It's Time to Close the Curtain on Security Theater

A shift of focus to cyberattack prevention strategies will more effectively mitigate risk.

Jason Rebholz, CISO, Corvus Insurance

January 9, 2024

4 Min Read
Closed, red curtains in a theater in front of seating
Source: Brownstock via Alamy Stock Photo


Another day, another ransomware attack or security breach at a brand-name company. And that's just the tip of the iceberg when you add the cyberattacks at lesser-known companies. This raises the question, "Are businesses focused on security efforts that mitigate risk, or are many falling prey to security theater?" There's no better time than now to have a conversation about security theater — what it is, why it is holding the industry back, and most importantly, what security controls and processes should be in place instead.

What Is Security Theater?

Security theater is the practice of implementing public, superficial policies and measures intended to give the perception of heightened security, or just "feel" like they are improving the organization's security. Examples include strict password policies that go unenforced or mandatory security awareness training for new employees that hasn't been updated in 10 years. 

You may ask: Why do companies throw resources at expensive security products and ill-conceived programs in hopes of securing a rubber stamp in the eyes of employees, customers, and shareholders? 

It's a complex problem that stems from many areas. In some cases, it's the inexperience of security leadership. In others, it might be due to the lack of quantifiable data to support or focus efforts. And in others still, it's the copious amounts of controls that some security vendor or third party once said they must do, with little to no context on why.

The cybersecurity industry could benefit from a sober analysis when it comes to the effects of security theater on organizations. 

How Security Theater Hurts

Security is not a one-size-fits-all T-shirt. Generic security frameworks and compliance requirements cast a wide net — they have to in order to set a baseline and be as applicable to as many as possible. The unintended consequence is mass adoption of solutions, programs, or processes that have little to no impact because they don't allow organizations to actually mitigate risk. 

Security theater hurts organizations in several ways, including:

  1. Spending on resources that don't reduce risk. Companies are investing in cybersecurity solutions and services at a record-breaking pace. But are they chipping away at the right problems? Are the products installed and updated properly? Are the services themselves vulnerable based on the increased attacks on third-party vendors? Has a program been set up to support and use the security solution after it is implemented? 

  2. Providing a false sense of security when little is being done to achieve it. When you declare victory with an arbitrary scorecard, you're more likely to let your guard down. Without the right testing, monitoring of effectiveness, and honest conversations around the state of security, you are only setting up a ticking time bomb.

  3. Opening a larger attack surface. Cybercriminals are getting more sophisticated by the day, and having only baseline security measures in place (e.g., passwords, antivirus software, weak remote access) leaves organizations extremely vulnerable. In addition, with the prevalence of multicloud environments, company data and applications are no longer behind the castle walls, adding complexity to security management.

Security theater thrives when security leaders, IT teams, vendors, and employees don't know better, have limited resources, or consider the job done when baseline controls are in place — putting organizations at cyber-risk. 

Kick Security Theater to the Curb

The good news is you can eliminate security theater by shifting your focus to a proactive approach to risk mitigation. 

Here's how to get started:

  1. First, conduct an inventory of all of your assets. This should include all of your systems, devices, networks, third parties, and data. The overarching goal is to have a solid understanding of the shape of your environment and data sprawl.

  2. Next, conduct a risk assessment of your organization. Be specific based on your environment and the threats you face based on your industry, business size, and compliance requirements.

  3. After that, inventory the current controls and programs in place and perform a gap analysis to determine what's missing and what needs to be enhanced. 

  4. Prioritize security enhancements based on the greatest opportunities to reduce risks — and therefore reduce security theater. This will include various implementation projects and new programs to actively manage your risk. 

Cyberattack Prevention Strategies

Proactively implementing effective cyberattack prevention strategies like those outlined below helps mitigate risk in today's cyberattack climate and strengthen processes and systems against breaches. 

Some examples include:

  1. Identity access management: Attacks target user credentials to gain access to environments. Securing user identities with passkeys while applying zero-trust principles to access can help stop attacks before they begin. Monitoring for drift away from baseline controls ensures you are modeling from a position of "secure by default."

  2. Protect endpoints: Ensure endpoints are monitored and secured with EDR technologies. These should be fully deployed throughout the environment and monitored 24/7 to quickly respond to and contain attacks.

  3. Resilient environments: Assume failure of existing security controls and build your environment in a way that can withstand an attack. This includes immutable backups and network segmentation that mitigate the blast radius of an attack and provide quick recovery.

  4. Rethink security training: Human error remains the No. 1 security risk for organizations. The focus must change from compliance to engagement and interactive approaches that improve awareness and create a security culture.

Don't give security theater any more airtime. Instead, shift your focus to cyberattack prevention strategies. Not only will you check the compliance boxes, but you will more effectively mitigate risk. 

About the Author(s)

 Jason Rebholz

CISO, Corvus Insurance

Jason Rebholz is the Chief Information Security Officer at Corvus Insurance. He has over a decade of experience performing forensic investigations into sophisticated cyberattacks and helping organizations build secure and resilient environments. As Corvus’s CISO, Jason leverages his incident response, security, and infrastructure expertise to drive security strategy and reduce the risk of security threats internally at Corvus and for Corvus's policyholders. Prior to joining Corvus, Jason held leadership roles at Mandiant, The Crypsis Group, Gigamon, and MOXFIVE.

Jason is the TeachMeCyber Guy on LinkedIn and YouTube. Subscribe to his weekly newsletter The Weekend Byte.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights