“Cybersecurity theater refers to actions that purport to reduce risk, without actually doing so, and it’s endemic. The size and complexity of the digital asset base is now so significant that cybersecurity leaders can’t keep up with the demand to pretend to protect everything, let alone do so.” (Gartner, 2023)
It was a true pleasure reading this piece by Gartner! It addresses a question I’ve had for years now: why are so many people and organizations spending time, effort, and money on security whose value is unclear, even though the ROI is supposedly calculable? It seems that the focus is often placed on SLAs (Service Level Agreements) rather than on the actual value of security.
It’s important to understand that compliance often gets confused with cyber resilience. That is why, instead of maintaining the status quo of dependency on vendors and consultancies, we should be focusing on growing actual responsibility by building self-reliance in security operations. Meaning, we need more theater critics, and one step beyond that, mavericks!
But it is a human trait to keep our illusions intact. This sense of control is important for us, and I totally get it, but we need to be braver, because this feeling of control is often misleading, and criminals continuously exploit the blind spots it creates.
My personal theater story
Let me share my personal theater story, which totally dazzled me some years ago. I was working for a company with an exceptionally high-quality SOC (Security Operations Center). Or at least, everyone was telling me so… ;) As product managers, we were challenged to explain why our SOC would beat the competition and to create a sound ‘battle card’ for our sales force.
However, it wasn’t easy to get empirical proof of the higher value of our services, as market definitions were still blurry. For instance, what are the differences between a trigger, an event, an alarm, an alert, an incident, a case, and so forth, and what can be expected from a SOC service? Is the service considered a good one when the SLA is met? When you don’t have any incidents, at least none that you know of? Or when the impact of a breach is low?
In our case, some customers complained that they didn’t hear from us often enough. This was already quite interesting, as in my view of the world, that is a good thing when considering a security service. But the issue was, we were security-oriented, not illusion- or SLA-focused. Meaning, everyone’s goal was to limit the impact of any security issue at hand, rather than having the whole operation follow SLA guidelines on exactly what had been agreed upon. Which was clearly a mismatch with the world of security theater.
Meeting the client
At some point, I was invited by a sales colleague to a customer’s site to meet their security operations team. It concerned a large enterprise with six SOC providers, each specializing in a different area, or overlapping from a risk perspective. You can imagine my enthusiasm and curiosity to learn from this!
As soon as I arrived, the first thing that struck me was their overwhelming frustration. Their daily operation was in a clear state of alert fatigue, and they were still suffering severe impact from breaches.
Each day, their team of seven received an overwhelming influx of 75-100 alarms from just one SOC service, while having the capacity to handle 15 to 20. To tackle this, they developed their own system. First, they had to work out which alarms carried higher risk and/or relevance before deep-diving into the original data sources from which the alarm had been triggered. This was followed by gathering context to determine its risk and severity. When needed, they would create tickets or incidents for further analysis or remediation, which were handled by another team within their organization.
At this stage, my mind was frenzied by cognitive dissonance. Our customers were complaining about too much silence from our SOC analysts, as on average they received only 1 case (!) per month. Meanwhile, I was listening to a security team that was clearly overwhelmed and not feeling in control, while their organization was still being affected. And that despite the fact that SLAs were met, meaning the provider forwarded every alarm whenever a rule was triggered. So getting back to Gartner’s piece: to me, these ‘alert factories’ are definitely part of the great theater act.
Traveling back home, questions arose, such as: ‘How much time, effort, and money do managed security service customers invest in their own operations while receiving such a service?’ In other words, what are the total costs? If you calculated the cost of your MSSP/MDR/XDR provider, added up all the costs associated with receiving and managing the service, and then set that against the actual security value it provides… what would the battle cards look like then?
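The triage routine that team built for themselves, as an added example (not their system, and not code from the original post): collapse repeats of the same alarm, score what is left by severity and by how critical the affected asset is, and hand the analysts only as many items as they can actually work. The feed format, the asset register, the weights and the sample alarms are all constructed for illustration.

```python
"""Alert triage: turn a day's MSSP alarm feed into a queue sized to the team.

Added example. The feed format (timestamp|rule|severity|host|user), the asset
register and the weights below are assumptions made up for this demo.
"""
from datetime import datetime, timedelta

# Hypothetical asset register: how much a hit on this host matters (1-5).
ASSET_CRITICALITY = {"dc01": 5, "erp-db": 5, "web-01": 3, "wkstn-042": 1}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample feed for one morning (not real alarms).
SAMPLE_FEED = [
    "2024-03-01T08:00:00|brute-force-ssh|medium|web-01|root",
    "2024-03-01T08:05:00|brute-force-ssh|medium|web-01|root",
    "2024-03-01T08:10:00|brute-force-ssh|medium|web-01|root",
    "2024-03-01T08:30:00|new-admin-account|critical|dc01|svc_backup",
    "2024-03-01T09:00:00|av-signature-match|low|wkstn-042|jdoe",
    "2024-03-01T09:15:00|suspicious-powershell|high|wkstn-042|jdoe",
    "2024-03-01T10:00:00|db-dump-large-export|high|erp-db|app_user",
    "2024-03-01T11:30:00|brute-force-ssh|medium|web-01|root",
]


def parse_alarm(line):
    """Parse one pipe-delimited feed line into a dict."""
    ts, rule, sev, host, user = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "rule": rule,
            "severity": sev, "host": host, "user": user}


def dedupe(alarms, window=timedelta(hours=1)):
    """Collapse repeats of the same rule/host/user that fall within `window`
    of the first occurrence, keeping a repeat count on the survivor."""
    kept, first_seen = [], {}
    for a in sorted(alarms, key=lambda x: x["ts"]):
        key = (a["rule"], a["host"], a["user"])
        prev = first_seen.get(key)
        if prev is not None and a["ts"] - prev["ts"] <= window:
            prev["count"] += 1          # same burst: fold it in
            continue
        survivor = dict(a, count=1)
        kept.append(survivor)
        first_seen[key] = survivor      # start a new burst for this key
    return kept


def score(alarm):
    """Risk = severity weight x asset criticality, plus a small bump for
    repetition (capped so a noisy rule cannot outrank a critical one)."""
    crit = ASSET_CRITICALITY.get(alarm["host"], 2)   # unknown host: middle weight
    return SEVERITY_WEIGHT[alarm["severity"]] * crit + min(alarm["count"], 5)


def triage(lines, capacity):
    """Return (queue, deferred): the `capacity` highest-scoring deduplicated
    alarms for analysts to work now, and everything else."""
    ranked = sorted(dedupe(parse_alarm(l) for l in lines), key=score, reverse=True)
    return ranked[:capacity], ranked[capacity:]


if __name__ == "__main__":
    queue, deferred = triage(SAMPLE_FEED, capacity=3)
    print(f"{len(SAMPLE_FEED)} raw alarms -> {len(queue) + len(deferred)} after dedup")
    for a in queue:
        print(f"WORK  score={score(a):2d} x{a['count']} {a['rule']} on {a['host']}")
    for a in deferred:
        print(f"DEFER score={score(a):2d} x{a['count']} {a['rule']} on {a['host']}")
```

On the constructed feed, eight raw alarms become six after the three-in-an-hour SSH burst is folded together, and with a capacity of three the new admin account on the domain controller and the large database export come out ahead of the brute-force noise. The point is not the particular weights, which any team would tune to its own asset register, but that a feed delivered "per SLA" still has to be cut down to what the receiving team can work, and that work is part of the service's real cost.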
The total cost of ownership
We decided to start a small research project on the Total Cost of Ownership (TCO) of SOC services. We questioned about 40 organizations, both customers and non-customers, interviewing people who were accountable for risk and/or budget owners. We asked whether they were aware of the overall total cost and whether it was taken into consideration during partner selection and contract management. The results were very clear: none of the interviewed professionals had a clear understanding of the total costs, and most had to admit that they had never considered it part of the procurement process… To me, this proved that security theater is a real thing.
On the one hand, I was happy we had found a blind spot in our ‘competitive advantage’, and to be honest, I think we were miles ahead. But on the other hand, it clearly showed that, as an industry, we need to step up to the plate.
“One, you can make people actually secure and hope they notice. Or two, you can make people just feel secure and hope they don't notice.” (Schneier, 2011, 07:09).
Bringing us right back to the start of this epistle: as humans, we tend to like the sense of control better than the actual reality of things. And unfortunately, that sells better than plain old honesty. We need to be brave, we need to get real, we need to focus on the real enemy, and we need to start evolving together!
Because why are we wasting time and energy creating battle cards to outdo competitors in the security space when we could be working together to build a global defense against nation-state actors and cybercriminals? But that discussion will follow another time.
It is time for us, the theater critics and the mavericks, to get off our seats and rise up to the stage…
Written by: Renza Gruter
Heiser, J. (2023). Stop Performing Cybersecurity Theater: It Is No Longer Scaling. Gartner. https://www.gartner.com/en/doc/779000-stop-performing-cybersecurity-theater
Schneier, B. (2011). The security mirage [Video]. TED Conferences. https://www.ted.com/talks/bruce_schneier_the_security_mirage