What is security theater?

Security theater is the practice of implementing public, highly-visible security measures to give off the appearance of being safe. However, these measures often don’t do much at all to further an organization’s security measures.

Security theater explained

Organizations implementing security theater practices act on emotion rather than measurable security practices. Stakeholders within an organization may hold a psychological bias toward particular threats and act without any analysis or evidence. As a result, they launch security measures and tools without looking at the mathematical risk of a given type of attack or factoring in whether the measures are truly contributing to their organization’s protection. 

What makes security theater so dangerous is that it may have small positive effects at first. Employees within the organization may feel safe and relax due to the placebo effect or small initial benefits. 

This perception of progress can cause human error within an organization to increase, making it easier for hackers to infiltrate the network. The resulting feeling of “safety” may also stop organizations from pursuing tools that can further protect their systems.

Does security theater really exist in cybersecurity?

Most security theater examples usually refer to physical security measures. Companies may arm security guards with fake ammunition, install fake cameras, and make certain buildings on the company campus accessible by ID card only. But does security theater really exist in cybersecurity?

The short answer to the above question is yes. Security theater, or safety theater, does exist in the cybersecurity realm. The security measures system admins and IT professionals take may make people feel safer, but the root causes of real cybersecurity issues remain. Since managers implement these protocols from a place of emotion – with a lack of evidence and analysis – there’s no telling whether they will be effective. 

Fortunately, ConnectWise can help you avoid falling into the security theater trap. Download our Cybersecurity Cheat Sheet, or browse our cybersecurity center for the latest in MSP tips, tactics, and procedures (TTPs).

Security theater examples in cybersecurity

A simple IT example of security theater would be an organization’s password policy. System administrators may implement a strict password policy for all end users within the company. But, if IT technicians on the team aren’t enforcing that policy, it becomes useless. 

Elaborate but unenforced password policies, pop-up blockers, and antivirus software are measures security teams take to make people feel safe. This is due to the fact that these measures are visible to an organization’s endpoint users. Employees are also familiar with concepts like pop-up blockers and antivirus software from their home computers. This familiarity and visibility lead to a belief that these tools are accomplishing more than they actually are.

The challenge with these measures is that they aren’t enough to fully protect a company’s IT infrastructure by themselves. This is especially true in large organizations with more complex, expansive attack surfaces.

One such example would be the healthcare industry. These facilities are known for their bloated digital networks, to the point that the entire industry has become low-hanging fruit for modern-day cybercriminals. For these security measures to work, employees must have proper cybersecurity training. Most of this training in all sectors – healthcare, especially – is outdated, leaving countless cybersecurity frameworks vulnerable to attack.

Cybercriminals are constantly evolving. The sophistication of their attacks continues to increase exponentially. Organizations must be diligent about constantly reviewing and updating their training materials to protect against the latest threat actor TTPs. Effective training from as recently as one year ago may be outdated and ineffective in the current digital landscape. 

To understand how to have current and best-in-class measures like antivirus and antimalware software, view our webinar on Evolving your Cybersecurity Tech Stack

Why organizations participate in security theater

Security theater is usually the byproduct of good intentions. Team members implement security policies in an effort to help improve the overall protection of the organization. However, over time, these security measures don’t result in much of an improvement to a business’ cybersecurity level.

This “net neutral” effect of security theater measures occurs because they come from an emotional or psychological response. Without any reliance on hard data involving KPIs and actual risk calculations, impacting the company’s cybersecurity is not a consistent result.

Another reason organizations may practice security theater is negligence. Many cybersecurity protocols and tools require active participation from employees or end users, which requires proper training. IT technicians and other team members responsible for this training may allow it to fall by the wayside. As a result, these resources start to slip and may become outdated. If training isn’t current, then cybersecurity isn’t current. 

Real cybersecurity vs. security theater

The most significant difference between real cybersecurity and security theater is in the approach. Real cybersecurity protection relies on an empirical, evidence-forward approach. System admins and technicians launch effective cybersecurity protocols and tools in response to viable threats according to their analyses of system reports.

Real cybersecurity involves responding to risk assessments, implementing proper email security, effectively using antivirus or antimalware software, and more. These measures may be more subtle, but they’re effective and make real progress toward protecting an organization.

Conversely, security theater measures focus more on flashy tools and technology. IT management will implement tools that are noticeable and provide a feeling of safety, but these tools aren’t really protecting employees, sensitive data, and network infrastructure.

If you’re ready to cut out security theater and start implementing real, effective cybersecurity practices, contact us today. We’ll talk through your growing MSP business and show you how our suite of managed service and cybersecurity tools can help you better serve your clients. Consider us a trusted partner in your business here to help you grow.

FAQs

Security theater involves security measures that may make people feel safe but don’t contribute much to improving an organization’s level of protection. An example might be a retail store installing fake cameras to give the appearance of more coverage. In the IT world, an example may be an intricate password policy that nobody follows, leaving the policy ineffective.

Security theater measures are not effective. While they may give employees peace of mind, they don’t do much to improve actual security. These measures are based on an emotional or psychological response rather than empirical security evidence.