The Dangers of Relying on Security Theater

In 2026, phrases like “We take security seriously” or “Your security is important to us” have become the ultimate red flags.

When companies lead with these lines in their PR, it often signals the opposite: Security Theater 🎭

As a global digital trust and corporate governance professional, I see this daily. Theater is easy; resilience is hard. Theater is about “checking a box” for a board mandate, audit finding, or customer requirement; resilience is about an internal ethos that guides every business decision.

How do you spot the actors? Here are 6 signs of a “Theatrical” security posture:

  • Non-Existent or Weak “Tone at the Top”: The attitude and commitment of the Board and C-suite dictate the security culture that governs every employee’s daily actions. When the tone at the top is weak, the security program fails in almost every case.
  • Compliance as a Destination: Treating a SOC 2 or ISO certification as the finish line rather than the baseline. Attackers don’t care if you passed an audit; they care about your unpatched edge devices and unsecured cloud assets.
  • “Shadow IT” Amnesia: Bragging about a new “AI Policy” while employees are quietly feeding sensitive intellectual property into unmanaged, non-enterprise LLMs, pulling in third-party code with no security gates or approvals, and installing unapproved plugins or add-ons in browsers, IDEs and issue-tracking platforms that are deeply insecure.
  • The “Culture” Conundrum: Forcing employees through 10 minutes of outdated, boring video slides once a year and calling it a “Security Culture.” Real culture is when people believe in security and live it each day in their actions and decisions. The same applies to businesses whose “developer culture” requires security leadership to be “flexible” and to ignore heinous security practices by software developers.
  • MFA Mirage: Having Multi-Factor Authentication (MFA) enabled, but allowing so many “exceptions” for executives or legacy systems that the front door is essentially unlocked.
  • No Asset or Configuration Management: No accurate inventories exist for hardware, software or data assets; the majority of enterprise devices aren’t running unified endpoint management (UEM) or endpoint protection; cloud assets and their configuration status are unknown; an embarrassingly low number of critical assets have logging enabled; and hardening templates don’t exist for virtual servers, microservices or network devices.
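The last two signs are the easiest to turn from rhetoric into numbers, which is what separates a reported KPI from a reassuring slogan. The following is an added example, not code from the original post: it scores a constructed, hypothetical identity and asset inventory (the account names, asset names and all field values are made up) and reports effective MFA coverage after policy exceptions are subtracted, the privileged accounts that fall through the gap, and logging, UEM and hardening coverage. The flagging thresholds are assumptions chosen for illustration; the shape of the records mirrors what an IdP or CMDB export would typically carry, but no real product export is assumed.

```python
"""Measure two 'security theater' signs against an inventory.

All data below is constructed for the example. Thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    mfa_enrolled: bool    # user has a second factor registered
    mfa_exception: bool   # a policy exception bypasses the MFA requirement


@dataclass(frozen=True)
class Asset:
    name: str
    critical: bool
    managed: bool          # enrolled in UEM / running endpoint protection
    logging_enabled: bool  # ships security-relevant logs to the SIEM
    hardened: bool         # built from an approved hardening template


# Constructed sample inventory (not real users or systems).
ACCOUNTS = [
    Account("ceo", True, True, True),          # enrolled, but exempted anyway
    Account("cfo", True, False, True),
    Account("legacy_svc", True, False, True),  # "legacy system" exception
    Account("dev1", False, True, False),
    Account("dev2", False, True, False),
    Account("ops1", True, True, False),
    Account("hr1", False, True, False),
    Account("sales1", False, True, True),
]

ASSETS = [
    Asset("db-prod-01", True, True, True, True),
    Asset("db-prod-02", True, True, False, True),
    Asset("vpn-edge-01", True, False, False, False),  # the unpatched edge box
    Asset("k8s-api", True, True, True, False),
    Asset("laptop-001", False, True, True, True),
    Asset("laptop-002", False, False, False, False),
    Asset("laptop-003", False, True, False, False),
    Asset("wiki-int", False, False, True, False),
]


def pct(hits, total):
    """Percentage with one decimal; 0.0 for an empty population."""
    return round(100.0 * hits / total, 1) if total else 0.0


def mfa_enrollment(accounts):
    """The number a slide deck shows: accounts with a second factor registered."""
    return pct(sum(a.mfa_enrolled for a in accounts), len(accounts))


def effective_mfa_coverage(accounts):
    """The number that matters: enrolled AND no exception bypasses the check."""
    enforced = sum(a.mfa_enrolled and not a.mfa_exception for a in accounts)
    return pct(enforced, len(accounts))


def privileged_mfa_gaps(accounts):
    """Privileged accounts that can log in without a working second factor."""
    return sorted(a.name for a in accounts
                  if a.privileged and (a.mfa_exception or not a.mfa_enrolled))


def coverage(assets, attr, only_critical=False):
    """Share of assets (optionally critical ones only) with a boolean control set."""
    pool = [x for x in assets if x.critical] if only_critical else list(assets)
    return pct(sum(getattr(x, attr) for x in pool), len(pool))


def theater_report(accounts, assets):
    return {
        "mfa_enrolled_pct": mfa_enrollment(accounts),
        "mfa_enforced_pct": effective_mfa_coverage(accounts),
        "privileged_mfa_gaps": privileged_mfa_gaps(accounts),
        "critical_logging_pct": coverage(assets, "logging_enabled", True),
        "managed_pct": coverage(assets, "managed"),
        "hardened_pct": coverage(assets, "hardened"),
    }


def flagged_signs(report):
    """Assumed thresholds: any privileged MFA gap, or a >10-point drop between
    enrolled and enforced MFA, is an 'MFA Mirage'; anything short of full
    logging on critical assets or 90% UEM/hardening coverage is a config gap."""
    signs = []
    if report["privileged_mfa_gaps"] or \
            report["mfa_enrolled_pct"] - report["mfa_enforced_pct"] > 10:
        signs.append("MFA Mirage")
    if report["critical_logging_pct"] < 100 or report["managed_pct"] < 90 \
            or report["hardened_pct"] < 90:
        signs.append("No Asset or Configuration Management")
    return signs


if __name__ == "__main__":
    rep = theater_report(ACCOUNTS, ASSETS)
    for k, v in rep.items():
        print(f"{k:>22}: {v}")
    print("flagged:", flagged_signs(rep))
```

The point of the split between `mfa_enrollment` and `effective_mfa_coverage` is that the first is what usually gets reported upward, while the second is what an attacker experiences; on the constructed data the gap is 75% versus 50%, and three of the four privileged accounts are in it. Replace the two lists with a real IdP and CMDB export and the same functions become the KPI the board should be asking for.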

Digital Trust isn’t a marketing slogan. It is a measurable KPI. In 2026, the market must shift to rewarding candor and specificity over “vague invulnerability.”

The companies that thrive won’t be the ones that never get hit – they’ll be the ones that had the integrity to build real defenses before the curtain went up.

Stop the performance. Start the protection.

How the ISACA Board and Executive Management Address Cyber Risk

“Notes from the Boardroom” is a series of blog posts from ISACA board directors providing transparency, context and perspective on how the ISACA board is carrying out its governance responsibilities.

“Cyber risk is a major risk facing virtually all organizations, including ISACA, and the ISACA Board of Directors and executive management, particularly, acknowledge their fiduciary duty to govern cyber risks effectively. ISACA leadership realizes that our management of the broader portfolio of risks, including cyber, demonstrates to our members, customers, staff and partners that digital trust is not only a commitment that we promote commercially, but it’s also an internal ethos that guides our business.”

Check out my recent blog which discusses the various ways in which we – the Board of Directors and executive management – address cyber risk and corporate governance within ISACA.

The Lacework Modern CISO Network: Board Book

“When boards fail to adequately oversee a growing risk with potentially catastrophic consequences, it’s a serious issue.

Yet, the problem remains — and often goes undetected.

Cybersecurity-related discussions in boardrooms sometimes seem to offer great promise; but in reality, they are unproductive sessions that lead to unfulfilled hopes. On the flip side, sometimes important issues are raised and directors do not sufficiently comprehend the matter under discussion. When board members do have technical knowledge, but are unfamiliar with both cybersecurity at the strategic level and the process of security oversight, boards seem to make other time-sucking errors that can create dangerous failures of oversight.

Finding board members who can successfully blend cybersecurity know-how with business acumen is not an easy task. According to the IANS Research report, just 14% of Russell 3000 CISOs have at least four out of the five ideal board candidate traits.

It is this challenge that this publication seeks to reconcile.”

The Modern CISO Network: Board Book offers boards a directory of experienced experts ready to advise and guide businesses as they navigate the complex world of cybersecurity. By arming companies with a diverse directory of CISOs and other cybersecurity leaders with relevant expertise both in terms of cybersecurity and business acumen, the board book will hopefully make it easier for companies to improve their resilience against modern-day threats.

Transitioning from a techie to a business leader is one of the most valuable steps that a CIO or CISO can take, and it provides immense value both to the individual in their professional journey and to the organization in addressing pervasive business risks.

I am happy to be featured in the Board Book alongside some of the most outstanding board-ready CISOs in the world. I tip my hat to each and every one of them!

Featured Article in Seguridad y Sociedad Journal

Super humbled to be featured in the August edition of the ‘Seguridad y Sociedad’ journal from the Institute for Strategic Studies and Public Policies (IEEPP), a Latin American think tank.

The IEEPP Seguridad y Sociedad Journal, Year 7, Issue 15 is available here.

My writings can be found on pages 29-33.