We love the phrase "Security Theater." It's perfectly descriptive while also being pejorative. You may also hear us say "Performative Security" as another way to describe doing things under the guise of cyber risk management that aren't actually reducing or managing risk but merely putting on a show.
We see this quite often in companies with a cybersecurity compliance requirement. Healthcare is the worst. Several things we hate to hear when working with a compliance client are:
- What's the least we can do to pass?
- We dislike [insert regulatory agency] for making us do this.
Both of these statements show us that the organization misunderstands the purpose behind the compliance requirement and that they just want to do something performative to get a regulatory agency "off their back."
Cybersecurity compliance requirements were created to foster a risk management mindset in regulated organizations. Unfortunately, bean counters have gotten in the way and made measurement the more important factor. Security Awareness Training is a prime example where measurement matters more than actual effectiveness. The goal has become to measure clicks in terribly fabricated environments rather than to measure users' responses to real phishing attacks.
Additionally, some compliance requirements have not been adequately updated over time and are now more of a burden than a help.
How do we overcome these obstacles?
First, we have to point our ire at the correct enemy. The regulatory body is not actively trying to attack your systems and steal your sensitive information. The threat actors are, though. Funnel your disdain and hatred at the right target and you'll do a much better job of protecting yourself.
Second, we need to seek out and prioritize the measures that give us the best bang for the buck, or the most ROI on our risk management effort. These vary from business to business, but with the right assistance you can find what reduces your risk most for the least resource cost (e.g., money, staff-hours, etc.). Do those first, but don't stop there. Work your way down the list until you are comfortable with your residual risk. Remember, security isn't an ON/OFF switch but a slider. Find your comfort spot.
Finally, we document our reasoning, decision making, and justifications when we make risk management decisions. Of course, that means we have to make deliberate and well-founded risk management decisions in the first place. Get the right people at the table with your decision makers and document those well-reasoned decisions before you are knee-deep in a breach or audit scenario. These justifications will show why you chose one solution over another, or why you chose to accept a certain low risk rather than spend a large amount of money remediating it for little gain.
You may have also noticed that we haven't mentioned technology yet in this article. That's because technology is merely one tool in our toolbox for managing risk. This is why you should consider cybersecurity as a risk management function that transcends your IT team and is not wholly contained within it. We don't just throw tools at the problem and expect the outcome to be cost-effective.
Think of it this way. There are many vehicles out there to get you from point A to point B. You wouldn't fly a rocket to the grocery store just like you wouldn't drive a car to the moon. Just as those vehicles aren't appropriate for those use cases, certain technology platforms may not be useful for your use case.
Discover the risks you need to manage most, determine the appropriate methods to manage those risks, and then find tools to do the managing. Those tools may be technology, but they may also be administrative or physical.
And as you continue your security program, for each task you are doing "for security," ask yourself whether it is actually reducing risk or just putting on a show for someone else.