How to Break the Security Theater Illusion
June 16, 2025 – Published on Dark Reading
While sitting in a board meeting for a healthcare service provider, veteran CISO John Rouffas was struck by a disconnect he said was impossible to ignore. The security update was familiar: Training metrics were high, patching was on schedule, and vendor relationships were in place. Board members walked away reassured about the provider’s security program.
They shouldn’t have.
The board heard about the 72% completion rate for the security awareness program, but not that employees were failing phishing simulations. The success rates had been stuck at 52% for the past two years. Patch reporting sounded thorough, but, in reality, critical Linux servers were not being patched due to internal friction and vendor misunderstandings.
“I was shocked to see the level of security theater in use to provide the board with a false sense of security,” Rouffas later wrote on LinkedIn.
Security theater’s consequences are well-documented: misaligned KPIs, overoptimized compliance frameworks, and organizational cultures that prioritize optics over meaningful risk reduction. Checklist-heavy security programs are a frequent culprit.
Gary Brickhouse, CISO at GuidePoint Security, agrees. A lack of strategic intent is often the biggest red flag, he says.
“If cybersecurity leadership can’t easily answer, ‘What risk are we mitigating with this action?’ you may be in theater territory,” Brickhouse adds.
Brickhouse says he has seen data loss prevention tools implemented and never tuned, phishing programs completed but not absorbed, and KPIs that are “essentially metrics without context.” He points to organizational culture as a key driver.
“There’s a big difference between being compliant and being secure,” Brickhouse says. “When compliance becomes the end goal, that’s when security theater thrives.”