The security theatre continues
The Patrician has observed that Ankh-Morpork’s approach to security involves substantial investment in impressive-looking guards at major gates while the actual security depends on a complicated arrangement involving the Thieves’ Guild, informants throughout the city, and the widely understood principle that causing too much trouble brings unfortunate attention from parties capable of making trouble stop permanently. The visible security reassures visitors and provides employment for people who look intimidating in uniforms, while the actual security happens through mechanisms nobody discusses in polite company.
Technology security follows remarkably similar patterns. Companies invest heavily in visible security measures that reassure customers and auditors while the actual security depends on a few competent people scattered throughout the organisation, informal practices that evolved because the formal ones don’t work, and the widely understood principle that making problems visible embarrasses executives who prefer problems remain invisible. The visible security involves certifications, compliance frameworks, and impressive-sounding technology. The actual security involves people who understand systems fixing problems before they become breaches and hoping that attackers don’t notice the gaps that budget constraints prevent addressing.
The gap between security marketing and security reality is substantial and widening. Companies announce advanced threat detection, zero trust architectures, and AI-powered security while simultaneously experiencing breaches from attackers exploiting unpatched systems, default credentials, and social engineering that no amount of advanced technology prevents. The announcements are not technically false but they’re misleading about what actually keeps systems secure versus what sounds impressive in press releases.
The Patrician notes that security theatre serves important purposes for everyone except the people who actually need security, that the theatre is often more expensive than actual security would be, and that the persistence of security theatre despite its inadequacy suggests that the people funding security are optimising for appearing secure rather than being secure, which is rational for them even if unfortunate for everyone else.
The compliance checkbox security
Security frameworks and compliance requirements provide structured approaches to security that are simultaneously useful and completely inadequate. Organisations pursue compliance certifications that reassure customers and satisfy contract requirements while creating minimal actual security improvement beyond what they would have done anyway.
The ISO 27001 certifications, SOC 2 reports, and similar frameworks establish that organisations have security policies and follow documented processes. This is valuable for establishing baseline practices but tells you nothing about whether the policies are adequate or whether the processes are followed rigorously versus perfunctorily. The certifications demonstrate that someone wrote documents and that auditors verified the documents exist. Whether the organisation is actually secure is a different question that the certifications don’t answer.
The audit process incentivises documentation over security. Organisations ensure that required policies exist in writing and that audit trails demonstrate compliance with those policies. The actual effectiveness of the security measures is secondary to demonstrating that documented processes were followed. An organisation might have excellent documented security that’s routinely bypassed for operational convenience, and the audits wouldn’t necessarily detect this as long as the documentation is proper.
The focus on documented controls rather than actual security creates situations where organisations invest in meeting compliance requirements rather than addressing actual risks. Budget goes to compliance certification costs, audit preparation, and maintaining documentation rather than fixing the unpatched servers, improving authentication systems, or training employees about phishing. The compliance spending is justified because contracts require certifications while security improvements are discretionary spending that provides no contractual benefits.
The recertification cycle every year or two creates situations where organisations prepare for audits rather than maintaining continuous security. The preparations involve updating documentation, conducting internal audits, and ensuring that whatever the auditors check will show as compliant. Between audits, the urgency decreases and security practices drift until the next audit cycle begins. The rhythm is predictable, and the gaps between audits are when actual security degrades while compliance remains technically adequate.
The Patrician observes that compliance frameworks serve to establish minimum standards and provide auditable evidence that those standards are met, but that treating compliance as security rather than as evidence of minimum practices is a category error that organisations make because compliance is measurable while security is not.
The expensive technology that doesn’t help
Security vendors offer impressive technologies that promise to solve security problems through advanced detection, automated response, and AI-powered analysis. Organisations buy these technologies believing they’re investing in security when often they’re investing in additional complexity that provides minimal security improvement.
The AI-powered threat detection systems analyse vast quantities of logs and network traffic to identify anomalies that might indicate attacks. These systems generate enormous numbers of alerts, most of which are false positives requiring investigation. The security teams become overwhelmed sorting legitimate threats from noise, which means real attacks are missed among the false alarms. The technology works as designed but the design assumes unlimited analyst time to investigate alerts, which no organisation has.
The security information and event management platforms aggregate logs from throughout the infrastructure and provide dashboards showing security posture. The platforms are expensive, complex to configure, and require substantial ongoing maintenance. They provide visibility that’s valuable when someone knows what to look for but overwhelming when they don’t. Many organisations deploy SIEM platforms to satisfy compliance requirements and then struggle to extract value from them because the effort required to tune them properly exceeds available resources.
The endpoint detection and response systems monitor every device for suspicious activity and can isolate compromised systems automatically. These systems work when configured properly but require substantial tuning to avoid false positives that disrupt operations or false negatives that miss actual compromises. The configuration and tuning requires expertise that many organisations lack, which means the systems are deployed with default settings that are either too sensitive and disruptive or too permissive and ineffective.
The identity and access management systems promise zero trust architecture where every access is verified and every user is authenticated continuously. Implementing this properly requires redesigning authentication throughout the organisation, which is expensive and disruptive. Many organisations deploy IAM systems partially, which creates security theatre where authentication is strong for some systems and weak for others, and where the strongest security is often on the least important systems because those are easiest to change.
The vulnerability scanning systems regularly identify thousands of vulnerabilities across infrastructure that require patching. The volume of identified vulnerabilities exceeds the capacity to patch them, which means organisations must prioritise. The prioritisation is often based on what’s easiest to patch rather than what’s most dangerous to leave unpatched, which means critical vulnerabilities in complex systems remain while minor vulnerabilities in simple systems are fixed to demonstrate progress to management.
The Patrician observes that expensive security technology often serves to make executives feel that something is being done about security rather than to actually improve security, and that the correlation between security spending and actual security is weaker than anyone wants to admit.
The people problem nobody’s solving
Security depends fundamentally on people making good decisions consistently under time pressure with incomplete information. Technology can assist but cannot replace human judgment, yet organisations consistently under-invest in the people while over-investing in the technology.
The social engineering attacks that bypass all technical security by convincing people to provide credentials or access succeed regularly because training people to resist manipulation is difficult and because attackers need to succeed only occasionally while defenders must succeed constantly. Organisations provide annual security awareness training that checks a compliance box but provides minimal actual resistance to targeted social engineering from competent attackers.
The phishing simulations that organisations run to test employee awareness often measure compliance with clicking rather than actual security judgment. Employees learn to avoid clicking suspicious links in simulated phishing emails while remaining vulnerable to sophisticated attacks that don’t match the simulation patterns. The simulations provide metrics that management can report but minimal improvement in actual phishing resistance.
The security culture challenges, where security is viewed as an obstacle to getting work done rather than as an essential practice, create situations where employees bypass security measures to meet deadlines or accomplish tasks. The security team implements controls that employees circumvent by sharing credentials, using unapproved tools, or finding workarounds. The controls exist on paper while actual practice ignores them whenever they’re inconvenient.
The insider threat problem where trusted employees or contractors misuse access either maliciously or accidentally is extraordinarily difficult to prevent through technology because by definition insiders have legitimate access. Detecting misuse requires monitoring that employees often resist as invasive, and distinguishing legitimate unusual access from malicious access is contextual judgment that automation handles poorly.
The burnout in security teams that are perpetually understaffed, dealing with endless alerts, and responsible for security across organisations that under-resource it creates turnover that degrades security. The experienced people leave for less stressful positions while replacements require time to develop expertise. The churn means that security is often handled by relatively junior people who lack context about the organisation’s systems and threats.
The Patrician observes that organisations spend millions on security technology while paying security people poorly, staffing security teams inadequately, and wondering why the expensive technology doesn’t prevent breaches that result from human factors the technology was never designed to address.
The incentives that guarantee failure
The structure of organisational incentives ensures that security remains inadequate regardless of how much organisations claim to value it because the people making decisions are optimised for goals other than security.
The executive incentives that prioritise growth, features, and time-to-market over security create situations where security recommendations are declined because they would slow development or cost too much. The executives are measured on revenue growth and product launches, not on breaches that didn’t happen because security prevented them. Investing in security provides no credit when successful but provides blame when breaches occur despite the investment.
The development team incentives that prioritise shipping features on schedule create pressure to skip security reviews, defer security fixes, and accumulate security debt that will be addressed later. The “later” rarely arrives because new features are always more urgent than fixing old security issues. The teams are measured on delivering features, not on security quality, which means security is deprioritised whenever deadlines are tight.
The budget allocation decisions that treat security as a cost centre rather than as risk mitigation mean that security spending is scrutinised more carefully than revenue-generating investments. Security cannot demonstrate ROI in the same way that sales and marketing can, which means security budgets are cut when financial pressure increases. The cuts are justified by observing that security spending hasn’t prevented all breaches, which supposedly proves it isn’t working; this is circular reasoning that ignores the breaches security did prevent, which, having not happened, leave no evidence behind.
The vendor incentives that prioritise selling products over solving security problems create situations where vendors oversell capabilities, understate limitations, and discourage organisations from developing internal security expertise that would make them less dependent on vendors. The vendors profit from complexity that requires consulting, from inadequate products that require upgrades, and from security incidents that increase demand for security products.
The insurance incentives where cyber insurance provides financial protection against breach consequences create moral hazard where organisations invest less in security because insurance covers the financial damages. The insurance also creates perverse situations where paying ransomware is financially rational because insurance covers the ransom while recovering from attacks without paying would cost more and wouldn’t be covered.
The Patrician observes that incentive structures that systematically undervalue security while creating careers and profits from security theatre guarantee that security theatre continues regardless of its ineffectiveness, and that changing this would require aligning incentives which would disadvantage everyone currently profiting from the existing arrangements.
The breaches that teach nothing
Security breaches occur regularly, generate temporary attention to security, and then are forgotten without meaningful changes to practices that allowed the breaches. The cycle repeats with impressive consistency.
The breach disclosure process where organisations reveal breaches months or years after they occurred means that detailed information about what went wrong is rarely available. The disclosure statements are written by lawyers to minimise liability, which means they’re uninformative about actual security failures. Learning from others’ breaches is difficult when nobody explains what actually happened beyond vague statements about sophisticated attacks.
The post-breach investments in security are often misguided because organisations don’t understand what actually failed. They invest in impressive technology that wouldn’t have prevented the breach while failing to address the basic security practices that would have. An organisation breached through unpatched servers might invest in AI-powered threat detection rather than fixing their patching process because the technology is more impressive than process improvement.
The blame assignment after breaches focuses on immediate causes rather than systemic problems. An employee clicking a phishing link is blamed rather than the training programme that failed to prepare them, the security controls that failed to detect the compromise, or the access controls that allowed the attacker to access sensitive data after the initial compromise. Fixing the immediate cause without addressing systemic problems ensures that similar breaches continue.
The insurance payouts that cover breach costs reduce the financial pressure to improve security. The organisation pays higher premiums after breaches but the costs are spread over time and are less visible than the immediate cost of security improvements would be. The insurance allows organisations to treat breaches as insurable incidents rather than as failures requiring fundamental changes.
The competitive disadvantage of admitting security problems means organisations minimise breach disclosures and emphasise their security investments rather than their security failures. The market rewards appearing secure rather than being secure, which means organisations optimise for appearance. The companies that are honest about their security challenges are punished through customer loss while companies that maintain security theatre face no consequences until breaches become public.
The Patrician observes that the breach cycle of incident, disclosure, temporary attention, investment in wrong solutions, and return to normal ensures that breaches continue because the system is not learning from failures and has no incentive to learn as long as breaches remain survivable incidents rather than existential threats.
The Patrician’s assessment
Looking at the state of technology security with appropriate cynicism about the gap between marketing and reality, the Patrician concludes that security theatre is a rational response to incentive structures that reward appearing secure rather than being secure, that this theatre is expensive and ineffective but persistent because it serves everyone’s interests except actual security, and that meaningful improvement would require changing incentives in ways that would disadvantage the people who would need to approve the changes.
The compliance-focused security provides measurable progress that management can report while providing minimal actual security improvement. This serves organisations’ needs to demonstrate due diligence without requiring the difficult work of actually securing complex systems. The certifications and frameworks are useful but treating them as security rather than as minimum standards is self-deception that organisations engage in willingly because actual security is harder to measure and harder to achieve.
The expensive security technology serves to create the impression that something is being done while often adding complexity without corresponding security improvement. The technology vendors profit from selling solutions to problems that the solutions don’t actually solve, and organisations profit from appearing to take security seriously without making difficult changes to practices and processes that would actually improve security.
The people problems that are fundamental to security remain largely unaddressed because solving them requires changing culture, investing in training and staffing, and accepting that some security problems cannot be solved through technology regardless of cost. The organisations prefer buying technology to changing culture because technology purchases are discrete events while culture change is continuous effort.
The incentive structures ensure that security remains inadequate because the people making decisions are optimised for other goals and because security provides no credit when successful but attracts blame when failures occur. Rational executives under-invest in security relative to other priorities because the personal and organisational incentives favour this allocation even though it’s suboptimal from a security perspective.
The breach cycle continues because organisations survive breaches without fundamental changes, because the costs are insured and distributed, and because admitting security problems is competitively disadvantageous. The market does not punish inadequate security sufficiently to motivate actual improvement as long as everyone’s security is similarly inadequate and as long as breaches remain survivable incidents.
The path to better security would require changing incentive structures so that executives are measured on security outcomes, so that security teams are adequately resourced and empowered, so that compliance is treated as a minimum standard rather than as security itself, and so that security investments are evaluated on actual risk reduction rather than on the impressiveness of the technology. None of this is happening because it would disadvantage the people who would need to approve it.
The realistic assessment is that security theatre will continue, that breaches will continue, and that the gap between security marketing and security reality will persist because the system is working as designed for everyone except the people who need actual security. The theatre serves to reassure customers, satisfy compliance requirements, demonstrate management concern, and generate vendor profits. That it doesn’t actually produce security is unfortunate but not sufficient to change the system.
The Patrician suggests that the wise approach for individuals is to assume that any system you depend on has inadequate security regardless of its certifications and marketing, to plan accordingly, since redundancy and defence in depth provide better protection than trusting security theatre, and to remember that the security you personally implement is more reliable than the security that organisations promise but may not deliver.
The security theatre will continue its performance to appreciative audiences who prefer the reassuring show to the uncomfortable reality that actual security is difficult, expensive, and never complete. The show must go on because acknowledging that it’s theatre rather than security would require uncomfortable questions about why substantial security investments produce such modest security improvements. Better to applaud the performance and hope that the attackers are distracted by security theatre elsewhere.