In 2026, phrases like “We take security seriously” or “Your security is important to us” have become the ultimate red flags.
When companies lead with these lines in their PR, it often signals the opposite: Security Theater 🎭
As a global digital trust and corporate governance professional, I see this daily. Theater is easy; resilience is hard. Theater is about “checking a box” for a board mandate, audit finding, or customer requirement; resilience is about an internal ethos that guides every business decision.
How do you spot the actors? Here are 6 signs of a “Theatrical” security posture:
- Non-Existent or Weak “Tone at the Top”: The attitude and commitment of the Board and C-suite dictates the security culture that governs every employee’s daily actions. When the tone at the top is weak, the security program in most every case fails.
- Compliance as a Destination: Treating a SOC 2 or ISO certification as the finish line rather than the baseline. Attackers don’t care if you passed an audit; they care about your unpatched edge devices and unsecured cloud assets.
- “Shadow IT” Amnesia: Bragging about a new “AI Policy” while employees are quietly feeding sensitive intellectual property into unmanaged non-enterprise LLMs, leveraging third-party code with no security gates or approvals, and using unapproved plugins or add-ons in browsers / IDEs / issue-tracking platforms that are vastly insecure.
- The “Culture” Conundrum: Forcing employees through 10 minutes of outdated, boring video slides once a year and calling it a “Security Culture.” Real culture is when people believe in security and live it each day in their actions and decisions. This also goes for the businesses whose “developer culture” requires security leadership to be ‘flexible’ and to ignore heinous security practices by software developers.
- MFA Mirage: Having Multi-Factor Authentication (MFA) enabled, but allowing so many “exceptions” for executives or legacy systems that the front door is essentially unlocked.
- Asset and Configuration Management: No accurate inventories exist for hardware / software / data assets, the majority of enterprise devices aren’t running unified endpoint management (UEM) or endpoint protection, cloud assets and their configuration status are unknown, an embarassingly low number of critical assets have logging enabled, and hardening templates don’t exist across virtual servers / microservices / network devices.
Digital Trust isn’t a marketing slogan. It is a measurable KPI. In 2026, the market must shift to rewarding candor and specificity over “vague invulnerability.”
The companies that thrive won’t be the ones that never get hit – they’ll be the ones that had the integrity to build real defenses before the curtain went up.
Stop the performance. Start the protection.
Niel Harper 