On With the Show: Examples of Cybersecurity Theater

Cybersecurity guru Bruce Schneier has identified what he calls the latest example of ‘security theater’: thermal imaging cameras, used to scan temperatures in crowds as an anti-coronavirus mechanism. Even though it makes people feel better about the pandemic, it won't actually work, he warned. He knows all about security theater because he coined the term back in 2003. It describes any security measure that acts as a placebo to reassure people without doing anything useful, and you’ll find it wherever there’s a clear and present danger that makes people feel uneasy. The cybersecurity industry is one such place, and it’s littered with examples. Here are a few.

Technology Buzzwords
The easiest thing for a panicked CISO with a budget to do is drink the Kool-Aid and buy a product with a buzzword on it, trusting it entirely for protection. This year, AI/machine learning is the marketing buzzword of choice to help people feel safe. Last year, it was Blockchain. These technologies can have a place in a cybersecurity or information security portfolio, but they’re not going to save you on their own. AI is not a substitute for good security analysis or training. Blockchain might make information immutable, but it’s useless if the processes for producing and entering that information are flawed in the first place. Just as diet drinks only work as part of a calorie-controlled diet, new-fangled tech only helps as part of a well-rounded security solution.

Data Gathering
For many organizations, the best way to feel in control of a situation is to collect more data. If executives document everything (and everyone), they must be in control, right? Wrong. You can’t necessarily spot dangerous activities in an ocean of data, and even if a tool manages to highlight something, your analysts might not have the resources to investigate it. Just ask Target, which ignored flashing lights on its expensive security dashboard, opening itself up to a disastrous breach.

Countless Security Alerts
It isn’t just infosec pros who suffer from cybersecurity alert fatigue. Everyday users end up ignoring them too. They face a barrage of certificate warnings, permissions alerts and privacy warnings on social networks. Their software applications warn them that they need to update. Their computers ask them if they really want to install that software, and now they have to cope with cookie permission screens on websites, too. Many users aren’t that great at understanding these technical messages, let alone following their advice. On the other hand, alerts make managers feel more secure because they can claim that they’ve given people fair warning. All of this needs a rethink.

Password Changes
If you think that forcing people to change their passwords for new, equally complex ones each month will help your cybersecurity stance, think again. GCHQ explicitly advised against this in 2015, and current government recommendations warn that it “harms rather than improves security.” A better approach involves reducing your reliance on passwords in the first place through mechanisms including multi-factor authentication and single sign-on. That involves more work, though, and probably more technology investment.

Crummy User Awareness Campaigns
Training users is important, but there’s a wrong and a right way to do it. The wrong way involves lots of finger-wagging in an airless room, lecturing users with no interaction at all, and failing to follow up by checking on their cybersecurity practices. The training company gets paid, a manager gets to tick a box and everyone moves on with a false sense of security.

The better way involves shorter, interactive sessions that engage users, perhaps by linking cybersecurity practices to their own lives to make it more relevant. It involves regular check-ins and updates, and security exercises and drills to ensure that they’ve got the message. This takes more thought, and regular management – which is why many companies don’t do it.

Cybersecurity is a rounded discipline with lots of factors that work in cohesion. Rather than focusing on a single sticking plaster solution, smart organizations will take the time to design best practices that support their workflows and risk profiles, and then implement technologies that support them. That may not be as sexy as dropping in an AI tool, but it will offer better protection.
