Security theater is a phrase that gets tossed around a lot these days. Whether the topic is the TSA, PCI or receipt checks at the local wholesale club, there’s a general feeling that security has become about check boxes and feeling secure rather than genuinely securing something. The lethargy isn’t limited to just the security professionals either. Reading through even the most pedestrian review of a security function shows that the general opinion is that security is nothing more than a check-box item, something to be done to meet the “minimum requirements.”
In the InfoSec field, this viewpoint seems to be gaining momentum, and that is a sad state of affairs. Faced with an increasingly long list of regulatory requirements, the profession finds itself scrambling to meet seemingly arbitrary demands that have little to do with the particular organization’s risks. It doesn’t need to be this way.
I’m certainly not advocating ignoring the requirements of an organization’s regulatory regime. Instead, I believe that the requirements can be interpreted in such a way that genuine security becomes the deliverable. As a profession, we need to quit interpreting “to the check-box.” If there is a requirement, we should fashion solutions that contribute to reducing the organization’s actual risk. If PCI mandates that firewalls be reviewed every six months, don’t turn it into an exercise in minimalism. Establish a program that genuinely reviews the firewall rules and tests the implementation. Review not just the words of the rules, but their impact and the procedures that led to them. Don’t be satisfied with what a third party states as your organization’s goals; work within that framework to truly increase the security posture of your organization.
We’ve become complacent. We preach the value of “true security” and fret away at our inability to promote such a state. We complain about the regulatory requirements, the check-boxes, and the theater. A better solution is to make the theater work for us.