Cybersecurity Theater: The Show Must (Not) Go On

Doctor shows can make for great entertainment, but you’d (hopefully) never depend on even the most convincing actor to protect your health. Yet, when it comes to addressing existential risks to their data, many organizations rely on cybersecurity measures that have about as much real-world relevance efficacy as a sound-stage hospital set. There’s a term for this tendency to focus on appearance rather than substance: security theater.

First coined by InfoSec expert Bruce Schneier back in 2009, security theater refers to actions that make people and organizations feel safer without actually improving their safety. Security leaders implementing these processes, policies, and solutions aren’t playacting on purpose; each step they take has a basis in reality, whether a high-profile past incident, a perceived best practice, a handy checklist, or a common-sense gut feeling. But as any doctor knows, real healthcare has to be patient-centric, not one-size-fits-all. That means beginning with a thorough medical history and examination of the individual to understand their current health, the risks they should most be concerned about, and how best to address them.

The problem with security theater isn’t just that it expends time, money, and effort for minimal return. It’s also that these superficial measures take the place of funding and resources that could be better spent elsewhere—while leaving the impression that security has been taken care of. Meanwhile, the most relevant and significant risks to sensitive data remain unaddressed.

Are you practicing security theater?

It’s important to note that not all security theater measures are equally pointless. Some do have a role to play in a comprehensive, multilayered enterprise data protection strategy—albeit a smaller one than companies may imagine. Others, though, can be counterproductive at best. Here are a just a few of the most popular items in the security theater toolbox.

  • Security awareness training – Every article and blog post on enterprise security best practices includes a robust discussion of user awareness. Fair enough—even in this day and age, the prevalence of successful phishing attacks reveals how many employees are sitting ducks for a dodgy email. With the explosion of remote work and consumer-grade apps used for business, one can only imagine how much enterprise data is accessible through the same jailbroken smartphone used for gaming by an employee’s kids. But how effective are security awareness presentations, videos, and quizzes at actually reducing risk? The fact that 82 percent of breaches continue to involve the human element suggests something far below a cybersecurity cure-all.
  • “Strong” password policies – The harder a password is to remember, the harder it must be to hack, right? That’s a popular perception; we’re all familiar with annoying “15 character, special character, no sequences, frequent rotation”-type password hygiene requirements. In reality, if your password ends up on a leaked website, it doesn’t matter how long or hard-to-remember it is. And if its obscurity leads you to write it down on a piece of paper or—worse yet—jot it in the notes app of the device itself, you might as well put it on social media. Even NIST recommends abandoning 90-day rotation policies and replacing keyboard-smash strings with plain language passphrases. For all the appearance of security they provide, strong passwords simply erode user productivity while diverting attention from far more effective steps like multifactor authentication and context-based authentication policies.
  • Checkbox compliance – Checkboxes make people feel good. Look at all these things we’ve done; we must be getting amazing results! But what really matters is what those things include—and what’s missing from the list. To begin with, consider that most checklists likely include security awareness training and strong password policies, and we’ve seen how much of a difference they make. Antivirus software might do a bit more good against known threats, if not the zero-day kind. Vulnerability scanning seems worthwhile, though the fact that unpatched known vulnerabilities figure so prominently in ransomware attacks makes you wonder what companies are doing with those reports. Vendor security questionnaires are more popular with lawyers and insurance companies than cybersecurity experts. And even aside from the effectiveness of individual items, an audit reflects a moment in time, not a persistent state. Security yesterday doesn’t imply security today or tomorrow.

From make-believe to real security

When it’s time for a check-up, a doctor often spends a few minutes talking about general measures people should take to stay healthy—eating a balanced diet, getting regular exercise, and so on. Patients nod and say all the right things, but what they really want to know is: what’s the best way for me, specifically, to minimize risks? Security practitioners should be asking the same question. As Schneier pointed out, security should “follow the evidence.” In the enterprise, that means assessing your own environment and workflows, identifying the biggest risks and their likelihood, and designing your security strategy, processes, policies, and solution set accordingly.

While each company’s risk profile is unique, an area that’s often overlooked in this type of analysis is privilege abuse—a top vector for data breach. Simply put, privilege abuse is the use of legitimate credentials for illegitimate purposes. This can include the use of stolen credentials by bad actors; malicious acts by authorized users with bad intentions; or any situation where a company’s own authentication and authorization mechanisms have been turned against it.

Mitigating the risk of privilege abuse is one of the most targeted and effective ways to strengthen data security. After all, it’s your data that matters most; protecting how and by whom it can be accessed is the very opposite of security theater. The elements of privilege abuse prevention can include:

  • Data discovery, visibility, and classification – By gaining a full understanding of who has access to what data across your hybrid environment, as well as a comprehensive view of all data activity, you can more easily identify unnecessary, outdated, or inappropriate entitlements, limit exposure to attack, and enforce least privilege access to data as dictated by Zero Trust.
  • Consolidated data access controls – By consolidating authorization data from disparate systems into a single identity-to-data map, you can apply enterprise rules and security protocols more consistently across data sources to avoid gaps.
  • Regular entitlement reviews – Data access is often highly dynamic as users come and go, projects begin and end, roles change, and business requirements evolve. Regular entitlement reviews are essential to maintain least privilege access over time.

Veza helps organizations move beyond security theater to real protection with a robust and comprehensive authorization platform for data. By enabling companies to control who can and should take what action on what data across their entire ecosystem, Veza reduces the risk of privilege abuse as a vector for data breaches. Instead of going through the motions with feel-good measures and checklists, security teams can actually limit their attack surface. And nothing feels better than that!