Loading ...BlogInfoSec.com Sponsors
BlogInfoSec.com Partners
-
Recent Comments
- Bouch on Who’s In Charge Here? The Problem of Information Security Governance
- SecurityExec on Who’s In Charge Here? The Problem of Information Security Governance
- dustin on Patent No. 7,124,197: ARP Poisoning Hack!
- Rob on Agility and Risk Compensation: Exploring the Connection
- Navin on Why Information Security Professionals Should Learn Texas Hold ‘em Poker
Tags
agility algorithms application security assessment awareness Awareness / Education awareness instruction awareness training bloginfosec Annoucements Books on InfoSec breach incidents Budgeting for Security business continunity CIA triad CISO CISO savvy CISO skills COBIT Coding Securely / SDLC compliance Conferences / Events / Meetups contingency plans counterfeit counterfeit equipment data breaches data breach notification laws data classification digital signature disaster recovery education Encryption end-point security equipment Exploit Code / Malware facebook fake FBI featured FFIEC Forensics / Incidents FUD FUD Theater GLBA governance government Gramm-Leach-Bliley hackers hash HIPAA honeynet honeypot identity management identity theft IDM incident Industry Commentary Information security Interviews ISACA Jobs in Information Security Johnny Long KPMG law leadership Legal & Regulatory Issues malicious insider malware metrics nation states network News Commentary No Tech Hacking OWASP Patching PCI Penetration Testing perimeter Phishing Policies and Procedures Privacy Privacy Rights Clearinghouse Reverse Engineering risk Risk Analysis risk management ROI ROSI SB 1386 Security security awareness Security Breaches self-awareness Social Engineering soft skills Solutions / Workarounds SPAM spotlight successful behaviors Tools training Uncategorized Virtual Trust Viruses / Worms vulnerability assessment Vulnerability Commentary Vulnerability Disclosure Wireless Wireless Client Wireless Discussion Wireless Security Wireless Vulnerability Discussion
Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
BlogInfoSec.com Sponsors
BlogInfoSec.com Partners
“Security Theater” is now “Theater of the Absurd”?
The New York Times recently ran a piece on airport security in which airport security is described as the “theater of the absurd.” It’s funny to watch certain terms and concepts play themselves out from a small community (infosec) to the larger pop culture. A few comments below the piece mention “security theater” but the term is not used in the larger article. It makes me wonder if “security theater”, “theater of the absurd” or simply “theater” will win as the dominate popular term for security measures taken that do not correct the root issue.
I happen to have strong feelings about the term “security theater.”
Personally I’m against the term “security theater.” Red tape makes changing the infrastructure at the root cause difficult. That’s the unfortunate reality. The intermediate steps are usually band-aids — especially when an immediate response is necessary — while the larger issue is being addressed at its core. These band-aids — temporary solutions — are what are usually designated as “security theater.” They do have a positive value: they comfort the end user for that situation. Temporary solutions should not replace long-term solutions that fix the root issue.
Time is the key factor between when something is a valid “security theater” and when it’s not. “Security Theater” should be shouted when the temporary measures become the permanent measures and the root cause has not been addressed. It should not be shouted when a band-aid solution is used as a response to an immediate problem. This leaves the possibility of an architectural design error. Bad design is not “theater”; it’s not pretending to correct an issue and skirting the root cause. Bad design is simply that: bad design. And, there may be many reason why such architectural design errors happen.
I was very happy when Schneier wrote In Praise of Security Theater: