The RSA Conference is upon us again, and many are planning their travel to San Francisco next week and determining which talks to attend (including talks from our own Heidi Shey, Jinan Budge, Jeff Pollard, and Joseph Blankenship). But no trip to the RSA Conference is complete without a stroll through the Moscone Center to see what security vendors are up to, complete with enthusiastic messaging and wacky antics. And while generative AI is sure to be prevalent throughout vendor demos this year, I am predicting that you will find yourself challenged by many vendors asking “How proactive are you?” as they eagerly scan your badge.
We covered proactive security during our Security & Risk Forum last year, but I’m pleased to announce that we’ve just published two reports that discuss the meaning of proactive security along with the steps required to achieve it. We define proactive security as:
A strategic approach to controlling security posture and reducing breaches through strong visibility, prioritization, and remediation.
The Three Principles of Proactive Security covers how visibility, prioritization, and remediation are the foundational building blocks of your proactive program, and The Four Steps For More Proactive Security breaks down the tactical steps that organizations should take to get there.
At the RSA Conference next week, I expect to see vendors offering products such as attack surface management, exposure management, and continuous security testing, all touting themselves as proactive security solutions (expect to see vague, ill-defined phrases with words like “continuous,” “threat,” and “exposure” accompanying these products’ marketing). But before assessing whether these products will help your program, you must first understand how well your organization is currently aligned toward the three principles of proactive security:
- Visibility. Security pros must know what they’re dealing with before they can understand their risks. Visibility extends to asset and vulnerability enumeration and context.
- Prioritization. The size and scale of discovered assets and their exposures means teams need to filter down to actionable objectives. Tools that enable assessment and validation of threats, weaknesses, and controls all support prioritization.
- Remediation. Remediations are the most convoluted part of a successful proactive program due to scattered inputs, metrics, and processes (or lack thereof). Inputs toward remediation must shed light on root causes.
While you’re wandering Moscone, remember that vendors claiming to be proactive are not doing enough. Ask vendors how and why they support the above principles. Press vendors on how their solution supports the three principles but also on how they would support and integrate with your current security stack. This will help hone your focus for deploying potential proactive solutions.
Want to hear more? Get in touch with me! Schedule an inquiry or hit me up on LinkedIn.