Most Security Tools Are Theater

This entry is part 4 of 14 in the series Technology

TL;DR

Most security tools are theater. I sat through endless vendor pitches for products with huge dashboards full of blinking widgets that looked impressive and did almost nothing. Security is genuinely hard because the attack surface is enormous: phones, laptops, servers, cloud, even charging cables. You cannot protect all of it. So you protect the most likely vectors, lock down the normal stuff, and pass every standard you can. The flashy tool is not the answer. The boring discipline is.

Walk a trade show floor and you will see security sold as a light show. Giant screens, glowing maps of the world with attacks streaking across them in red arcs, dashboards covered in widgets and gauges and live-updating numbers. It looks like the future. It looks like command and control. Most of it does nothing.

I ran technology and security for a national retailer for two decades, and I sat through more vendor pitches than I can count. Now I ghostwrite books for security leaders. I can tell you that the gap between what security tools promise and what they deliver is enormous, and the flashier the demo, the wider the gap usually is.

The flashier the security dashboard, the less it usually does. Real protection is boring. Theater has better graphics.

The vendor circus

The number of vendors trying to sell us tools was not funny. Most of the tools did not work. They were overly complicated, with huge interfaces and lots of doodads that looked really cool and did not actually do anything useful. The screen was the product. Underneath the dashboard there was very little.

You learn to see the pattern after enough pitches. The demo is gorgeous. The salesperson is polished. The slide deck has the logos of impressive companies who supposedly use it. And when you ask the specific question, what exactly does this do when an attacker tries X, the answer gets vague. It correlates threat intelligence. It provides visibility. It leverages machine learning. Those are not answers. Those are words that sound like answers, and the more of them you hear, the less the tool actually does. The good tools, the few of them, can tell you plainly what they protect and how. The theater hides behind the dashboard.

This is security theater. Spending money on something that produces the feeling of safety without the substance. A company buys the impressive tool, puts the glowing dashboard on a wall, and everyone feels protected. Meanwhile the actual work, the patching and the access reviews and the backups, still is not getting done, because that work is boring and nobody sells a light show for it. I cover that work in the boring security work that actually keeps you safe, and it is the exact opposite of theater: invisible, unglamorous, and the thing that actually protects you.

Why security is genuinely hard

Here is the thing the theater hides. Security is legitimately difficult, because the attack surface is enormous and getting bigger every year.

The attack surface is every single thing an attacker could possibly target. Think about everything you have to protect now. Servers. Desktops. Laptops. Phones. The Internet of Things, every smart device on the network, every sensor and camera and thermostat that someone connected without telling you. And the cloud, which everybody forgets, because they assume it is automatically secure. It is not. Your data sitting in someone else’s data center is still your problem to protect. The cloud provider secures the building and the hardware. What you put inside it, and who you let reach it, is still entirely on you.

The surface goes further than most people imagine. It turns out attackers can build a charging cable that is secretly a tiny computer. They leave it at an airport or a conference, you plug in your phone to get some power, and you have just handed them a way in through the power socket. The threat can hide in a cable that looks exactly like the one in your bag. That is how wide the surface has become, and it is why the idea of protecting all of it is a fantasy.

The cloud isn’t automatically secure. Your data in someone else’s data center is still your problem. People forget that constantly.

You cannot protect all of it

Once you accept how large the surface is, the honest conclusion follows. You cannot protect everything. It is not possible. Anyone selling you a tool that claims to cover it all is selling theater, because the surface is effectively infinite and growing, and no product covers infinity.

So you do the realistic thing. You figure out the most likely vectors and you protect those well. You lock down the normal stuff, the servers and the endpoints and the access. You watch the places attacks actually come from, which, as I describe in what actually gets attacked first, are mostly social engineering and the insider, not the exotic charging cable. And you accept that some far edge of the surface will always be exposed, because chasing all of it is a fantasy that drains your budget and your attention while leaving the likely vectors underprotected. The company that spends a fortune defending against the airport cable while its people click phishing links has its priorities exactly backwards.

Pass every standard you can

The last piece of real discipline is this. Pass whatever standards apply to you, and pass the ones that do not apply too, whenever you reasonably can. Not because the certificate makes you safe (it does not), but because the work of meeting a good standard forces you to do the boring things right.

A real standard makes you patch, log, control access, and test. It drags you through the unglamorous checklist that you would otherwise skip, and it does so on a schedule, with someone checking. The discipline is the value, not the badge. A company that genuinely meets a serious standard has done the unglamorous work, which is worth far more than the most expensive dashboard ever sold. That said, passing the standard is a floor and not a finish line, a distinction I get into in what eight PCI audits taught me about real security versus checkbox security. The standard makes you do the work. Staying secure means doing it every day after the auditor leaves.

When I work with a security leader on their book, separating the theater from the substance is often the heart of it. The market is loud with vendors and noise. The person who has actually defended an organization knows what mattered and what was a light show, and that judgment is exactly what a book can preserve.

Frequently Asked Questions

What is security theater?

Spending money on security that produces the feeling of safety without the substance. An impressive tool with a glowing dashboard goes on the wall, everyone feels protected, and the real work, patching, access reviews, backups, still does not get done. The screen is the product, and underneath it there is very little.

How can you tell a security tool is theater?

Ask exactly what it does when an attacker tries a specific thing. A real tool answers plainly. Theater retreats into vague phrases, it correlates threat intelligence, it provides visibility, it leverages machine learning. The more of those word-clouds you hear instead of a straight answer, the less the tool actually does.

Why can’t you just buy a tool that secures everything?

Because the attack surface is effectively infinite and growing. Servers, laptops, phones, IoT devices, the cloud, even malicious charging cables. No single tool covers all of it, and anyone claiming theirs does is selling theater. The realistic approach is to protect the most likely vectors well and accept that some far edge will always be exposed.

Is the cloud automatically secure?

No. People assume it is, which is exactly the problem. The cloud provider secures the building and the hardware, but what you put inside it and who you let reach it is entirely your responsibility. Your data in someone else’s data center is still your problem to protect.

If certifications don’t make you secure, why pursue them?

Because the work of meeting a good standard forces you to do the boring things right, patching, logging, access control, testing, on a schedule with someone checking. The discipline is the value, not the badge. But passing is a floor, not a finish line. Staying secure means doing the work every day after the auditor leaves.

Do you ghostwrite books on cybersecurity?

Yes. I ghostwrite for CISOs, security founders, and technical executives who can separate real protection from the vendor light show. That judgment, earned by actually defending an organization, is what makes a security book worth reading. You can see how I work on the cybersecurity ghostwriting page.


📝 Disclaimer

The views and opinions expressed in this blog post are solely those of Richard Lowe and are based on personal experience and research. This content is for informational purposes only and should not be construed as professional legal, financial, accounting, or business advice. Always consult with qualified professionals before making important business or legal decisions. Richard Lowe is not a lawyer, accountant, or licensed professional advisor, and this content does not establish any professional relationship.