Security Theater: Why Companies Spend Millions and Stay Vulnerable
MAR 18, 2026 | 22 MIN
Description
Many organizations assume they’re under-secured — but Grant McCracken argues the opposite: most companies are overspending on the wrong things. In this episode, Grant explains how “security theater” drives waste across the cybersecurity industry, where teams focus on compliance checkboxes instead of real protection. He also breaks down why traditional penetration testing remains slow, expensive, and inefficient, often involving layers of consultants and inflated costs. Grant shares how automation and platform-based approaches can dramatically reduce cost and speed up vulnerability discovery, while making proactive security more accessible to organizations that typically can’t afford it. The conversation explores how legacy security practices persist simply because “that’s the way it’s always been done” — and why leaders should rethink how they approach proactive defense.
Key points:
Many organizations engage in “security theater,” performing compliance activities that appear secure but don’t necessarily improve real security outcomes.
Compliance frameworks like SOC 2 or PCI DSS can help — but only when implemented in the spirit they were intended, not as a checkbox exercise.
Proactive security practices that identify vulnerabilities before attackers exploit them can offer some of the highest ROI in cybersecurity.
Traditional penetration testing often relies on consultancy models that are slow, expensive, and involve multiple people touching a single engagement.
Automation and platform-based penetration testing can reduce setup time, simplify the process, and lower costs by removing service layers.
Who this is for:
CTOs and engineering leaders responsible for security spending
CISOs evaluating penetration testing and proactive security strategies
Technology executives trying to reduce security waste while improving protection
Take the firefighter CTO diagnostic at firefightercto.com and find out what's really breaking your engineering organization.