Security Theatre
Insights for leaders navigating a digital world.
Welcome to Leading Digital - a three minute read designed to help you ask better questions, make smarter tech decisions, and lead with confidence in today's digital environment.
Unless you've been living off the grid somewhere (in which case, how did you get here?!) you'll know that technology comes with its fair share of risks. Often, balancing the risk and opportunity of technology is what brings me in to work with an organisation and along the way I've found some pitfalls we can experience as leaders - one of the worst being something I call security theatre.
Security theatre usually stems from good intention. Leaders know they need to do something about technology risk, so we pull the fastest lever in front of us - paperwork. Whether written by ChatGPT, a team member or your MSP, a suite of security policies springs to life. These policies often tell us everything is under control - we're implementing best practices, following the Essential Eight guidance, and there's a laundry list of technical controls in place. There might even be a plan to roll them out, or the documents are forwarded to the team or MSP in charge of IT and assumed to be handled.
A document becomes security theatre when its primary purpose is to reduce anxiety, not risk. The truth comes out when you test the connection between policies, procedures, plans and what's actually happening in practice.
To effectively manage security risk, we need to start by understanding it. Without that step there's no way to ensure you're investing in the controls that will best protect your unique organisation. As leaders, our responsibility is to understand what level of risk is acceptable and make sure we're genuinely doing what we say we are.
I've included some questions here that will help you to know whether you've fallen into the security theatre trap. If you have, there are some tips below to get things back on track.
Leaders have been asking...
Asking great questions is a leadership skill you already have. Here are some questions you can ask to better understand the reality of security in your organisation.
For your leadership team: "What level of risk can we accept in how we use technology? Do we hold any data that - if breached - would be catastrophic for our organisation?"
For your IT team or MSP: "Are the security controls we have in place mapped to a risk assessment specific to our organisation? Once those risks are treated, are they within our tolerance?"
About your policies and procedures: "When was the last time we updated these, and are we actually following what they say in practice?"
If these questions are throwing up some red flags, it's time to go back to square one and make sure the foundations of your security program are solid. This is one of those jobs that is never 'done', so set a regular schedule to review (at least annually) even if it's looking good.
Take action!
Instead of a report, set a meeting with your IT lead or MSP and ask them to walk you through how security policies are implemented. They should be able to clearly explain how they're preventing unauthorised access, how they would know if an incident has happened, how incident response would work, and how the organisation would recover.
If you can't get a straight answer on those areas, or if they don't match what's written down, that's a good sign to dig deeper.
If this edition sparked a thought or raised a question, add a comment or send me a message here on LinkedIn. I'll be back in a fortnight with more on digital leadership.
Scarlett