Sergey Nivens - Fotolia
Closing the curtain on cyber security theatre
Leaders must redefine expectations, rethink responsibility, and eliminate unproductive practices to move towards real security, says Gartner vice-president analyst Richard Addiscott
For a term coined by Bruce Schneier more than 20 years ago, ‘cyber security theatre’ is still surprisingly common. This is when security measures appear to reduce risk without actually doing so, and it’s endemic.
The problem is that the size and complexity of the digital asset base is now so significant that cyber security leaders can’t keep up with the demand to pretend to protect everything, let alone do so.
In the newly remotely accessible world of the 1990s, password ageing and complexity seemed like they’d be useful, but that ignored human behaviour. Today, security questionnaires, awareness training and governance, risk and compliance (GRC) tools often lead to superficial exercises that have little or no impact on security status.
In reality, many theoretically useful security practices turn out to be too complex to implement, while others that are simple enough to expect reliable levels of compliance have little use.
How do we keep getting trapped this way? It’s because theatre is a common organisational response to “do something” about an urgently perceived risk when there isn’t much data about the significance or the cost-effective mediation of it.
That said, theatre isn’t necessarily entirely negative. It can reassure people who otherwise would let their fears preclude their participation in a useful business activity. Highly visible control processes can also send a signal to attackers, employees, customers and auditors that the organisation is spending resources on security.
The return on investment for cyber security theatre, however, has always been questionable. At a time when technology-related change is the second biggest business priority for CEOs, cyber security leadership must concentrate on security controls that aren’t just effective, but also recognised by busy employees as being worth the effort.
Reframing organisational expectations
Arguably, the rest of the organisation has always had unrealistically high expectations about the scope and efficacy of the security programme. This is no longer sustainable. The enterprise digital presence is huge. It’s not just growing; it’s changing, often very rapidly, in ways that often reduce the significance of existing security controls.
Cloud and other service providers are growing in significance, offering convenience and capability, but in an abstract and faceless way that makes an in-depth risk assessment difficult or impossible. Business units want more technologists on their teams, with decisions about the use of applications, endpoints and code deployment increasingly outside of the control of security functions. The broad adoption of generative AI (GenAI) and its ease of use have also introduced new risks across the organisation.
It’s no longer practical to provide a high level of assurance for the countless digital assets that a typical organisation has in use. Implications of a diminishing ability to exert central control is further exacerbated by external stakeholders demanding higher levels of organisational governance and risk transparency.
Reframing the role of cyber security isn’t just about explaining what the function does; it’s increasingly about making it clear where the team’s responsibility ends. Without expectation management, unrealistic and counterproductive assumptions about the security team’s purpose and scope of contribution will continue to grow.
Reimagining the responsibility model
It’s no longer realistic to expect security functions to continue to be responsible for all cyber risk implications. Organisations have increasingly become matrix-oriented, and many digital decisions have been pushed to the edges, or to the cloud.
Developers and business unit technologists want unprecedented levels of flexibility, without all the annoying governance and policy from headquarters. They’ll pay lip service to security and resilience, but not if it reduces the convenience of cloud computing or the ability to experiment with the ever-growing number of GenAI use cases.
It’s convenient for business unit leaders to pretend that the security leader is responsible for all security risks, but taking cyber security for granted quickly devolves to theatre.
The only way to escape from cyber security theatre is to develop a new responsibility model that aligns digital risk and digital benefit. Some security processes will continue to be the responsibility of the security team, but others might be the responsibility of a developer or business unit technologist, or a cloud or other service provider.
“Responsibility ambiguity” is an inevitable counterproductive outcome for organisations that fail to reimagine their approach to assigning accountability and process responsibility. Although the security team is responsible for a decreasing set of processes, it’s still accountable for developing risk control policies and providing expert support for risk acceptance decisions.
Identifying and eliminating theatre
The recognition that cyber security theatre is no longer scaling is a good starting point for security leaders in identifying policies and processes that never lived up to expectations, or that have lost efficacy after circumstances changed.
Those who have trained themselves to identify security theatre are better positioned to assess the potential of new industry initiatives, and the tools and processes that would be required to try to implement them. The significant challenges inherent in trying to secure a rapidly changing digital world encourage a lot of technology and process experimentation.
Are software bills of materials going to lead to practical risk reduction measures, or will it be too much effort for too little benefit? Zero trust network access has theoretical advantages for cloud-based applications, but would your organisation be disciplined enough to usefully follow through?
Awareness of the emotional appeal of security can help security leaders identify non-productive processes. It also helps the security team effectively communicate why they’re changing a process, or why they aren’t stepping up to yet another unrealistic expectation.
Richard Addiscott is a vice-president analyst at Gartner, focused on cyber risk and cyber security leadership.
