by CiPHPerCoder
746 days ago
> Doing things that outwardly appear to improve security but have de minimis or less effect on actual security.

Right. And that's exactly the situation the article describes. The accusation of "security theater" was only levied when IT departments reached for the "full disk encryption" potion to mitigate the ailment of "attacker has active, online access to our database via SQL injection", when that's not at all what it's designed to prevent. They can insist that they're "encrypting their database", but does it actually matter for the threats they're worried about? No. Thus, security theater. The same is true of insecure client-side encryption.