Tech 101 // Security Theatre
Tech 101 takes complex technical terms or topics and explains them in everyday, easy-to-understand terms.
One of my favorite scenes in any movie across all time, this is probably going to surprise a few people, is from The Wizard of Oz. And I’m not talking about just Wicked, I’m talking about the OG, the original Wizard of Oz. And what I love so much is after Dorothy and the Tin Man and Toto and the Scarecrow and the Lion have finally reached the Wizard.
They’ve completed this long journey and they go before the Wizard. They meet this powerful and this scary and this frightening Wizard, only to find out that it’s just a man. That behind the curtain, behind the charade, it is just a man.
And we actually do something very similar in a lot of our own lives when it comes to security. And today’s tech topic is security theater. Security theater is the idea that we want to create an appearance of security.
We want it to feel like we have gone those extra steps, those extra miles. And it’s not necessarily saying that we’re being deceptive with it. Now yes, The Wizard of Oz was being deceptive, but in some cases it’s because we may not understand something, or it’s because we may not necessarily be at the level yet to implement something we want or we need.
But creating that false sense of security or that false security blanket, if you will, is the definition of security theater. And we see this very heavily in our industry because we have such heavy compliance already. So things with the FTC safeguards rule, the Gramm-Leach-Bliley Act, SEC regulations, and so much more.
We tend to focus on what we need to check off of a list and less on what actual security needs to be put in place. Yes, I need to check these items off my list, but in a lot of cases there’s more that we could be doing. Just checking an item does not necessarily mean it has been implemented, let alone implemented correctly.
So we allow security theater to take root and grow in our world. But where does this ultimately come from? Again, we have a lot of policies. And with those policies, let’s be honest here for a moment, we sit there and say, what is the real chance of getting caught? Or what is the real chance that something is going to happen? And I do kind of chuckle at this one because I feel like we get frustrated with our clients for saying the same thing.
The number of times I’ve heard a client say, well, what’s the chance of me even getting audited because they have so few resources? And that frustrates me. But then we turn around and we want to say the same thing with the FTC safeguards rule and say, well, what is the real chance that this will ever get caught or that I’ll get fined? And again, that creates that false sense that, well, maybe we don’t need to do it. But beyond that, we work with a lot of vendors and the vendors don’t always have our best interests in mind.
They need to sell a product, and in many cases they will wordsmith or give you marketing content rather than the actual in-depth, detailed understanding that you need of how their product operates. In some cases, they are actually being deceptive. In others, they’re just trying to sell and they don’t necessarily understand.
But working with vendors without performing due diligence is another form of security theater. Another one, and this one is very near and dear to me, is the lack of education. There’s a lot of free one-hour cybersecurity education out there.
And I’ve been through some. Some aren’t terrible. Some are actually really, really concerning.
Because if we’re being completely honest, one free, extremely high-level course a year that really just reiterates the same four or five topics really is not ingraining the sense of security or understanding that we need. So we really do need to focus on getting better security education as well. We can then look at things such as, are we pushing out multi-factor authentication appropriately? The big push lately has been to push it out to text or to email, and the majority of security providers have stated that text and email are no longer secure methods for multi-factor authentication.
We should be looking at newer means such as pushing passkeys and actual physical security keys. So continuing an older style is an ongoing form of security theater, as it allows us to feel, or feign, that we are maintaining those high security standards. But as we continue to go through some of the things that really allow this to persist, if we’re being honest, compliance in a lot of cases is just easier to measure than risk.
We can sit there and say, it’s going to take this to be compliant, but it’s hard to say what the risk is and what the real protective measure is. Sometimes it’s just a visibility matter. There’s a lot that needs to go on. And in many cases, our focus is on a tax return or a planning engagement or running payroll reports, and sometimes that visibility just isn’t there.
And if we’re being completely honest, this is the one that I hear a lot, and I feel it too: real, effective security is inconvenient. We have to add these new measures. It now takes an extra step to do something, and I feel that as well.
I’ve measured, and in some cases it’s taken an additional hour out of my day managing and implementing security in every single thing I do. It is extremely inconvenient, but if we state that we’re doing something and we’re not, again, that is security theater. So it really comes down to, are we trying to continue the charade like the Wizard of Oz? Are we trying to create this idea that we have security when in fact we’re just trying to hold things together on the back end? And I’m not trying to call anyone out.
I’m not trying to make anyone feel ineffective or down. I’m just trying to be transparent and honest that security theater is a real growing concern. And as compliance grows and as technology and risks continue to grow and expand, the concern over security theater continues to grow as well.
So this is actually one of the reasons why I started Financial Guardians is because there’s so much happening. My goal and my passion is really just to try to educate and partner and help people move from that theater to a real life, hardcore, maybe not hardcore, a real life implementation that is effective, easy to manage, and will protect their client data. So I hope I didn’t scare you too much on this one.
This one was a tough one for me because I really wanted to talk about it, but I also appreciate that it is a very sensitive topic because it’s about decisions we’ve made. So thank you so much for joining. And as always, if you have any questions, please feel free to ask.
Have a great day, everyone.
If you do not fully understand an issue or if you need assistance working through a resolution, the team here at Financial Guardians is available for Individual Support Calls to assist with any individual or specific matters.
Financial Guardians has partnered with NAEA to provide access to our monthly Guardian Tier membership at a 30% discount.
Active NAEA members can access the online discount here.
Financial Guardians is a proud member of InCite, the recently launched online community exclusively for tax professionals, bookkeepers, and accountants. InCite members receive a 30% discount.
Join today at www.incite.tax.
Financial Guardians has partnered with the California Society of Tax Consultants to provide a 30% access discount as well as many other offers. More info can be found at www.cstcsociety.org