Security Theater: Don’t Hang your Hat on Compliance

Apr 18, 2024
7 minutes

Security breaches can cost millions. Everyone answers to someone — whether it's a manager, director, CISO, CEO or the company board. They’re going to want to know how security teams are protecting their infrastructure.

Prologue: Intro to Security Theater

Security theater. What are you talking about?

Security theater is essentially the illusion of security. It often results from a misunderstanding of what’s required for effective cloud security. Organizations may prioritize actions that appear effective but fail to improve security. Theater prioritizes appearances over effectiveness, optics over substantive outcomes.

Is your organization doing work for a “show” that they are being secure? Or are they providing the best security for your organization?

In this blog series we’ll challenge the various ways organizations can fall into performing security theater. We’ll also turn your focus to best practices you should follow if you're serious about security.

Act 1, Scene 1: Compliance Standards and Security

We open our series with a hot topic, one of the most blatant examples of security theater — compliance.

Security compliance, to some extent, boils down to ticking boxes to show standards are met. Standards, of course, are necessary in many domains. But real security begins where meeting compliance requirements ends. Real security ensures that measures contribute to securing your organization.

Compliance standards, whether it’s PCI DSS, HIPAA or GDPR, are often seen as indicators of systemic failure, in that they arise from our inability to maintain basic security protocols. PCI, for instance, was introduced because our initial attempts to secure payment card data were lacking, prompting the establishment of a minimum framework to help prevent further failures.

Standards such as these provide guidelines that offer an easier option than navigating the complexities of emerging threats. For this result, many organizations focus on compliance. Not only is it easier to demonstrate, but it’s also tied to financial accountability. Prior to the 2018 introduction of GDPR, TalkTalk was fined £400,000 for their beach. Had the same incident happened after GDPR, it would cost 4% of their 2015 revenue, approximately £72 million. Organizations understandably prioritize compliance.

Evolving Compliance Standards

Compliance standards are often reactive, not proactive. Quite simply, they struggle to keep up with evolving threats. The nature of cybersecurity is that you often don't know what threats you've prevented. You only know about the ones that succeed. For this reason, compliance standards often address issues only after they've become apparent.

This reactive nature of compliance can lead to standards that quickly become outdated. The shift from PCI DSS 3.2.1 to 4.0, for example, followed the discovery of the Log4j vulnerability. Though the update didn’t directly address Log4j, this example emphasizes a more proactive approach to security. By requiring a stronger vulnerability management program and automated detection tools, PCI DSS 4.0 helps ensure organizations are prepared to identify and remediate future security threats like Log4j.

Act 1, Scene 2: The Limits of Compliance Regulations

Security is about staying ahead of threats, not just responding to them. Compliance can give a false sense of security if not paired with rigorous, proactive security measures. Organizations often make the mistake of treating compliance as the end goal rather than the minimum standard.

And that’s a critical distinction to consider. The goal of security isn’t merely to avoid regulatory penalties but to protect data and systems from breaches. With compliance as the end goal, you’re not necessarily stopping breaches.

Organizations should see compliance as an aspect of their security posture, not the whole picture. They need to build security strategies that go beyond compliance, integrating advanced security practices that adapt to the dynamic nature of cyberthreats.

Compliance Standards Don’t Equate to Achieving Security

It's a common misconception that compliance with standards guarantees security. Compliance alone is an unknown in the sea of unknowns when it comes to security. Without a comprehensive, risk-based approach, you can't truly know how secure you are. Compliance covers the basics, but it doesn't guarantee security against novel or sophisticated attacks.

Compliance should be viewed as the starting point — the minimum threshold from which to build more rigorous, dynamic security practices that address both known and unknown threats.

Act 1, Scene 3: The Remedy: Best Practices for Security and Compliance

CISOs that view security as an enabler would proactively get in front of the problem. Security should be ingrained in every aspect of the organization, from the top down. Creating a culture that values security and sees it as an enabler, rather than a blocker, is imperative to eradicating compliance security theater in your organization.

Build on Top of Compliance Baselines

Organizations should start with compliance and then integrate standards like NIST, which aren’t compliance-based but provide a framework for a comprehensive security strategy. This approach helps navigate the complex security landscape, particularly in areas like cloud-native environments.

Shift from a Compliance-First Approach to a Security-First Mindset

Culture is fundamental. A strong security culture promotes proactive security measures that transcend compliance. It requires buy-in from all levels, especially leadership, to foster a mindset that values security as a cornerstone of organizational integrity.

Continuous monitoring is essential. It helps verify that security practices are not only compliant but genuinely effective at mitigating risks.

Leadership must promote security initiatives by setting clear expectations and providing the necessary resources. They should encourage ongoing education and foster an environment where security is everyone’s responsibility.

Developing a security champions program breaks down silos that commonly exist between SecOps and DevOps. Collaboration fosters a culture of security awareness and shared responsibility across the organization, the lack of which can hinder effective cybersecurity practices.

Stop Relying on Checklists

Relying solely on checklists embodies what we’re calling security theater — the focus on visible versus effective measures. This approach often misses underlying vulnerabilities that aren't covered by compliance checklists and yet are critical to securing your organization.

Prioritize Security Outcomes over Mere Compliance

Tools and strategies should address security comprehensively, with compliance following as a byproduct of security. Automation plays a critical role here. It helps align compliance with security by ensuring consistent application of security policies and procedures, which enhances both compliance and security posture. Integration should also focus on scalability and adaptability, allowing security measures to evolve as new threats emerge and compliance requirements change.

Leverage DevSecOps

The DevSecOps approach addresses security problems immediately by integrating security into all stages of software delivery. Shifting security left ensures that code is being tested for problems as soon as it's written — before it is deployed. DevSecOps allows organizations to maintain and even accelerate their pace of deployment to the cloud because integrating security into the CI/CD pipeline reduces the possibility of security becoming a blocker at deployment.

Test the Effectiveness of Your Organizations Security

Security chaos engineering, penetration testing and red teaming are great ways to verify the effectiveness of security measures. Security chaos engineering is a proactive and innovative approach to identifying vulnerabilities in an organization's cybersecurity posture before attackers can exploit them. It can highlight early redundancies in security measures and the tolerance, response and normalization of systemic alert noise often present within a security tooling strategy.

A significant by-product of security chaos engineering is the encouragement of active cross-team collaboration. This approach necessitates coordination between security, operations, development and other teams to successfully plan, execute and learn.

Act 1, Scene 4: Closing Remarks

Security and compliance begin to converge as organizations shift from seeing compliance as a static checklist to a dynamic framework that supports comprehensive security strategies.

Future trends will likely involve more integrated approaches where compliance standards dynamically adapt to new security technologies and threats. As technology advances, so too will the tools and methodologies that enable organizations not only to meet regulatory requirements but also to genuinely protect against emerging threats.

Make no mistake — compliance standards are incredibly well intended and have done wonders to standardize security measures. But in a world of AI and evolving threats, don’t hang your hat on the bare minimum.

— End of Act 1 —

Interlude: What's Next?

If you’d like to learn more about how Prisma Cloud can ensure compliance and go beyond to protect applications from code to cloud, request a free trial.

And check back as we explore more Security Theater. Act 2, Scene 1, coming soon …


Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.