The bulk of today’s security programs are reactive. We focus on events. On alerts. The flashing screens. Hyped vulnerabilities stemming from news articles. We swat at mosquitoes that have already bitten us after forgetting to apply bug spray. Focusing on proactive security behaviors will relieve the constant itch of intrusions that reactive teams must scratch.
A proactive approach is not controversial. But it is a misunderstood objective. Security programs have entire teams and programs dedicated to proactive approaches such as posture management. But proactive teams, like vulnerability risk management, and reactive teams, like the security operations center, remain overwhelmed.
The current wide array of proactive solutions only adds to the confusion. Thanks to new acronyms and changing product definitions from vendors and other industry influencers (ahem), a security leader’s email inbox resembles more of a word search than an inbox. Trying to make sense of what solutions provide proactive or reactive solutions, or how or why it would even benefit your program, is more difficult than ever.
If you’re wondering how or if a given security technology supports your proactive program, ask yourself these four questions:
- Does it give me visibility into what I have in my organization that needs to be protected?
- Does it help me prioritize my remediations?
- Does it help me orchestrate remediations?
- Does it help me report on my proactive program?
If you or the sales rep cannot provide coherent answers and examples to answer these questions, then the solution is not part of a proactive security solution suite (and it could be vaporware or snake oil).
At Forrester’s Security & Risk Forum, November 14–15, I will present a session where we dive into activating proactive security for your organization, including the supporting technologies, as well as other considerations for people, process, and measurements. It’s time that we proactivate — which means knowing what we need to protect and what postures need to be straightened out, minimizing cracks in remediation processes, and ensuring that we have appropriate reporting.
I hope to see you at the Security & Risk Forum, in Washington, D.C., or virtually, so we can discuss these considerations as you embark on your proactivation journey.