Why CISOs Resort to Toxic ‘Security Theater’

Gain visibility for internal security measures without headaches and drama.

Laws and industry regulations require that organizations keep customer, employee, and partner information adequately secured from prying eyes. Protecting sensitive data is central to a Chief Information Security Officer’s role.

No matter the size of your organization, it’s difficult to get security right. Often, it’s even more challenging to convince your stakeholders that important assets are secured—even when it’s been done properly. However, CISOs, security executives, and other security leaders are obligated to ensure security and calm fears about cybersecurity measures, especially given the frequent news of numerous companies being breached despite their many certifications and public assurances.

How can CISOs instill confidence in their stakeholders that their information is actually secure?

At the most fundamental level, all stakeholders must be assured that security is a top priority and is being managed with appropriate care and diligence. Security leaders often enforce these ideas by making claims about adhering to compliance standards, implementing effective solutions and policies, engaging key partners, and leveraging relevant security services. These assurances are included on the company’s website, in contracts, customer engagements, shareholder reports, product documentation, and conference presentations, among numerous other places, including media relations. These public-facing statements are crucial, especially when security leaders are responding to a breach. 

However, these practices are often insufficient to provide adequate peace of mind for those whose livelihood and personal information are at stake. Not only do these claims have to be specific, but they must also often be accompanied by some form of concrete evidence. Evidence may be in the form of audit reports, internal assessment reports, or even third-party assessments. The primary issue with these reports is they are often generated by people who are not deeply engaged in, or even knowledgeable about, the intricacies of an organization’s security technologies and operations.  

In other words, information must be both accessible and straightforward with a clear view of the reality of a situation. It must be consistently updated, easily consumable, and convincing to people outside the security organization. It must be able to be read and understood by people who are not experts on the subject. These reports must be authoritative to help inspire confidence from internal and external stakeholders, clients, and the general public. 

How can a CISO prove that the myriad protocols and policies needed to build and operate an effective security apparatus are being implemented? Solutions include, but are not limited to, proving that all systems are properly patched, that all code is written in a manner conformant with secure development practices, and that all vulnerabilities and defects are being addressed in a timely manner.

This leads us to “Security Theater,” a term coined by renowned security technologist Bruce Schneier, who uses it to refer “to security measures that make people feel more secure without doing anything to actually improve their security.”

Another way to think about Security Theater is that it is the adoption of some security measures for their visibility rather than their efficacy. Even if the measures look good, the level of risk mitigation is negligible or even nonexistent. Examples of Security Theater might take the form of implementing password policies that encourage employees or users to simply add an exclamation point to the end of their usual password, third-party vendor questionnaires that are self-reported, or latching onto social signals and implementing a policy because “it’s what everyone else is doing.” A CISO at a small or medium-sized organization might think, “If this well-known organization I respect believes that requiring a number and special symbol in a password that’s not longer than 12 characters is sufficient, then why shouldn’t my organization follow the same ‘best practice?’” 

The allure of Security Theater is that it yields easy kudos from customers, plaudits from the CEO and board, recognition at conferences, and even career advancement for security leaders. In sum, Security Theater is a cheap shortcut around real security. Security Theater is the candy jar of the industry, and when you overindulge, you will certainly suffer the ill effects of doing so.

Every security leader knows that it is not a question of if your systems will be breached but when and, most importantly, with what consequences. Will the breach result in a catastrophic loss of data and be difficult to contain, or will it be contained, limiting the loss to less critical data? The latter will allow your organization to recover more swiftly and gracefully. The former could cause the organization to lose customers’ trust and damage the company’s reputation.

The path to real and effective security and high customer trust is not easy, but it is obvious. Each leader must develop the skills to execute security measures correctly and become an educator and evangelist for excellent security. Thought leadership is a crucial tool to communicate how to effectively secure information. Leaders can and should leverage conferences, blogs, tweets, and other public-facing channels to educate the market so customers understand sound security practices. 

Throughout 2023, the WTIA CISO and InfoSec Executive Peer Group will be bringing together top CISOs from around the country to have honest and transparent conversations surrounding  and ways that we can avoid the pitfalls of implementing measures that feel safe, but actually aren’t. If you’re an information security executive who is interested in joining these conversations and growing your peer network in an environment that’s curated for you to safely and confidentially discuss your challenges, we’d love to have you join us!


  • Khaja Ahmed

    Khaja Ahmed is former Senior VP of Product and Application Security for SAP and former Head of Google Enterprise Cloud Security. Connect with him on LinkedIn.
