Cybersecurity theater: Being secure vs. being sold security

David Zey Gerry Pitt

December 29, 2025

Part two of our business discernment series for leaders making technology decisions focuses on discernment in a crowded market.

Business leaders today operate in markets saturated with technology solutions that promise confidence, control and protection.

Few areas reflect this saturation more clearly than cybersecurity.

The language is sophisticated, the tools are impressive and the consequences of getting it wrong are well understood.

Yet despite significant investment, many organizations discover too late that they misunderstood what they were actually buying.

This article is not an argument against cybersecurity tools, monitoring platforms or managed services.

Those are essential components of modern operations.

Instead, it is an examination of how cybersecurity is presented in the market and how business owners can distinguish between value-driven security and security that is primarily performative.

Cybersecurity theater exists because it satisfies visible needs.

It reassures boards, supports compliance and simplifies risk into dashboards and reports.

But discernment requires looking beyond presentation to understand what happens when circumstances change.

Security is not ultimately tested in planning meetings – it is tested in the aftermath.

Appearance: What cybersecurity theater looks, sounds, feels like

Rather than describing cybersecurity theater directly, it is often easier to recognize it through experience.

A familiar setting – a boardroom or leadership meeting.

Screens display dashboards filled with alerts, trend lines and risk scores.

Threats are counted, incidents are categorized and the visuals suggest constant vigilance.

Certifications are cited, vendor logos are recognizable and a roadmap shows steady improvement over time.

Everything appears orderly, contained and controlled.

The organization looks secure because security is being shown.

The language is polished and confident:

• “We monitor 24/7”
• “Thousands of threats blocked”
• “AI-driven detection”
• “Industry best practices”
• “Compliance aligned”

Questions about risk are answered with features.

Questions on responsibility are answered with scope.

Breaches are discussed abstractly, often as events that happen elsewhere or to less prepared organizations.

Leadership is asked to approve, renew and trust.

For many business owners, there is an initial sense of relief.

The complexity appears managed, the risk feels distant and the system seems capable.

For more discerning leaders, there is often a more subtle sensation.

Not alarm, but incompleteness.

A sense that while much is being presented, less is being explained.

Especially the parts that would matter if the situation deteriorated.

That feeling is easy to ignore.

The presentation is convincing, and most organizations have not yet experienced the alternative.

Discernment for owners: Questions that cut through the theater

Nontechnical business owners don’t need technical expertise to evaluate cybersecurity – they need clarity.

These questions expose whether a provider is showing activity or delivering true readiness:

Operational readiness

• If we were hit with ransomware tonight, who would make the first five decisions?
• How fast could we restore our most critical systems, and when was that last tested?

Ownership and responsibility

• Who owns recovery, not just monitoring?
• Where does the provider’s scope end, and who takes over after that point?

Insurance and legal alignment

• If cyber insurance requires a forensic hold, who helps us balance that with the need to continue operations?
• Who coordinates between insurance, legal and operations during an incident?

Business continuity

• What parts of our environment cannot be rebuilt quickly?
• Do we have a clean standby environment, or is recovery dependent on the compromised system?

These questions shift the conversation away from dashboards and reports, and toward the real-world outcomes owners care about: continuity, recovery and accountability.

What is the risk: When facts collide and decisions must be made

The risk of cybersecurity theater does not fully reveal itself until multiple, reasonable constraints collide at once.

A breach is detected, alerts fire, monitoring works as designed and reports arrive quickly and with confidence.

Cyber insurance is notified, and their guidance is clear – the affected production environment should be quarantined until a forensic investigation can be completed.

Preserving evidence protects coverage and limits legal exposure.

The timeline is measured in weeks.

At the same time, the general manager and owner are facing a different reality.

The production line is down, orders are delayed, customers are waiting and employees are idle. 

The business impact is being measured in hours and days.

Waiting weeks is not operationally viable.

Infrastructure reports introduce another constraint.

The request for additional backup and restore capacity was deferred during last summer’s budgeting cycle.

There is not enough capacity to set up a clean production environment while the original system is quarantined.

That option exists only in theory, not in practice.

Each position is rational and supported by facts – none are wrong.

This is where cybersecurity theater becomes dangerous.

Dashboards do not resolve tradeoffs.

Monitoring tools do not reconcile insurance requirements with operational survival.

Contracts do not decide which loss is acceptable.

Information accumulates rapidly, advisors speak with confidence, risks are articulated and recommendations are made.

But the system itself does not decide – leadership must.

The real risk is not the breach alone.

It is discovering, under pressure, that the organization was never prepared for this convergence of truths.

Decisions must be made without rehearsed paths, clear ownership or aligned expectations. 

Every option carries cost.

Every delay compounds another risk.

This capability is not built during an incident.

It either exists beforehand or is improvised afterward.

Why cybersecurity theater happens even when everyone means well

Most cybersecurity theater isn’t intentional.

It emerges because several reasonable dynamics collide:

Tools are easier to demonstrate than capabilities

Dashboards show activity, not preparedness.

It’s far simpler to display blocked threats than to explain recovery dependencies.

Scopes are narrow by design

Monitoring agreements, helpdesk agreements, infrastructure support and insurance requirements all operate in separate lanes.

Each group sees a slice of risk, not the whole picture.

Budgets create gaps

Critical resilience investments like backup capacity, redundant systems and clean failover environments are often deferred because they don’t feel urgent… until they are.

Assumptions fill the space between vendors

Internal teams assume the MSP handles recovery, while the MSP assumes insurance will take the lead.
Insurance assumes operations can withstand downtime.
No one is wrong, but no one owns the entire aftermath.

Understanding these structural forces can help business owners avoid treating security as a product to buy and instead treat it as a capability that must be rehearsed, coordinated and shared across the organization.

What is better: Knowing which actors remain when the scene shifts

In Shakespeare’s tragedies, the turning point is rarely subtle.

The audience watches as messengers arrive in the forum.

Advisers speak with conviction – each voice carries authority within its domain.

The tension does not come from a lack of information, but from its abundance.

Competing truths demand a single decision.

A value-driven cybersecurity posture anticipates this moment.

It recognizes that when an incident occurs, the organization has moved from performance to consequence.

The lighting changes, the applause stops, the cast thins.

What matters then is not who spoke most confidently before the incident, but who remains when conditions become constrained and uncomfortable.

When cyber insurance recommends quarantining the environment, that voice enters the forum with legitimate authority.

In a healthier model, this actor does not deliver guidance and exit – they remain to help interpret flexibility, tradeoffs and downstream implications.

When the general manager insists production must resume quickly, that urgency is not dismissed as reckless – it is treated as another truth spoken into the forum.

The business must continue to function.

When infrastructure limitations surface, they are not introduced defensively – they are understood as part of the organization’s prior narrative.

The audience recognizes that today’s constraints were written into the script long before the incident occurred.

In cybersecurity theater, many actors deliver their lines and leave.

Monitoring hands off to infrastructure; infrastructure hands off to insurance; insurance hands off to legal; and leadership is left, like the Senate after Caesar’s fall, to reconcile incompatible advice while the city still needs to function.

In a value-driven approach, the actors stay.

They remain present as consequences unfold, help leadership weigh which truths must yield and which cannot, and acknowledge that no option is clean and that the decision will disappoint someone.

This is where the difference becomes tangible.

The situation is still tense, the outcome is still uncertain – but there is continuity.

There is coordination, and the organization is not discovering roles in real time.

For business owners, trust is not optional – it is the foundation of delegation and scale.

But, discernment asks a harder question than whether advisors are competent or well intentioned.

In Shakespeare, Caesar’s final realization is not that danger exists – it is that the voices closest to him are not the ones who remain to carry the consequences forward.

“Et tu, Brute” is not an accusation, so much as a recognition of misplaced reliance.

In cybersecurity, this moment arrives quietly.

It is the realization that responsibility often ends at detection.

That escalation is out of scope, recovery belongs to someone else and the organization is now alone in the forum.

The caution for owners is not to distrust those they rely on – it is to understand, before an incident, whether trust extends into the aftermath.

Are you ready for the aftermath?

A breach doesn’t test your technology – it tests your coordination.

Business owners can gauge their readiness quickly by answering the following:

Crisis leadership

• Do you know who is authorized to shut systems down?
• Do leaders understand their roles during an incident?

Insurance integration

• Do you know when you’re required to notify cyber insurance?
• Do you understand how long forensic holds might delay recovery?

Operational continuity

• What is the maximum downtime your business can survive per system?
• Which systems must be rebuilt first to keep the company functioning?

Technical preparedness

• Have you ever practiced restoring from a clean environment and not just a backup?
• Do you have the infrastructure to rebuild production while the original environment is quarantined?

If these answers aren’t clear today, they will become unavoidably clear during a crisis when the cost of uncertainty is highest.

Discernment that changes outcomes

Cybersecurity theater thrives in environments where security is evaluated by appearance rather than endurance.

Discernment allows business owners to look past performance and ask better questions.

• Who remains when systems fail?
• Who coordinates when constraints collide?
• Who owns outcomes rather than tools?

Security is not proven in presentations – is proven in the aftermath.

The most valuable actors are rarely the loudest ones on stage.

They are the ones who remain when the lights go out, when facts accumulate and when imperfect decisions must still be made.

The question is not whether your cybersecurity strategy looks convincing in the light – it is whether anyone stays beside you in the dark.