Signal: Security Theater vs Security Work

Security theater is when the appearance of protection becomes the product.

Security work is when risk actually drops.

They look similar from a distance. Up close, they behave very differently.

The tell: contact with reality

The fastest way to separate theater from work is to ask a blunt question:

What happens when reality shows up?

• A tired employee clicks a link.
• A password is reused.
• A laptop gets stolen.
• A vendor has an incident.
• Someone leaves the org and keeps access longer than they should.
• The system breaks on a day when nobody has time to be clever.

If your controls only work when everyone is careful, rested, and trained, they aren’t controls. They’re wishful thinking.

What theater optimizes for

Security theater is optimized for:

• the checkbox
• the audit screenshot
• the vendor pitch deck
• the exec update
• the “we did something” feeling
• the illusion of control

It loves glossy dashboards and big words. It avoids friction, because friction creates complaints, and complaints create meetings.

Theater also tends to over-invest in tools that look advanced while neglecting the basics that actually prevent most incidents.

What real work optimizes for

Security work is optimized for outcomes:

• reduced blast radius
• faster detection
• clearer triage
• smaller recovery cost
• fewer repeat incidents

Real work embraces boring controls because boring controls scale:

• MFA that’s actually enforced
• least privilege
• device baselines
• patching routines
• backups that are tested
• logs that exist and are retained
• incident runbooks people can follow without a seminar

It’s not glamorous. It’s survivable.

The “boring wins” inventory

If you want an unfair advantage, invest in the basics until they’re boring and reliable:

• Identity and access: MFA, strong recovery paths, reduced shared accounts
• Asset inventory: you can’t protect what you can’t enumerate
• Patch hygiene: the most common door is the unpatched one
• Backup and restore: tested restores, not theoretical ones
• Logging: receipts matter; retain what you’ll need later
• Training: not motivational posters — practical scenarios and repeatable rules

This is the stuff that still works when people are tired.

Why theater persists

Because theater is easier to sell.

You can buy theater. You can demo theater. You can show theater on slides.

Security work is earned over time and mostly looks like “nothing happened,” which is annoying for human brains that crave visible effort.

A simple test you can run

Take any security initiative and ask:

1. What failure does this prevent or reduce?
2. What’s the measurable outcome?
3. What’s the new behavior we’re enforcing?
4. What happens when someone ignores it?

If those answers are fuzzy, you’re buying costume design.

Bottom line

If it doesn’t survive contact with reality, it’s just costume design.

Security work is the boring stuff, done consistently, with clear ownership and receipts.

Everything else is theater.