
What is ‘security theater’ and how can we move beyond it?

Too many companies are caught up in security theatrics, overlooking the real cause.

Conventional wisdom assumes that the more vulnerabilities a security tool flags, the easier it will be for a company to secure its infrastructure. In theory, layering more tools into a tech stack should equal more effective attack surface monitoring, right? Well, reality isn’t quite panning out like that. 

If anything, tool sprawl has created an illusion of security, drowning security teams in the performative theatrics of squashing countless alerts — most of them false positives. Observability solutions are getting more innovative, flagging more and more threats, but when you can’t tell which threat is more dangerous, any perceived security is just that: perceived.    

Think back to the large-scale breaches of 2024: Ticketmaster and the wider wave of Snowflake customer account compromises, Transport for London, and National Public Data (2.9 billion people's personal information exposed). The number of data breach victims surpassed 1 billion, a 409% increase from the year before. Notification spam hasn't materially reduced the impact of these attacks; in fact, most security practitioners call many alerts "useless." So many alerts, and yet the attack surface still widened almost 80% in the past two years.

Another common fallacy is to believe that because an organization has invested in a cybersecurity solution, it can consider itself secure. But is the tool actually used? This is particularly common in engineering, where an access management solution procured by IT or security is simply ignored by engineers because of real or perceived inconvenience and a belief that such measures will inhibit productivity. Tellingly, only 23% of IT professionals say they have visibility into their team's tool usage.


Alert fatigue and shadow access are just two examples of “security theater.” The broader problem is that most organizations are being swept up in security theatrics instead of adopting meaningful security measures.

Treat the cause, not the symptom 

When you see your doctor, you trust they will treat your illness, not just your symptoms. Otherwise, you'd be back in the waiting room as soon as the momentary relief wore off. Security theater is the doctor who only treats symptoms: it does little to address the underlying causes of vulnerabilities.

The notification-fatigue era is that bad doctor, consuming inordinate amounts of security teams' time on actioning alerts. It's dire enough that 73% of security professionals have failed to act on high-priority alerts because of time constraints. Given those constraints, which alerts do you prioritize? With thousands of them, the one real threat to your defenses is a needle in a haystack.

No matter how good observability tools become at spotting threats, observability for its own sake will never be a winning strategy.


Even more dangerous are shadow access paths that become unmonitored backdoors into critical systems. These paths arise when employees, particularly engineers, bypass official access management tools in favor of home-grown solutions like personal proxies, jump hosts, or bastion servers. These alternatives are typically implemented for convenience or to avoid perceived productivity blockers but lack the stringent controls, monitoring, and updates that IT-sanctioned systems provide. These paths often go unnoticed until a breach happens — at which point it is too late to remediate the issue. 
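As an added example (not from the original article, and not Teleport's own code), here is a small check a team could run over sshd authentication logs to surface shadow access paths: successful logins to production hosts that did not arrive through the sanctioned bastion network, or that used password authentication instead of keys. The log lines, host names and the 10.0.1.0/24 bastion range are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample sshd log lines (not from any real system).
SAMPLE_AUTH_LOG = """\
Jan 12 10:01:22 prod-db-1 sshd[2231]: Accepted publickey for alice from 10.0.1.10 port 51022 ssh2: ED25519 SHA256:AbCdEf
Jan 12 10:03:40 prod-db-1 sshd[2290]: Accepted publickey for bob from 10.0.1.10 port 51130 ssh2: ED25519 SHA256:GhIjKl
Jan 12 10:07:05 prod-api-2 sshd[4410]: Accepted publickey for carol from 10.0.5.17 port 40012 ssh2: RSA SHA256:MnOpQr
Jan 12 10:09:51 prod-api-2 sshd[4455]: Accepted password for dave from 203.0.113.8 port 33044 ssh2
Jan 12 10:11:12 prod-db-1 sshd[2301]: Failed password for root from 203.0.113.8 port 33050 ssh2
"""

# Assumption for this example: the IT-sanctioned bastions live in this range.
# Any successful SSH login to a production host from elsewhere is a shadow path.
SANCTIONED_BASTIONS = [ipaddress.ip_network("10.0.1.0/24")]

# Matches only successful logins; failed attempts are noise for this purpose.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\w+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport"
)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    src: str
    method: str
    reason: str


def is_sanctioned(src: str) -> bool:
    """True only when the source address falls inside a sanctioned bastion range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage never count as sanctioned
    return any(addr in net for net in SANCTIONED_BASTIONS)


def find_shadow_access(log_text: str) -> list:
    """Return one Finding per successful login that bypassed the sanctioned path."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, method = m["src"], m["method"]
        reasons = []
        if not is_sanctioned(src):
            reasons.append(f"source {src} is not a sanctioned bastion")
        if method != "publickey":
            reasons.append(f"authentication method '{method}' is not allowed")
        if reasons:
            findings.append(Finding(m["host"], m["user"], src, method, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_shadow_access(SAMPLE_AUTH_LOG):
        print(f"{f.host}: {f.user} from {f.src} ({f.method}) -> {f.reason}")
```

In the sample, alice and bob come through the bastion with keys and are ignored; carol's login from an unsanctioned address and dave's password login from a public address are both flagged. In practice the same logic runs over the sshd logs shipped to your log pipeline, and the bastion list comes from inventory rather than a hard-coded constant.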

That’s why we need to shift security teams’ attention toward the threat vectors causing the most hurt. 

Target human error for security that’s not just performative

It starts with reducing the attack surface, and to do that, security teams have to target human error, which remains the leading factor in breaches to this day.

For perspective, of the 600 million identity attacks Microsoft logged in fiscal year 2024, 99% were password-based. That's a telling picture of how effective credential theft has become, whether by password spraying, credential stuffing, or phishing, and phishing no longer stops at passwords: browser session cookies, API keys, and more are harvested the same way. Why does this keep working? Attackers know it is far cheaper and easier to trick a human than to build a complex malware attack that exploits a software vulnerability. Add generative AI-powered social engineering to the mix and those attacks will likely become more frequent, and easier, too.


If security teams want to make a difference, they can't just play "spot the software vulnerability." Exploited software vulnerabilities still account for only a fraction of breaches. Nor does countering social engineering mean meticulously monitoring alerts about suspicious human behavior. The smarter move is to make infrastructure resilient to human error in the first place. There are ways to do this, such as binding every employee identity to real-world attributes: the user's biometrics, the device's hardware identity (a key held in a secure element or TPM), and a PIN. The iPhone is the familiar model, with Face ID or Touch ID plus a passcode anchored in the Secure Enclave. Not because it cannot be hacked, but because a stolen password is no longer enough: the attacker also needs the device and the person holding it.

The most lethal security problems are often the most easily avoided. This should be obvious after a former Disney employee tampered with allergen information on restaurant menus because their access was never revoked when they left. It should be obvious after repeat breaches of the Internet Archive because exposed access tokens weren't rotated. No one should have persistent network access through standing privileges. The default should be conditional access: grant entry only when a request meets the right conditions. What's the user's role? Where are they connecting from? Which resource are they trying to access, and at what time? That way, even if an identity is compromised, the harm is limited, because its reach was limited to begin with.
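Added example, not code from the article or from Teleport: a deny-by-default policy evaluator that answers the four questions above (role, location, resource, time) and, when they all hold, issues a grant that expires on its own instead of a standing privilege. It also illustrates the point made later about eliminating static credentials: the grant handle is random and short-lived, and there is nothing to rotate or revoke once it lapses. The roles, networks, hours, TTLs and timestamps in POLICY and the constants are invented for illustration.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


# Constructed policy for illustration: who may reach what, from where, and when.
# Nothing here is standing access; a matching request yields a grant that
# expires on its own.
@dataclass(frozen=True)
class Rule:
    role: str
    resource: str
    allowed_networks: tuple   # CIDR strings
    hours_utc: tuple          # (start, end): start inclusive, end exclusive
    ttl: timedelta = timedelta(minutes=30)


POLICY = (
    Rule("sre", "prod-db", ("10.0.0.0/8",), (0, 24)),  # on-call: any hour, corp network only
    Rule("developer", "staging-db", ("10.0.0.0/8", "192.168.0.0/16"), (8, 18)),
    Rule("contractor", "staging-api", ("192.168.50.0/24",), (9, 17), timedelta(minutes=15)),
)


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    source_ip: str
    when: datetime            # timezone-aware


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires_at: datetime
    handle: str               # opaque, random, short-lived; not a static credential


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    grant: Optional[Grant] = None


def _in_networks(ip: str, networks: tuple) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def evaluate(req: Request, policy=POLICY) -> Decision:
    """Deny by default; a grant is issued only when every condition of some rule holds."""
    reasons = []
    for rule in policy:
        if rule.role != req.role or rule.resource != req.resource:
            continue
        if not _in_networks(req.source_ip, rule.allowed_networks):
            reasons.append(f"source {req.source_ip} is outside {rule.allowed_networks}")
            continue
        start, end = rule.hours_utc
        hour = req.when.astimezone(timezone.utc).hour
        if not (start <= hour < end):
            reasons.append(f"hour {hour:02d} UTC is outside {start:02d}-{end:02d}")
            continue
        grant = Grant(req.user, req.resource, req.when + rule.ttl, secrets.token_urlsafe(16))
        return Decision(True, "all conditions met", grant)
    return Decision(False, "; ".join(reasons) or f"no rule for role '{req.role}' on '{req.resource}'")


def is_valid(grant: Grant, now: datetime) -> bool:
    """Nothing to revoke later: once the grant expires, the access is gone."""
    return now < grant.expires_at


# Constructed timestamps so the scenarios below are reproducible.
NOON_UTC = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
NIGHT_UTC = datetime(2024, 6, 1, 3, 0, tzinfo=timezone.utc)


def minutes_after(when: datetime, minutes: int) -> datetime:
    return when + timedelta(minutes=minutes)


if __name__ == "__main__":
    ok = evaluate(Request("alice", "developer", "staging-db", "10.1.2.3", NOON_UTC))
    print(ok.allowed, ok.reason, ok.grant.expires_at.isoformat())
    # The same identity, if compromised, still cannot reach prod-db: no rule exists.
    print(evaluate(Request("alice", "developer", "prod-db", "10.1.2.3", NOON_UTC)))
    print(evaluate(Request("alice", "developer", "staging-db", "203.0.113.9", NOON_UTC)))
    print(evaluate(Request("alice", "developer", "staging-db", "10.1.2.3", NIGHT_UTC)))
```

The blast-radius argument is visible in the denials: a phished developer credential used at night, from outside the corporate network, or against a resource the role was never granted yields nothing, and a grant that was issued stops working 30 minutes later without anyone having to notice the compromise first.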

Moving beyond performative security 

It’s time to leave behind the theatrics. We already hear enough about burnout levels in cybersecurity. An overwhelming number of alerts flagged by complex security solutions without context won’t change that. 

Eliminating static credentials and standing privileges is ultimately about more than securing infrastructure. Shrinking both the scale and the duration of any compromise also takes real pressure off engineering teams. So, the next time you're looking at a "notifications" count in the thousands, remember: that number is never as important as you think.


Ev Kontsevoy is the CEO of Teleport, an identity & access management software company.
