
Let's Shut Down the Theater - Security Theater, that is.
ISHPI CyberBytes Newsletter Vol 1 Issue 11

As I try to do every month, here is some [hopefully] thought-provoking information for you as we look to the excitement and uncertainty to come in 2024. At this time of year, it is customary for some to undertake challenges to test themselves or to create resolutions to better themselves. I’m no different. I like to use the start of the new year like a well-shaken Etch A Sketch [clean]. One of my resolutions is to continue working to improve my cyber security vigilance and awareness, to apply effective changes that reduce risk, and to increase IT security for ISHPI (and for you and me) [yes, I’m that dull!], and I would like you to think about joining me in that resolution. This past week, I recalled an old opinion piece by an IT security guru about moving “Beyond Security Theater”. Ironically, it has nothing to do with IT security; it is about physical security and terrorist-type activity.

The BLUF (and I recommend reading the article as well) is that, if we stop to look, there is a lot of “Security Theater”, meaning “security measures that make people feel more secure without doing anything to actually improve their security”. The big question is: do the security measures we are using really help make us safer and remove risk today, or are they akin to the pretend protection of hiding under a blanket?

How did I get here, you may ask? After reading some of the end-of-year cyber reviews this week, I found this concept touched upon by a fellow CISO: some of what we do in IT security is just for show now (Theater) and really isn’t helping secure us anymore. It either stems from “that’s the way we have always done it” or is part of “checking the box” syndrome. To be fair, the control might have been effective 30 years ago, or it may be a control whose application has evolved to the point that it is no longer applicable but is still mandated by compliance (think password and length requirements). Increasing the requirement for password length is just “Security Theater” today; it makes us feel more secure [heck, that is an 18-character password, no one could guess it, right?!], but it doesn’t really hinder a bad actor very much with today’s compute power. An analogy would be having a lock on your screen door, then adding to that lock by putting a pole in place to stop the screen door from sliding open. Yes, it will stop a person from easily opening the door in the traditional manner, but it is just a screen door, and the controls you put in place are easy to circumvent. Please don’t think I’m saying that locks and passwords don’t have their place; they do. This is just an example [a stepping-off point, if you will] to start critically thinking about how we implement controls to prevent malicious behavior (physical and technical), so that what we spend time (and money) on is actually providing the desired security and risk reduction, not just making us feel like we are secure. That is my goal for 2024: to critically assess and adjust how we (ISHPI, our clients, and ourselves) implement and verify that the security controls we are using are appropriate, and to look for those “locks on a screen door” that really aren’t doing much for us other than providing a false sense of security (and probably hindering productivity)!

Newsletter By:  Rob Collings, ISHPI’s VP of Cybersecurity | CISO

January 2, 2024
