Jun 20, 2025

Security Theater, Part 1: The Illusion of Protection in Cybersecurity


Imagine a straw house. Its walls are all made of straw. It has a front door made of straw, a back door made of straw, and windows all around that are framed in straw. Now imagine that someone tells you that they can completely secure this straw house by replacing just the front door with a solid door constructed of steel or titanium. Would you believe them? Would just replacing the front door secure the whole house?

Welcome to the world of security theater. It is a world where people install steel doors on straw houses, and then, believing the claims of the vendors of the steel doors, imagine that they have completely secured their houses.

Welcome also to the world of mainstream cybersecurity. From businesses and industries to academic institutions and government agencies, the cybersecurity world is rife with steel doors installed on straw houses — doors that are being marketed and regarded as comprehensive and complete security solutions. 

So why is security theater so widespread? Why are so many organizations dazzled by “steel doors on straw houses”: impressive to look at, yet imaginary as protection? In this article, we will explore how security theater took hold, why it persists, and the real risks it poses to critical infrastructure.

Why Is Security Theater So Prevalent?

Fear, Uncertainty, and Doubt (“FUD”) Sales and Marketing

FUD is, and has been for many years, a very reliable weapon in the sales arsenal of technology and security vendors. Typically, FUD is accompanied by a parade of platitudes and seemingly meaningful, but actually nonsensical, jargon: terms chosen less to inform the customer than to confuse them. For example, consider such au courant terms as:

  • Zero trust – Taken at face value, the phrase is close to an oxymoron. No system can operate without trusting at least some people, some keys and some code. What the term actually means in the architectural literature is narrower and sensible: no request is trusted merely because of where on the network it originates, and every access is authenticated and authorized on its own. The marketing version drops that precision and sells “zero trust” as a product one buys rather than a design discipline one practices. The mantra has become so prevalent that it has even been mandated for federal agencies by presidential executive order.
  • Artificial intelligence (AI) – AI is a very broad field and includes some very powerful technologies. It is not, however, very widely understood. Regardless, the term “AI” is today bandied about as if it were a mystical phrase, somewhat akin to a magical talisman that can be invoked to solve all of one’s problems. AI is being misapplied in countless ways across cybersecurity — yet vendors continue to market it as a cure-all solution.
  • Strong password policies – The proper use of strong passwords and strong passphrases can be a very effective cybersecurity tool, but one which is grossly misunderstood and misused. Consider policies requiring “upper case, lower case, numeric, and special” characters to be present in a password. This rule has been in vogue for more than twenty years, but it actually weakens security: it pushes users toward a handful of predictable patterns (a capitalized dictionary word, a digit, a trailing symbol) that cracking tools try first, and NIST SP 800-63B has advised against composition rules since 2017. Yet the cybersecurity industry continues to propagate this and other such policies under the guise of security.
  • Zero-day attack – This term has gained considerable traction, but it is used for several related yet distinct things: a vulnerability (a security bug) not yet known to the vendor and therefore unpatched, an exploit or attack that uses such a vulnerability, and, loosely, malware that no signature-based product yet recognizes. Either way, less jargon and more specificity of language would help remove the confusion.
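The point about composition rules is easiest to see with the weak check beside the better one. The following is an added example written for this article, not code from Crytica Security or from any standard. It contrasts the legacy “one of each character class” rule with the approach NIST SP 800-63B recommends (a length minimum plus rejection of known-breached and predictably mangled passwords). The minimum lengths, the tiny breached-password set, the substitution table and the sample passwords are constructed assumptions for illustration.

```python
"""Added example, not code from the original article or from Crytica Security.

Contrasts the composition rule ("upper, lower, numeric and special") with a
length minimum plus a breached/predictable-password check, the approach
NIST SP 800-63B has recommended since 2017. The minimum lengths, blocklist,
substitution table and sample passwords are constructed for illustration.
"""
import re

# Constructed stand-in for a breached-password corpus. A real deployment checks
# against a large corpus (for example via a k-anonymity lookup), not a set.
BREACHED = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1!", "welcome1!", "summer2024!",
}

# Substitutions users reach for to satisfy a "numeric/special" rule; reversing
# them lets the check see 'P@ssw0rd1!' as the base word 'password'.
UNLEET = str.maketrans("@$0314", "asoeia")
TRAILING_FILLER = re.compile(r"[0-9!@#$%^&*?._-]+$")


def composition_policy(pw: str, min_len: int = 8) -> bool:
    """The legacy rule: min_len characters and one of each character class."""
    return (
        len(pw) >= min_len
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalize(pw: str) -> str:
    """Strip the predictable mangling that composition rules encourage."""
    base = TRAILING_FILLER.sub("", pw.lower().strip())  # drop '1!', '2024!' ...
    return base.translate(UNLEET)                         # p@ssw0rd -> password


def length_and_blocklist_policy(pw: str, min_len: int = 15) -> bool:
    """Length first, then reject anything breached or a mangled breached word."""
    if len(pw) < min_len:
        return False
    return pw.lower() not in BREACHED and normalize(pw) not in BREACHED


# Constructed samples: the first three satisfy every composition rule and are
# exactly what a cracking wordlist tries first; the last satisfies none of them.
SAMPLES = [
    "P@ssw0rd1!",
    "Summer2024!",
    "P@ssw0rd123456789!",
    "purple tractor hums at midnight",
]


def compare(passwords):
    """Return {password: (composition_ok, length_blocklist_ok)} for a list."""
    return {p: (composition_policy(p), length_and_blocklist_policy(p))
            for p in passwords}


if __name__ == "__main__":
    for pw, (comp, better) in compare(SAMPLES).items():
        print(f"{pw!r:36} composition={comp!s:5} length+blocklist={better}")
```

Run it and the two policies disagree on every sample: the composition rule accepts the three mangled dictionary words and rejects the long passphrase, while the length-plus-blocklist check does the reverse. The `normalize` step is what catches `P@ssw0rd123456789!`, which is long enough to pass a naive length check but is still a breached base word with filler appended.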

The cybersecurity industry remains deeply wedded to its love affair with arcane jargon and technobabble. These are the trusted instruments of its FUD-driven sales playbook — tools so effective they’ve become the sine qua non of modern cybersecurity marketing. They don’t clarify; they mystify. They don’t empower; they confuse. And in that confusion, vendors establish the illusion of superior knowledge — a false facade of mastery that persuades customers to invest in steel doors for straw houses.

There is an old adage: “If you can’t dazzle them with brilliance, baffle them with BS.” The cybersecurity establishment has taken that to heart, and to the bank. Complexity becomes the disguise. Confusion becomes the tool. Complacency becomes the narcotic. And gaping security holes become the outcome. When vendors peddle security theater, they sell a comforting illusion that leaves our critical infrastructure wide open to myriad dangers.

Living in Denial in the Presence of a Clear and Present Danger

Security theater does not just materialize from thin air. It is rooted in a culture of fear and a culture of denial. When the danger is real, imminent, and possibly beyond one’s own ability to confront it, a natural response is denial. Combat soldiers, for instance, commonly operate under contradictory, and frequently coexisting, denial mindsets. These include:

  • “It is not going to happen to me. Others may be killed, but not me.”
  • “My destiny is predetermined. When it is my time, I will be killed, but not before.”
  • “I am going to be killed no matter what I do, so I might as well fight.”

All of these mindsets are, in a way, denials of the objective reality. No one is invincible. Not all soldiers are killed. A similar, but slightly different set of denials is rampant in the cyberworld:

  • “Others may be hit by cyber attacks, but we will not be.”
  • “The criminals are so sophisticated and their technology so complex that we can never understand the dangers. However, the tech and security vendors must know what they are doing, so we will accept everything they say.”

A Real World Example

Unfortunately, mass denial is the norm. Without a true leadership mandate, most people are reluctant to embrace changes on their own. Consider the example of the infamous NotPetya attack on the shipping giant Maersk. The attack cost Maersk an estimated $300 million. Maersk’s Chairman Jim Hagemann Snabe called it a “very significant wake-up call.”

Prior to the attack, many of Maersk’s systems were woefully outdated and some lacked even a modicum of real defense. A security overhaul had been green-lighted and budgeted before NotPetya struck, but it was never prioritized. Its success wasn’t tied to key performance indicators for Maersk’s senior IT executives. It didn’t affect their bonuses. So it was never carried forward.

Had those executives truly believed in the danger, had they not been entrenched in denial, it’s unlikely they would have let an approved, funded project languish so completely. But for them, the new directives were just another unwelcome item on an already overflowing to-do list.

It’s a familiar scenario — one that has unfolded repeatedly across Operational Technology systems over the years. Denial leads to disaster. Without a conscious awareness of the danger, and without the appropriate tools to confront the danger, the status quo stays the same.

“Standards” That Are Not

For many executives and organizations, conformity to industrial or governmental standards presents a far more attractive “solution” than confronting uncomfortable truths about vulnerabilities and increasingly sophisticated cyber threats. Rather than engage in critical thinking or question whether their systems are truly secure, they default to letter-of-the-law compliance. For them, adhering to standards is tantamount to achieving security. Unfortunately, it’s not.

Most of these standards are developed, promoted, and maintained by the same FUD-loving members of the cybersecurity establishment who profit from the illusions of security theater. As such, many standards function less as tools for true defense and more as enablers of the very theater they are meant to replace. Like much of the industry’s technobabble, they are crafted to confuse and dazzle rather than enlighten and protect.

Consider, for example, the MITRE ATT&CK® Framework. It is a knowledge base rather than a standard in the formal sense, and it provides a valuable reference for cataloguing known adversary tactics, techniques and procedures. But it also enables cybersecurity vendors to make bold and misleading marketing claims. Take this example:

“SentinelOne Continues to Set the Standard in MITRE ATT&CK® Evaluations | 100% Detection, Zero Delays and 88% Less Noise – December 11, 2024.”

At first glance, “100% Detection” seems astonishing, especially given how often real-world detection of even previously documented malware falls short. But the amazement fades quickly when you realize what’s actually being tested. As SentinelOne itself states:

“[The MITRE ATT&CK Evaluations replicate] the playbooks and tactics, techniques and procedures (TTPs) of well-known and prolific adversaries … [they are designed] to simulate these sophisticated yet common attack techniques.”

In other words, the evaluations test performance only against what’s already known: yesterday’s attacks, not tomorrow’s. The adversary to be emulated in each round is announced in advance, and each participating vendor configures and operates its own product for the exercise, so a perfect score says the product was tuned to recognize a published playbook, not that it will catch an attacker who has never read it. In military terms, these standards measure preparedness to fight the last war, not the next one.

Is that misleading? Absolutely. Today’s “standards” are built to serve the interests of the cybersecurity status quo — and they do so quite effectively. But in doing so, they offer a false sense of security. They fail to address novel, undocumented, or AI-generated threats. And they certainly don’t evaluate a system’s ability to defend against modern malware that evolves faster than any standard can.

As currently implemented, these standards are not benchmarks for protection. They are benchmarks for appearance — a mechanism for assuaging the consciences of FUD-befuddled executives while perpetuating the pernicious plague of security theater.

The Danger Behind the Curtain

Security theater is not just a misstep; it’s a systemic failure. It replaces clarity with complexity, substitutes confusion for trust, and allows organizations to feel secure without actually being secure. When flashy marketing overshadows real protection, the result is a house built of straw with a titanium door: impressive at first glance, but utterly ineffective when the real threats arrive.

This illusion thrives because it is comfortable. It gives decision-makers a checklist to follow, a product to install, a box to check. But in environments where the stakes are high, comfort is the enemy of safety. The longer organizations rely on these theatrical defenses, the longer their most vital systems remain exposed.

In Part 2, we will leave the stage and step into the real world — where security theater takes shape in critical infrastructure, where traditional IT tools fall short, and where the illusion of protection becomes an operational liability.

Tired of steel doors on straw houses? Reach out to our team to learn how Crytica Security approaches cybersecurity in critical infrastructure.