It's Time to Close the Curtain on Security Theater

A shift of focus to cyberattack prevention strategies will more effectively mitigate risk.
January 9, 2024
Another day, another ransomware attack or security breach at a brand-name company. And that's just the tip of the iceberg when you add the cyberattacks at lesser-known companies. This raises the question, "Are businesses focused on security efforts that mitigate risk, or are many falling prey to security theater?" There's no better time than now to have a conversation about security theater — what it is, why it is holding the industry back, and most importantly, what security controls and processes should be in place instead.
Security theater is the practice of implementing public, superficial policies and measures that are intended to give the perception of heightened security, or that simply "feel" like they are improving the organization's security. Examples include strict password policies that go unenforced, or mandatory security awareness training for new employees that hasn't been updated in 10 years.
You may ask: Why do companies throw resources at expensive security products and ill-conceived programs in hopes of securing a rubber stamp in the eyes of employees, customers, and shareholders? 
It's a complex problem that stems from many areas. In some cases, it's the inexperience of security leadership. In others, it might be due to the lack of quantifiable data to support or focus efforts. And in others still, it's the copious amounts of controls that some security vendor or third party once said they must do, with little to no context on why.
The cybersecurity industry could benefit from a sober analysis when it comes to the effects of security theater on organizations. 
Security is not a one-size-fits-all T-shirt. Generic security frameworks and compliance requirements cast a wide net — they have to in order to set a baseline and be as applicable to as many as possible. The unintended consequence is mass adoption of solutions, programs, or processes that have little to no impact because they don't allow organizations to actually mitigate risk. 
Security theater hurts organizations in several ways, including:
Spending on resources that don't reduce risk. Companies are investing in cybersecurity solutions and services at a record-breaking pace. But are they chipping away at the right problems? Are the products installed and updated properly? Are the services themselves vulnerable, given the increase in attacks on third-party vendors? Has a program been set up to support and use the security solution after it is implemented?
Providing a false sense of security when little is being done to achieve it. When you declare victory with an arbitrary scorecard, you're more likely to let your guard down. Without the right testing, monitoring of effectiveness, and honest conversations around the state of security, you are only setting up a ticking time bomb.
Opening a larger attack surface. Cybercriminals are getting more sophisticated by the day, and having only baseline security measures in place (e.g., passwords, antivirus software, weak remote access) leaves organizations extremely vulnerable. In addition, with the prevalence of multicloud environments, company data and applications are no longer behind the castle walls, adding complexity to security management.
Security theater thrives when security leaders, IT teams, vendors, and employees don't know better, have limited resources, or consider the job done when baseline controls are in place — putting organizations at cyber-risk. 
The good news is you can eliminate security theater by shifting your focus to a proactive approach to risk mitigation. 
Here's how to get started:
First, conduct an inventory of all of your assets. This should include all of your systems, devices, networks, third parties, and data. The overarching goal is to have a solid understanding of the shape of your environment and data sprawl.
Next, conduct a risk assessment of your organization. Be specific based on your environment and the threats you face based on your industry, business size, and compliance requirements.
After that, inventory the current controls and programs in place and perform a gap analysis to determine what's missing and what needs to be enhanced. 
Prioritize security enhancements based on the greatest opportunities to reduce risks — and therefore reduce security theater. This will include various implementation projects and new programs to actively manage your risk. 
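The four steps above (inventory, risk assessment, gap analysis, prioritization) can be run as one small calculation. The script below is an added example, not code from the article or from Corvus; the asset inventory, the threat list, the impact and likelihood scales, and the rule that full control coverage removes 75% of inherent risk are all constructed assumptions chosen to make the arithmetic visible. It goes slightly beyond the text in one way: besides ranking open gaps per asset, it also ranks the missing controls by how much risk each would remove across the whole estate, which is the number you want when deciding what to fund first.

```python
"""Risk-based gap analysis and prioritisation over a constructed asset inventory.

Added example; not from the original article. Scores, threats and control
mappings are illustrative assumptions, not a standard.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    data: str                  # classification: public / internal / confidential / regulated
    internet_facing: bool
    third_party: bool = False
    # Only controls that are deployed AND verified as enforced count here;
    # a policy that exists on paper is security theater, not a control.
    controls: set = field(default_factory=set)


# Step 1 (inventory): constructed sample environment
INVENTORY = [
    Asset("vpn-gateway", "confidential", True, controls={"edr"}),
    Asset("hr-saas", "regulated", True, third_party=True, controls={"mfa"}),
    Asset("finance-fileserver", "regulated", False, controls={"edr", "immutable_backups"}),
    Asset("intranet-wiki", "internal", False),
]

# Step 2 (risk assessment): impact from data classification (assumed 1-4 scale),
# likelihood from exposure, both specific to this environment.
IMPACT = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}

THREATS = {
    # threat: (likelihood function over an asset, controls that mitigate it)
    "credential_theft": (lambda a: 4 if a.internet_facing else 2, {"mfa", "zero_trust_access"}),
    "ransomware": (lambda a: 3 if a.internet_facing else 2, {"edr", "immutable_backups", "segmentation"}),
    "supply_chain_compromise": (lambda a: 3 if a.third_party else 1, {"vendor_monitoring", "segmentation"}),
}

# Assumption: full coverage of a threat's mitigating controls removes 75% of its
# inherent risk; the remaining 25% reflects "assume your controls will fail".
MAX_REDUCTION = 0.75


def gap_analysis(inventory):
    """Step 3: for every asset/threat pair compute inherent risk, residual risk
    given the controls actually in place, and the controls still missing."""
    findings = []
    for asset in inventory:
        for threat, (likelihood, mitigations) in THREATS.items():
            inherent = likelihood(asset) * IMPACT[asset.data]
            coverage = len(asset.controls & mitigations) / len(mitigations)
            findings.append({
                "asset": asset.name,
                "threat": threat,
                "inherent": inherent,
                "residual": round(inherent * (1 - MAX_REDUCTION * coverage), 2),
                "missing": sorted(mitigations - asset.controls),
            })
    return findings


def prioritise_findings(findings):
    """Step 4a: open gaps ordered by residual risk, highest first (ties by name)."""
    open_gaps = [f for f in findings if f["missing"]]
    return sorted(open_gaps, key=lambda f: (-f["residual"], f["asset"], f["threat"]))


def prioritise_controls(findings):
    """Step 4b: rank each missing control by the total risk it would remove across
    all assets, so spending goes to the control with the largest measurable effect."""
    reduction = {}
    for f in findings:
        _, mitigations = THREATS[f["threat"]]
        per_control = f["inherent"] * MAX_REDUCTION / len(mitigations)
        for control in f["missing"]:
            reduction[control] = reduction.get(control, 0.0) + per_control
    return sorted(reduction.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    findings = gap_analysis(INVENTORY)
    print("Open gaps by residual risk:")
    for f in prioritise_findings(findings):
        print(f"  {f['residual']:>6}  {f['asset']:<20} {f['threat']:<25} missing={f['missing']}")
    print("Controls by risk removed if implemented:")
    for control, removed in prioritise_controls(findings):
        print(f"  {removed:>7.3f}  {control}")
```

With the constructed inventory, network segmentation comes out on top of the control ranking because it mitigates two different threats on every asset, even though no single finding names it as the worst gap. That is the kind of result a risk-driven gap analysis surfaces and a vendor checklist does not.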
Proactively implementing effective cyberattack prevention strategies like those outlined below helps mitigate risk in today's cyberattack climate and strengthens processes and systems against breaches.
Some examples include:
Identity access management: Attacks target user credentials to gain access to environments. Securing user identities with passkeys while applying zero-trust principles to access can help stop attacks before they begin. Monitoring for drift away from baseline controls ensures you continue to operate from a position of "secure by default."
Protect endpoints: Ensure endpoints are monitored and secured with EDR technologies. These should be fully deployed throughout the environment and monitored 24/7 to quickly respond to and contain attacks.
Resilient environments: Assume failure of existing security controls and build your environment in a way that can withstand an attack. This includes immutable backups and network segmentation that mitigate the blast radius of an attack and provide quick recovery.
Rethink security training: Human error remains the No. 1 security risk for organizations. The focus must change from compliance to engagement and interactive approaches that improve awareness and create a security culture.
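The identity item above calls for monitoring drift away from baseline controls, and the article's opening example of security theater is a strict password policy that goes unenforced. The check below is an added example, not code from the article or from any identity provider: it encodes the baseline as a list of verifiable rules and compares an exported settings snapshot against it, so a control only counts when the tenant's actual configuration satisfies the rule. The setting names, the baseline values, and the snapshot are all constructed.

```python
"""Baseline drift check for identity controls.

Added example; the setting names, baseline and snapshot are constructed and do
not correspond to any real identity provider's configuration schema.
"""
import operator

# The "secure by default" posture the organisation committed to.
# Each rule: (setting name, comparison, expected value).
BASELINE = [
    ("mfa_required_for_all_users", "eq", True),
    ("passkeys_allowed", "eq", True),
    ("legacy_auth_enabled", "eq", False),
    ("password_min_length", "gte", 14),
    ("session_max_hours", "lte", 12),
    ("admin_login_allowed_from", "subset_of", {"corp-vpn", "managed-device"}),
]

# Comparison operators a rule may use.
OPS = {
    "eq": operator.eq,
    "gte": operator.ge,
    "lte": operator.le,
    "subset_of": lambda actual, allowed: set(actual) <= set(allowed),
}


def check_drift(baseline, snapshot):
    """Compare an exported settings snapshot against the baseline and return one
    finding per rule that is not satisfied. A setting that is absent from the
    snapshot is reported as drift too: "not measurable" is not "enforced"."""
    findings = []
    for setting, op, expected in baseline:
        if setting not in snapshot:
            findings.append({"setting": setting, "expected": expected,
                             "actual": None, "reason": "not present in snapshot"})
            continue
        actual = snapshot[setting]
        if not OPS[op](actual, expected):
            findings.append({"setting": setting, "expected": expected,
                             "actual": actual, "reason": f"fails {op} check"})
    return findings


# Constructed snapshot: the written policy says MFA is mandatory and passwords
# are 14+ characters, but the exported tenant settings tell a different story.
SNAPSHOT = {
    "mfa_required_for_all_users": False,
    "passkeys_allowed": True,
    "legacy_auth_enabled": True,
    "password_min_length": 8,
    "session_max_hours": 12,
    "admin_login_allowed_from": ["corp-vpn", "home-wifi"],
}


if __name__ == "__main__":
    for f in check_drift(BASELINE, SNAPSHOT):
        print(f"DRIFT {f['setting']}: expected {f['expected']!r}, "
              f"actual {f['actual']!r} ({f['reason']})")
```

Run on a schedule against a fresh export, the same check turns "we have a password policy" into a measured statement about whether the policy is in force today, which is the difference between a control and a prop.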
Don't give security theater any more airtime. Instead, shift your focus to cyberattack prevention strategies. Not only will you check the compliance boxes, but you will more effectively mitigate risk. 
Jason Rebholz
CISO, Corvus Insurance
Jason Rebholz is the Chief Information Security Officer at Corvus Insurance. He has over a decade of experience performing forensic investigations into sophisticated cyberattacks and helping organizations build secure and resilient environments. As Corvus's CISO, Jason leverages his incident response, security, and infrastructure expertise to drive security strategy and reduce the risk of security threats internally at Corvus and for Corvus's policyholders. Prior to joining Corvus, Jason held leadership roles at Mandiant, The Crypsis Group, Gigamon, and MOXFIVE.
Jason is the TeachMeCyber Guy on LinkedIn and YouTube. Subscribe to his weekly newsletter The Weekend Byte.
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.