that compliance with a standard on data anonymization did not mean that it was sufficient anonymization under the law. And fines are piling up: A variety of new laws coming into effect in Europe call for fines of 2% to 7% of an enterprise's global annual revenue for violations of each law. This means that a single incident leading to a data breach may trigger multiple instances of revenue-based fines — and that's just in Europe. When you consider other jurisdictions that are following Brussels' lead, this adds up fast.

The US is also focusing on these issues, albeit in a different matter. The Securities and Exchange Commission (SEC), Federal Trade Commission (FTC), Department of Justice, and state-level attorneys general have investigated companies and filed civil and criminal claims against companies and individual leaders, alleging wrongdoing. Sen. Ron Wyden (D-Wash.) wrote to the FTC and SEC suggesting that CEOs should be held personally accountable for ineffective cybersecurity programs.

It is time to wake up to the security, economic, and legal risks associated with security theater. Its toughest critics — global lawmakers — are paying a lot more attention to this show. It is time to stop focusing on making the audience comfortable and start making them feel the discomfort that comes with risk, change, and, eventually, growth.

This will be particularly difficult in organizations that have long valued comfort over growth — leadership will not know they are watching security theater when they have cultivated a culture of being entertained at the expense of being educated. Boards and C-suites must therefore eschew the role of spectator and instead become the most effective critic in the audience.

Growth does not need to be at record-breaking speed, nor does it have to be tied to a certain end state. There are many ways to do security and compliance in a manner that is both risk-based and appropriate for the business. But it takes work. Growth always takes work.

A competent, experienced cybersecurity leader with curiosity and a growth mindset can help build an amazingly effective security program — when they are listened to. Listening to these folks can cause uncomfortable feelings of inadequacy and overwhelm. So it is time to get comfortable with being uncomfortable. Kill the culture of comfort and demand to hear things that are not easy to hear. Growth is what will truly provide the customers in the audience with lasting satisfaction and happiness, and it will ensure that the protection of our digital world evolves with the technology that has created it.