Anytime you see security policies or practices implemented in a way that seems to be more for appearances than for genuine security protection, beware that you may be witnessing Security Theater. Be skeptical if and when you see it.
At Havoc Shield we have no interest at all in helping companies go through the motions: we're interested in helping companies improve their security posture every week, every month, every year, reducing the chance that they fall victim to cyberattacks. In this article, we'll share some of the key indicators of Security Theater -- each of which are practices that we strongly dislike.
Ever been in an organization that received a request for a copy of a particular policy they didn't have? What happened next is about the clearest indicator you could ever have of an organization's seriousness about cybersecurity.
Some companies google for a policy template that seems like it would probably pass the sniff test of what the recipient is expecting. And they drop it in a policy folder that their team has access to, and call it "official" with little more than a brief attempt to skim the document. That's security theater.
Other companies pose hard questions and then make real policy decisions that they can stand by. By way of example, if asked for an Email Retention Policy, they reflect on their actual practices. Do they have Google Suite (or Office 365, or whatever else) set to forcibly delete emails outside of a particular timeframe? Do they have a process for implementing "litigation hold" or other exceptions if an email needs to be retained for longer? Or do they let individual employees use their judgement about email retention, with many employees keeping emails indefinitely?
Companies that aren't playing "security theater" reflect on how they actually handle the subject area that could be covered by the policy, and they evaluate whether/not they are proud of the status quo. If they are proud of the status quo -- for example, that their Employee Handbook has a document retention section covering email retention and that they enforce it in Google Suite -- they defend their approach. If they aren't proud of their approach, or their policies and approach are out of sync with what they'd be proud of, they take action to bring their policies and practices up to a state that they are proud of. Never just the policies. Always the policies and the practices.
What would you say, if a company of 50 people claimed (in a policy) that they require full-disk encryption, but the extent of the "implementation" of full-disk encryption was a months-old companywide email with instructions for employees to follow to turn on full-disk encryption. What would you figure the ACTUAL compliance level is, relative to the company's policy?
If you guessed something close to 0%, then your guess is similar to ours. We define "improbable compliance" as a situation where a company has a policy, has communicated that policy and described how to comply, but has done so in a way that provides no tooling to help employees comply, and no audit to check if they did. Put simply, we're not buying it: our guess is that very few employees will comply. Your policies might look wonderful on paper, but you've barely (if at all) improved the company's cybersecurity. Its security theater at its worst.
A counterexample is a company that rolls out tooling that allows central management of certain system-level settings, including reporting to discern the current state of system-level settings. When a company in that situation rolls out full-disk encryption in a policy -- and follows through with a well-announced transition where all workstations in the company are forcibly brought into compliance -- that's the kind of company that is making a bonafide improvement to their security posture.
Here's a version of security theater that is especially upsetting because it's the most likely to go undetected by partners, customers, and other stakeholders. And it's counterproductive to any future effort to persuade employees that the company is taking a genuine interest in improving security.
Suppose a company wants to be able to claim SOC 2 compliance, and chooses the SOC 2 Type I approach instead of SOC 2 Type II, for now. No problem. There are justifiable reasons for going that route.
However, further suppose that the company is pursuing SOC 2 Type I because that approach only requires SOC 2 compliance at one moment of time, rather than compliance across an audit period (e.g. 6 months). Still, that's not necessarily a problem; there are some defensible reasons for that, including the fact that SOC 2 Type I tends to be cheaper from a professional services fee perspective.
Lastly, imagine that the company is taking this "moment in time" compliance approach because they plan to catch everyone up to a compliant level for that very brief time during which the audit professional is present -- but with no real plan to make compliance sustainable.
We'll be super candid here: if that final paragraph describes your company, we're not a good fit for you -- we seek to work with companies that have a genuine desire to improve their security on an ongoing basis. Companies that want to get better every week, month, and year -- and lock in those wins by continuing to improve over time.
These three examples of security theater -- policies with no intention of compliance, ignoring improbable compliance, and the "one-time initiative" are all worth steering clear of. No matter how good you look to outsiders, you'll have done very little to improve your cybersecurity, and in many cases you'll have gone to great effort only to receive no material benefit. Depending on your motivations (e.g. to satisfy an enterprise security questionnaire) you may also have opened up yourself or your company to liabilities that have substantial impact to your company's viability.
If you'd like to stay away from security theater and instead implement security policies that tie out policies, practices, and tools, we'd love to work with you.