The Performance No One Sees


Robert Duvall died recently. He made 90 films. You can stream them tonight — The Godfather, Apocalypse Now, Tender Mercies. His career is measurable, visible, permanent. He leaves a filmography.

I have spent 30 years in a different kind of performance, and I leave something else entirely: the absence of publicity. It sounds like nothing. It is, in fact, everything.

The best performance I ever gave was the one no one saw.

Not Film. Live Performance.

The comparison to acting is tempting but imprecise if you reach for Hollywood. Duvall could reshoot a scene until it worked. An editor shaped the final cut. A director called cut when something went wrong. The audience saw only what survived that process.

What I have done is closer to live theater. There are scripts — incident response plans, response procedures, change control procedures. There are dress rehearsals — tabletop exercises, red team engagements, the breach simulation at 2am, the regulator walkthrough, the board presentation where every answer gets pressure-tested. Hopefully everyone knows their role when things go sideways.

But when the curtain goes up, there is no second take. A board presentation during an active breach is live. A vendor failure at 3am on a Friday is live. A regulator’s surprise question in the middle of an audit is live. You perform with what you have, in the moment you are given, in front of an audience that is not there to be entertained.

And the goal — the entire point — is that the performance is viewed and accepted as appropriate.

Success Is Structural Silence

A perfect security operation means the audience never knows there was a show. The threat actor who probed the perimeter and found nothing does not write a review. The regulator who completed the audit and closed the finding leaves in silence. The board meeting where security is a single green slide — that is the extended run. That is the silent “standing ovation”.

The press is not Variety. My name in the press is not a review. It is a score, and it is always zero out of five stars. Zero mentions means the work held. Zero headlines means the architecture did what it was built to do. Zero incidents means 30 years of rehearsal was sufficient.

This is a strange thing to build a career around. Most professions accumulate visible artifacts — the buildings an architect designed, the cases an attorney won, the products an engineer shipped. Security accumulates something harder to point to: the negative space where the disaster was not allowed to exist. When security is done right, absolutely nothing notable happens.

I built a theater where disasters came to rehearse and were quietly turned away at the door.

The Show That Almost Opened

Every security professional carries a private list. It is never published. It barely exists in writing. But it is there.

The breach caught at the perimeter at 2am on a Tuesday. The vendor that nearly shipped compromised firmware into a production environment. The employee who nearly clicked on something that would have changed everything. The flawed configuration that sat exposed for eleven minutes before an automated control caught it and closed it without anyone senior ever knowing it happened.

These are the scenes that never made the final cut. They exist in incident logs, in postmortems written and then filed away, in the quiet professional satisfaction of a team that learned something without ever being publicly tested. No one applauded. No one even knew. That is not failure. That is the entire point of the rehearsal.

NASA Mission Control operates on the same principle. The Federal Reserve does not want headlines. Elections security — which I worked on in California in 2006 — succeeds when the results are certified and nobody questions the infrastructure. In every high-stakes live performance environment, excellence looks like nothing happened.

The Show That Did Open — And What It Reveals

And then there is the other story. Because it does not always hold.

Some CISOs who were good, prepared, diligent — watched it happen anyway. Because the adversary got creative, or the budget was cut two years before the breach, or the warning was raised and dismissed two levels up the chain, or simply because the odds finally ran out. These are not simple stories of failure. They are the price of performing live, without a net, against an adversary who is actively trying to make you fail and only needs to succeed once.

Two CISOs can have nearly identical careers — similar preparation, similar teams, similar organizational commitment to security — and land in completely different places based on a single event neither person fully controlled. One retires with a handshake (I am not retiring). The other becomes a case study in a SANS course, a footnote in a Senate hearing, a name attached to a company’s before-and-after.

The question is not whether the disaster defines the career. The question is what the career reveals about the person when the disaster arrives.

Preparation, culture, architecture, response — these are what a career actually builds. The breach is not the verdict. It is the test. And the people who built well, who prepared their teams, who made the hard arguments for investment and accountability — they perform under that pressure differently than those who did not. It shows. Even when it hurts.

Legacy Without an IMDB

Duvall leaves 90 films. I leave systems and processes and institutional muscle memory that will outlast the name attached to them. If the work held, no one will know why. The next CISO will inherit an architecture with good bones and perhaps not know the full story of what it survived. That is fine. That is actually the ideal outcome.

The board that slept soundly because the controls held — they never knew they were sleeping soundly. The investor who closed the M&A transaction because due diligence turned up clean — they never thanked the security team for what was not in the data room. The company that processed another year of transactions without incident — they moved on to the next priority without pausing to consider the negative space that made it possible.

That is not ingratitude. That is how it is supposed to work. Visibility in security means something went wrong. The absence of visibility is the product.

He was brilliant at being seen. I spent a career being brilliant at being invisible. Both are performances. 

What the Curtain Call Looks Like

Mine will not be at a podium or on a stage. It will be a transition plan. A final audit. A handoff call where I walk someone through the architecture and the history and the things that almost happened that they should know about. A quiet conversation where the institutional knowledge passes and the name attached to it fades.

Robert Duvall wanted you to remember his name. That was the job. That was the measure of success. He was magnificent at it.

I have spent my career making sure no one would ever need to remember my name in the context of failure — and making sure the context of success would never generate a headline either. The performance was live. The rehearsals were real. The show never opened.

That is the whole career. That is the whole point. And it is enough.

Phil Bandy is Chief Information Security Officer at ShareVault, with 30+ years of experience spanning NASA Mission Control, Federal Reserve transaction security systems, and California elections security.
