
I took this photo recently while visiting a medical office, and it stuck with me.
At first glance, everything looked fine. There was a secure container mounted high on the wall—clearly purpose-built to protect something sensitive. It was solid, out of easy reach, and had a lock installed.
But then I noticed something important.
The lock was there… and the keys were left right in it.
That’s the moment this went from “looks secure” to “isn’t actually secure at all.” And it immediately got me thinking about how often I see this exact same pattern play out in IT and cybersecurity.
The Illusion of Security
On the surface, the container checked all the right boxes:
- ✅ Locked
- ✅ Mounted out of easy reach
- ✅ Clearly labeled and purpose-built
But when the keys are left in the lock, the control completely breaks down. Anyone who can reach it doesn’t need to defeat the lock—they can just use it.
This is what false confidence looks like.
And it’s one of the most dangerous forms of risk.
Because once people believe something is secure, they stop questioning it.
When Security Exists, But the Controls Don’t
Many organizations can honestly say, “We have security in place.”
And they’re not wrong.
- Firewalls? ✅
- Antivirus or endpoint protection? ✅
- MFA? ✅
- Backups? ✅
- Policies? ✅
Just like that container on the wall, the tools are there. The intent is good. Someone clearly thought about security and took action.
But much like the lock with the key left in it, the real question isn’t whether security exists—it’s whether the controls behind it are meaningful.
Because this is what I see every day:
- MFA is enabled… but bypassed for convenience
- Alerts are generated… but no one reviews them
- Backups run… but restores are never tested
- Permissions are restricted… except for “temporary” access that never gets removed
- Policies exist… but enforcement is optional
That’s the digital equivalent of installing a lock—and leaving the keys hanging there for anyone to use.
Checkbox Security Creates Risk, Not Safety
This is what I call checkbox security.
It satisfies audits.
It looks good on paper.
It helps people sleep at night.
But it doesn’t actually reduce risk.
Just like the container in the photo, an organization can confidently say:
“We secured it.”
When the reality is:
“We secured it… incorrectly.”
And incorrect security can be worse than no security at all, because it creates a false sense of protection. When something finally goes wrong, the damage is often greater because no one expected it to.
Tools Are Not Controls
Buying security tools is easy.
Controls are harder.
Controls require discipline, ownership, and consistency. They answer the uncomfortable questions:
- Who truly needs access?
- How is that access reviewed and revoked?
- Who is responsible for monitoring alerts?
- What happens when something fails?
- How often are assumptions tested?
Without clear answers to those questions, security becomes performative instead of protective.
Why This Matters Even More in Healthcare
The fact that this example came from a medical office made it even more impactful.
Healthcare environments deal with:
- Highly sensitive personal data
- Regulatory and compliance requirements
- A deep expectation of trust
In environments like this, the difference between “secured” and “properly secured” isn’t just technical—it’s operational, legal, and reputational.
Physical security and IT security reflect the same mindset. A casual approach to controls in one area often shows up in others.
Good intentions don’t stop breaches.
Execution does.
A Simple Reminder
This photo isn’t about calling anyone out. The intent was clearly good. Someone thought about security and took action.
But good intentions don’t replace good controls.
Security isn’t about adding locks.
It’s about making sure the keys are managed correctly.
If a small, everyday example like this can spark a pause and a second look, imagine what a deeper review of your IT and security controls might uncover.
Because the biggest risks aren’t always the obvious ones—they’re the ones hiding behind security that only looks effective.