The Three Theatres: Why security objectives fail before they start

Posted by Fergus on Sunday, December 28, 2025 • 5 min read
Cover Photo by Patrick Perkins on Unsplash

Defining security-related objectives can be hard, but they can prove to be a valuable tool in signalling both strategic intent and an understanding of a team’s role in delivering it. But what about those objectives that ultimately signal little more than organisational dysfunction?

The Three Theatres

From past experience, I’ve noticed three recurring patterns: each a form of performance that substitutes the illusion of activity for real impact, creating an impression of progress that isn’t quite real. I refer to them as the “Three Theatres”, and I expect they’ll be familiar to the majority of those working in and around information security.

Security Theatre & Objectives without Threats

The term “Security Theatre” is widely understood to describe situations where actions are disconnected from actual threats. This is especially apparent when objectives and measures are defined without an understanding of the threat landscape that an organisation operates within, and - perhaps uncomfortably - the concerns that its clients and partners have.

Some key drivers behind Security Theatre include an over-reliance on generic frameworks, industry trends, or dubious vendors, but the root cause is always a lack of prior research. At best this leads to “busy work” that exists only to be seen to do something; at worst it diverts resources away from addressing the real risks an organisation is vulnerable to.

The correction is simple though: ground your objectives in evidence. Consider security incident statistics for organisations of a similar size or operating within the same sector. Seek out threat intelligence relevant to actors known to target similar organisations. Decipher what your clients’ and partners’ actual concerns are when they perform due diligence.

Most organisations wouldn’t invest R&D time in a potential product without considering market fit, nor would a competent engineering department embark on a new project without documenting any requirements… so why do so many security functions operate like this?

Performance Theatre & Objectives without Capacity

I use the term “Performance Theatre” to encompass situations where objectives are isolated from the operational reality that reactive, “business-as-usual” (BAU) work must continue for an organisation to operate. Progress cannot happen in a vacuum, and without separate resources available for existing and reactive work, objectives will need to be scoped tightly to the realistic capacity that is available. Security teams are notoriously under-resourced, and as a result, most organisations do not have the luxury of spare capacity!

This failure mode occurs when objectives are set without an understanding of existing demands that are placed upon a team. Ambitious plans look good during planning sessions, and will undoubtedly receive a warm welcome at board meetings, but they’re prone to collapse the moment an incident lands, audit preparation is required, or a particularly in-depth questionnaire from a client arrives.

A good analogy for this comes from the world of policing, where there’s a clear need to make use of limited resources to balance the acts of prevention and response, but also an understanding that the activities required for these two priorities are vastly different - and the required context switching would be an implausible expectation to place upon the officers involved. Emergencies are usually handled by dedicated response teams, whilst prevention and engagement work often comes under the remit of dedicated community safety teams.

Whilst most organisations go through periods of operating at a capacity-deficit, the obvious corrective action to prevent this jeopardising security objectives is to have an honest understanding of the baseline demands imposed on the security team. Consider measures such as delivery capacity (the percentage of time available once baseline demands are met), and acknowledge that reactive and proactive security are separate functions - if they can’t be resourced separately then there may need to be explicit trade-offs rather than pretending both will somehow get done.

If Security Theatre poses the risk that a dangerous threat may go unmitigated due to a misplaced priority, then Performance Theatre poses the risk of staff churn and wellbeing issues… both result in undelivered commitments though.

Compliance Theatre & Objectives without Authority

Finally, we come to the last pitfall - “Compliance Theatre”, where legitimate objectives are often defined without the identification or involvement of those truly responsible for their execution. A large amount of security work should be consultative, advisory, and supportive (at least, if Performance Theatre isn’t in play!). The ultimate role of the security function should be providing the tools, guidance, and training which enables the organisation to operate in a secure manner… they’re rarely best-placed to force adoption though.

This trap is often particularly contentious too, as the objectives are usually both reasonable and measurable, and - as the name suggests - often arise from legitimate compliance requirements. After all, it’s very difficult to dispute the value of something as innocuous as ensuring all staff complete mandatory training. However, when that objective is assigned to the security function - rather than, say, HR or line management - it conflates influence with authority, and completely omits the involvement of those directly able to drive the outcome.

To underline this point, consider a standard Information Security Management System (ISMS) (i.e. as defined by the requirements of ISO27001) and the range of stakeholders who are required to provide input: there’s an explicit understanding that security operations extend across the organisation, and that responsibilities are shared across numerous roles and departments.

The corrective action is, as should be obvious, the identification of individuals who truly are best positioned to achieve the stated outcome - not just with influence, but also with authority. In some cases this will mean objectives have multiple owners - one responsible for implementation and guidance, and one for outward compliance. Usually this action is best served by including the objectives within your ISMS - i.e. as per ISO27001 clause 6.2 - where relevant parties from across the organisation will likely already be represented.

A Common Cure

Whilst these three failures all present in different ways, they do all share a common antidote: treat security initiatives (and their resulting objectives) as you would any other project. Understand the relevant threats, understand the available capacity, and understand where authority is held.

Anything less is just theatre.