The security theatre continues
The Patrician has observed that Ankh-Morpork’s approach to security involves substantial investment in impressive-looking guards at major gates while actual security depends on a complicated arrangement involving the Thieves’ Guild, informants throughout the city, and the widely understood principle that causing too much trouble attracts attention from parties capable of making the trouble stop permanently. The visible security reassures visitors. The actual security happens through mechanisms nobody discusses in polite company.
Technology security follows remarkably similar patterns. Companies invest heavily in visible measures that reassure customers and auditors while actual security depends on a few competent people scattered throughout the organisation, informal practices that evolved because the formal ones do not work, and the widely understood principle that making problems visible embarrasses executives who prefer problems remain invisible.
The gap between security marketing and security reality is substantial and widening. Companies announce advanced threat detection, zero-trust architectures, and AI-powered security while simultaneously experiencing breaches from attackers exploiting unpatched systems, default credentials, and social engineering that no amount of advanced technology prevents. The Patrician notes that the theatre serves important purposes for everyone except the people who actually need security, that it is often more expensive than actual security would be, and that its persistence suggests the people funding security are optimising for appearing secure rather than being secure. This is rational for them. It is unfortunate for everyone else.
The compliance checkbox
Security frameworks establish that organisations have policies and follow documented processes. This is valuable for establishing baseline practices and tells you very little about whether those practices are adequate or followed rigorously versus perfunctorily. The certifications demonstrate that someone wrote documents and that auditors verified the documents exist. Whether the organisation is secure is a different question that the certifications do not answer.
The audit cycle creates organisations that prepare for audits rather than maintaining continuous security. The preparations involve updating documentation and ensuring that whatever auditors check appears compliant. Between audits, urgency decreases and practices drift until the next cycle begins. This rhythm is predictable. The gaps between audits are when security degrades while compliance remains technically adequate.
The Patrician observes that treating compliance as security rather than as evidence of minimum practices is a category error that organisations make willingly because compliance is measurable and security is not.
The expensive technology that provides comfort
AI-powered threat detection analyses vast quantities of logs to identify anomalies that might indicate attacks. These systems generate enormous numbers of alerts, most of which are false positives requiring investigation. Security teams become overwhelmed sorting legitimate threats from noise. Real attacks are missed among the false alarms. The technology works as designed. The design assumes unlimited analyst time to investigate alerts, which no organisation has.
Vulnerability scanning systems regularly identify thousands of vulnerabilities that require patching. The volume exceeds the capacity to address them. Prioritisation tends toward what is easiest to patch rather than what is most dangerous to leave unpatched, which means critical vulnerabilities in complex systems persist while minor vulnerabilities in simple systems are fixed to demonstrate progress to management. The Patrician observes that the correlation between security spending and actual security is weaker than anyone wants to admit. He suggests admitting it anyway.
The people problem
Social engineering attacks succeed regularly because training people to resist manipulation is difficult and because attackers need to succeed only occasionally while defenders must succeed every time. Annual security awareness training satisfies a compliance checkbox. It provides minimal resistance to targeted social engineering from competent attackers. Phishing simulations teach employees to avoid emails that look like the simulations. Sophisticated attacks look like something else.
Security team burnout is severe, turnover is high, and experienced people depart for positions that involve fewer alerts and more sleep. Replacements require time to develop institutional knowledge. The result is that security is frequently managed by relatively junior people who lack context about the organisation’s systems and the threats against them. This is the predictable consequence of expecting skilled professionals to work indefinitely under conditions that drove the previous skilled professionals away.
The Patrician’s assessment
The incentive structures guarantee inadequate security. Executives are measured on revenue and product launches, not on breaches that did not happen because security prevented them. Development teams are measured on shipping features, not on security quality. Security budgets are cut when financial pressure increases because security cannot demonstrate return on investment the way that sales and marketing can. The people making decisions are optimising for other goals, and the security consequences are someone else’s problem.
The breach cycle is consistent. Incident. Disclosure months later. Temporary attention. Investment in impressive technology that would not have prevented the breach. Return to previous practices. Repeat. The cycle continues because organisations survive breaches without fundamental changes, because costs are insured, and because admitting security problems is competitively disadvantageous.
The Patrician suggests that the wise approach for individuals is assuming that any system you depend on has inadequate security regardless of its certifications and marketing, and planning accordingly. The security you personally implement is more reliable than the security that organisations promise but may not deliver. The theatre will continue its performance to appreciative audiences who prefer the reassuring show to the uncomfortable reality that actual security is difficult, expensive, and never complete. He has watched similar performances in other domains. The reviews are always positive. The outcomes are mixed.