A field guide to the rituals we perform so everyone can feel safe without actually being safe.
Here's an uncomfortable truth security professionals know: a significant percentage of what passes for "security" in most organizations is theatre. It exists only to satisfy auditors, check boxes, and make executives feel like something is being done. It does not make anyone meaningfully safer. We all participate in it, knowing the alternative—admitting the truth—is professionally inconvenient. Let's talk about it anyway.
The annual pentest is a sacred ritual where an organization pays a firm one to two weeks to look for vulnerabilities, remediates the "reds," and then ignores security for eleven months.
Why it's theatre: Attackers are not constrained by fiscal calendars or narrowly defined two-week engagement scopes that exclude embarrassing findings. A point-in-time assessment is merely a snapshot; it says nothing about past, future, or out-of-scope vulnerabilities.
The tell: When leadership uses the pentest report as a security scorecard instead of a snapshot of known issues.
What actual security looks like: Continuous assessment, bug bounty programs, red team exercises with realistic scope, and a culture that treats vulnerabilities as expected.
Compliance frameworks (SOC 2, ISO 27001, PCI-DSS, HIPAA) are the alphabet soup of standards that define minimums. They are lowest-common-denominator checklists optimized for auditability, not security.
Why it's theatre: A company can be fully compliant—passing an audit—and still have critical vulnerabilities or get breached. The frameworks measure the existence of policies and controls, not their quality or effectiveness, nor whether documentation is actually read.
The tell: When "we're SOC 2 certified" answers questions about actual security practices.
What actual security looks like: Using compliance as a baseline, not a ceiling. Understanding that passing an audit means meeting a minimum bar, not being secure.
Once a year, employees click through generic, boring slides about phishing and passwords, optimized for completion metrics, not behavior change. The training exists so the organization can say "but we trained them!" after someone falls for a phish.
Why it's theatre: The training is usually generic, boring, annual (one hour per year does not build lasting habits), and disconnected from consequences. Meanwhile, actual phishing emails are crafted by professionals optimized for clicks.
The tell: When security training completion percentage is reported to the board as a key security metric.
What actual security looks like: Regular, short-form training tied to real incidents. Simulated phishing that teaches rather than punishes. Technical controls that reduce reliance on human judgment. Designing systems based on the acceptance that some percentage of people will always click.
Complex password requirements (uppercase, number, special character, 90-day rotation) ensure employees use predictable patterns like "Summer2024!" or "password1, password2".
Why it's theatre: Complex requirements don't produce strong passwords; they produce predictable patterns that meet complexity rules with minimum effort. Forced rotation actively makes security worse, a fact NIST recognized years ago, but the requirements persist due to compliance and habit.
The tell: When the IT helpdesk's most common ticket is password resets, and leadership views this as normal.
What actual security looks like: Long passphrases instead of complex passwords. Password managers. MFA on everything. Eliminating passwords where possible and not rotating credentials unless there's evidence of compromise.
A vendor must complete a 400-question security questionnaire to sell software, answering "yes" to everything, after which the document is filed and never reviewed.
Why it's theatre: Questionnaires are self-reported, giving vendors every incentive to answer "yes" and no incentive to be accurate. The questions are often vague enough for "yes" to be technically defensible. Its true purpose is liability theatre, allowing the organization to claim "due diligence" when the vendor is breached.
The tell: When your third-party risk process consists only of sending, receiving, and filing the questionnaire.
What actual security looks like: Actual assessment of critical vendors. Reviewing their pentest and audit reports. Contractual requirements with teeth. Assuming vendors will get breached and planning accordingly.
The organization invests heavily in a Security Information and Event Management (SIEM) system that generates thousands of alerts.
Why it's theatre: The SIEM generates so many false positives that the overwhelmed SOC team learns to ignore most alerts, burying the critical incident in noise. A SIEM is effective only if properly tuned, which is a dedicated, full-time job that most organizations fail to staff. Organizations buy the tool for compliance ("log monitoring") but not the expertise required to make it useful.
The tell: When the SOC team's primary metric is "alerts closed" rather than "incidents detected".
What actual security looks like: Fewer, higher-fidelity alerts. Detection engineering as a dedicated function. Regular testing of whether detections actually fire. Acceptance that security is provided by people using tools well, not the tools themselves.
These are the five most meaningless words in corporate communications, usually found in breach notifications, marketing, or responses to security researchers.
Why it's theatre: It is a thought-terminating cliché that conveys no information. Every company, including those catastrophically breached or threatening researchers, says it.
The tell: When it appears in official communication without being followed by specific, concrete details.
What actual security looks like: Describing and publishing your security program and practices. Having a bug bounty program and responding to researchers professionally. Demonstrating security through actions rather than asserting through words.
The organization implements multi-factor authentication (MFA) to satisfy compliance, but the implementation is flawed.
Why it's theatre: The MFA may be SMS-based (vulnerable to SIM swapping) or email-based (compromised if the password is). It might only be on the front door while service accounts roam free, or users can simply click "approve" on push notifications without thinking. Checkbox MFA satisfies the yes/no requirement without engaging with whether the implementation resists real attacks.
The tell: When "we have MFA" is the answer, but the percentage of authentication events that actually require it is unknown.
What actual security looks like: Phishing-resistant MFA (hardware keys, passkeys). Universal coverage, including service accounts. Monitoring for MFA bypass attempts. Understanding that MFA is a layer, not the entire solution.
Security theatre persists because the people implementing these measures are constrained by misaligned incentives:
The incentives are misaligned, making theatre a rational choice given the environment.
If radical changes were possible:
Security theatre is deeply embedded and likely isn't going away. The key is to be honest within your own organization about which activities are theatre and which are substance. You must ask uncomfortable questions:
The goal is to gradually shift resources towards real security. Are you?