While sitting in a board meeting for a healthcare service provider, veteran CISO John Rouffas was struck by a disconnect he said was impossible to ignore. The security update was familiar: Training metrics were high, patching was on schedule, and vendor relationships were in place. Board members walked away reassured about the provider's security program.

They shouldn't have.

The board heard about the 72% completion rate for the security awareness program but not that employees were failing phishing simulations. The success rates had been stuck at 52% for the past two years. Patch reporting sounded thorough, but, in reality, critical Linux servers were not being patched due to internal friction and vendor misunderstandings.

"I was shocked to see the level of security theater in use to provide the board with a false sense of security," Rouffas later wrote on LinkedIn.

The fact that the security awareness program had a 72% completion rate "sounds like a good number, but it doesn't mean anything," Rouffas noted. "What was reported to the board was a false message that all was fine. Security theater is not just an IT problem. ... It is a governance failure."

Read the Full Article on Dark Reading

• Preparing for the Autonomous Era in ITOps

  Tuesday, December 9, 2025 at 1 PM EST

• Your Enterprise Cyber Risk Assessment

  Thurs, Nov. 6, 2025 at 1pm EST

• IT Automation in 2026: It Isn't ALL About AI (Just Mostly)

  Oct 23rd, 2025 from 11am - 5pm ET | A Sponsored Virtual Event | Doors Open at 10:30am ET

• Uncovering and Thwarting a Coordinated Identity-Based Attack at Enterprise Scale

• Top Airline Identity Challenges in 2025

• Modernizing MFA Enrollment for Stronger Security

• The Architecture of Trust

• Just-in-Time Step-Ups: Balancing Security and User Experience at Authentication