Security Theatre Doesn’t Make You Any Safer
My friend Stephen Mann showed me this picture of the back gate to his house, after he had asked someone to fasten the padlock. The padlock has indeed been locked, and it does have a “TOP SECURITY” marking; but as you can see, it is doing nothing to protect Stephen’s property. After we'd finished laughing at the person who thought this was a reasonable response to the request to “fasten the padlock”, I was suddenly struck by how typical this approach to security is.
Security experts are pretty good at designing solutions that should keep everything safe and secure. What we are not so good at is explaining things to the people we rely on to make those measures work. We don’t explain exactly why the controls are there, and how they should work in terms that are easy for the people implementing them to understand, particularly when those people aren’t security experts and have fairly limited technical knowledge. As a result, they may follow the instructions they’ve been given without actually achieving anything useful.
We often talk about security needing a combination of people, process and technology controls, but sometimes we act as if these are completely separate. They are not. Every technology or process control requires people to make sure it works. You could have a firewall capable of providing excellent protection for part of your network, for example. But it will only be effective if you have a rigorous process for ensuring that only the correct access is allowed through the firewall, and if your people take appropriate care when making any changes. A firewall that has been misconfigured is about as useful as the locked gate in my picture. In fact, it fails in exactly the same way, giving the appearance of security without actually protecting anything.
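As an added illustration of the misconfigured-firewall point (example code written for this post, not something from the original), the check below walks a first-match ruleset and reports deny rules that can never fire because an earlier, broader allow already matches all of their traffic: the rule is on the books, like the padlock, but protects nothing. The rule format and the sample ruleset are constructed assumptions, not any particular firewall's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # None means any port

def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    port_ok = outer.port is None or outer.port == inner.port
    return src_ok and dst_ok and port_ok

def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (index, shadowing_index) pairs for rules that are unreachable
    in first-match order because an earlier rule already matches everything
    they match."""
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if _covers(rules[j], rule):
                findings.append((i, j))
                break
    return findings

def ineffective_denies(rules: List[Rule]) -> List[Tuple[int, int]]:
    """The security-relevant subset: a deny that is shadowed by an earlier allow.
    It looks like a control but never blocks anything."""
    return [(i, j) for i, j in shadowed_rules(rules)
            if rules[i].action == "deny" and rules[j].action == "allow"]

# Constructed sample ruleset: a broad allow added "to make things work",
# followed by the deny that someone believes is protecting the SSH port.
RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.0.0/8", None),
    Rule("deny", "0.0.0.0/0", "10.0.5.0/24", 22),
    Rule("allow", "192.168.1.0/24", "10.0.5.0/24", 443),
]

if __name__ == "__main__":
    for i, j in ineffective_denies(RULES):
        print(f"rule {i} ({RULES[i]}) is shadowed by rule {j} and never applies")
```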
Good controls spoiled by inadequate implementation are only one common way to create potential lapses in security. A related issue that I have seen is the creation of highly visible security controls in response to a management demand for improved security, often in the wake of some traumatic incident. These highly visible controls are often known as security theatre. They look like active security, and they do help to make people feel safer, but they just fool people into thinking that security is in place. They create a great illusion, but they don’t actually protect your assets.
Here are some examples of security theatre:
- Insisting that people use long, complex passwords that must be changed very frequently. This sounds like you are providing great protection, but in practice it often results in people choosing weaker passwords and reusing the same password on multiple accounts – in other words, a rule that looks good results in worse security.
- Using security guards to search visitors’ bags at the door. These searches can cause significant inconvenience but there is no evidence that they are an effective way to increase security. They may make people feel safer, but they are unlikely to protect your building from attacks.
- Providing staff with a badge to gain entry to a location. Doors that require access badges seem to provide security, but it is usually very easy to simply walk through the door when someone else has opened it. Most people won’t challenge a stranger walking confidently through the door with them.
Security theatre usually causes inconvenience, without actually helping to make your assets more secure.
Even perfectly good security controls can turn into security theatre if staff don’t understand and support their use. Here are some examples:
- I have worked with a number of organizations that required two people to sign cheques, to help prevent fraud. In EVERY SINGLE CASE I discovered that one person had a number of cheques pre-signed by the other person, because it was too inconvenient to wait until they were both available.
- One of my customers provides secure cloud-based file-sharing services to allow their staff to share confidential files with customers and suppliers. Each time someone wants to share a file with a new contact it takes two or three weeks to process the request for a new account, so the employees circumvent the control by using commonly available insecure cloud services to share data.
When you create security controls you must think about the balance between enabling people to be agile and productive, and providing sufficient protection to your assets. If you only think about the need for protection, then your staff will find creative ways to do their jobs, often circumventing all your carefully designed controls and rendering them effectively useless.
Maybe it’s time you took another look at your security controls. Do your people know not just what they do, but why? Do they really protect your assets, or are they just security theatre?
Image Credit: Stephen Mann