Mary K. Pratt
Contributing writer

8 hallmarks of a proactive security strategy

Feature
Oct 25, 2022 | 8 mins
Topics: Cyberattacks, Data and Information Security, IT Strategy

More CISOs are balancing their response and recovery capabilities with proactive measures that anticipate attacks and vulnerabilities.

[Image: A protected padlock with checkmark amid a field of abstract data. Credit: Matejmo / Getty Images]

CISOs have long been tasked with building response and recovery capabilities, the objective being to have teams that can react to a security incident as quickly as possible and can restore business functions with as little damage as possible.

The need for those activities is certainly not going to go away, but many security chiefs are seeking to take more proactive steps to balance out reactive ones.

“On the proactive side, you’re trying to predict what kind of attack can occur in your environment and find your vulnerabilities before others do, so you reduce risk before it materializes,” says Pierre-Martin Tardif, cybersecurity professor at Université de Sherbrooke and member of the Emerging Trends Working Group with the professional IT governance association ISACA.

According to Tardif and other experts, a proactive strategy can do much more to ensure organizational resiliency than having only or mostly the ability to rapidly respond once an attack or breach has been detected.

“Our ultimate goal as a cybersecurity professional is to prevent cyber risks from being exploited by protecting our assets. Proactive programs are very successful in doing just that,” says Sandra Ajimotokin, a senior security program manager at a large global company and another member of ISACA’s Emerging Trends Working Group.

So, what sets CISOs who have embraced a proactive strategy apart? Here’s a look at what they commonly do:

1. They understand what they have, what they must protect, and what they’re protecting against.

To build a proactive cybersecurity stance, multiple sources point to the need for CISOs to first understand what they have, know what requires the highest levels of protection, and recognize the risks an organization is willing to accept. This helps CISOs identify which threats pose the biggest risks to their organizations and therefore require the most attention.

“A proactive cyber team understands their organization’s risk profile and can identify risks that the organization hasn’t faced yet,” Ajimotokin explains. “This is a key component of being able to prevent attacks from occurring, because they understand what needs to be protected and can think through all the ways it’s vulnerable.”

John Deskurakis, chief product security officer for Carrier Global Corp., concurs, adding that CISOs need to do this on an ongoing basis, which he calls “continuous identification.”

“Know what you are defending and why. Understand all the associated risks and continuously do so. Be the expert in terms of your attack surface and know it well, as it will grow and change.”

2. They have strong user authentication policies and a zero-trust approach.

Proactive security teams have a good understanding of not only their IT environments and their organization’s risk profile, but they also have a rock-solid understanding of who and what is accessing their network and each of their systems through strong user authentication policies, says Bryce Austin, CEO of TCE Strategy, a virtual CISO and cybersecurity consulting firm. Policies such as multifactor authentication help ensure that only authorized users get into the enterprise IT environment and work to keep all others out.

Tardif notes that many CISOs are implementing strong authentication requirements as part of their move to zero-trust architecture, in which all users – whether humans or devices – must verify they’re who they say they are before gaining access. But he notes that zero trust goes even further: it also restricts authenticated users’ access to only those systems and data they need to do their jobs. Tardif says following this principle of least privilege is one more way for security to move its focus away from responding to incidents to proactively preventing them.
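To make the two ideas in this section concrete, the following is an added example (not code from the article or from any product named in it) of a deny-by-default access check: a request is allowed only if the caller’s role is entitled to the specific resource, the device is managed, and MFA has been completed where the resource demands it. The roles, resources, MFA list and sample requests are constructed for illustration.

```python
"""Deny-by-default access evaluation in the zero-trust, least-privilege style.

Added example, not from the article. The role-to-resource map, the
MFA-required set and the requests below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed least-privilege policy: each role lists the only resources it
# may reach; anything not listed is denied without a special rule.
ROLE_ACCESS = {
    "payroll-analyst": {"payroll-db", "hr-portal"},
    "helpdesk": {"ticketing", "hr-portal"},
    "engineer": {"git", "ci", "ticketing"},
}
# Constructed: resources sensitive enough that authentication alone is not enough.
MFA_REQUIRED = {"payroll-db", "git", "ci"}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    mfa_verified: bool
    device_managed: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Every check must pass; any request that matches no allow rule is denied."""
    if req.role not in ROLE_ACCESS:
        return Decision(False, f"unknown role {req.role!r}")
    if req.resource not in ROLE_ACCESS[req.role]:
        return Decision(False, f"role {req.role!r} is not entitled to {req.resource!r}")
    if not req.device_managed:
        return Decision(False, "device is not managed")
    if req.resource in MFA_REQUIRED and not req.mfa_verified:
        return Decision(False, f"{req.resource!r} requires MFA")
    return Decision(True, "least-privilege check passed")


def audit(requests: Iterable[Request]) -> List[Tuple[str, str, bool, str]]:
    """Evaluate a batch and return rows shaped like an access-decision log."""
    rows = []
    for r in requests:
        d = evaluate(r)
        rows.append((r.user, r.resource, d.allowed, d.reason))
    return rows


# Constructed sample requests: one clean allow and four distinct denials.
SAMPLE_REQUESTS = [
    Request("alice", "payroll-analyst", "payroll-db", mfa_verified=True, device_managed=True),
    Request("bob", "helpdesk", "payroll-db", mfa_verified=True, device_managed=True),
    Request("carol", "engineer", "git", mfa_verified=False, device_managed=True),
    Request("dave", "engineer", "ticketing", mfa_verified=False, device_managed=False),
    Request("eve", "contractor", "git", mfa_verified=True, device_managed=True),
]

if __name__ == "__main__":
    for user, resource, allowed, reason in audit(SAMPLE_REQUESTS):
        print(f"{user:6} {resource:12} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of the structure is that adding a new system means adding an explicit entitlement, never relaxing a default; an account that authenticates correctly but asks for something outside its role is still turned away, which is the least-privilege behaviour Tardif describes.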

3. They’re agile and adaptive.

Another key for getting ahead of hackers is the ability for CISOs and their teams to pivot as quickly as – if not more quickly than – the bad actors.

To that end, Deskurakis says proactive CISOs have adopted “attack-centric thinking, [where you] avoid static and prescriptive check-box approaches, continuously evolve your tactics, and think like an attacker. A solid proactive defense capability is flexible and often shifting to meet ever evolving threats.”

Andrew Retrum, a managing director in the security and privacy practice at management consulting firm Protiviti, agrees. He draws on an ice hockey-based axiom about skating to where the puck is going to be – not to where it is, adding: “You want to get out in front of what’s coming your way.”

4. They’re plotting for the future.

Similarly, proactive CISOs have their eye on emerging tools, techniques, and regulations; moreover, they incorporate them into their strategies and their security programs before they become mainstream or mandatory.

For example, Retrum points to a CISO who had engaged his firm several years ago when it became clear that the New York Department of Financial Services would issue new cybersecurity requirements. “He wanted to get in front of that so he could advise other senior leaders about it. He wanted to make sure they were aware of what was to come,” Retrum remembers.

Retrum says he sees other CISOs take that approach as they look to what’s changing in their own enterprise environments or in the broader market, an approach that lets them ready their security departments in advance of those changes. For example, he knows some CISOs who are already considering how the anticipated rise of quantum computing will impact their security program, identifying which current security measures will become ineffective and determining what protections they’ll use instead.

“Proactive security functions are thinking about all that now, and they’re putting together a roadmap for three to five years out,” he says, adding that there’s value in “looking ahead and knowing the future.”

5. They’re watching for impersonators.

Proactive security teams are looking for any misuse of their domain names, company logos, and other identifiers, says Carlos Rivera, principal research advisor with Info-Tech Research Group.

“They’re proactively searching for illicit use of their brand,” he says.

Security teams typically use SaaS-based tools or work with a managed security service provider for domain name monitoring that searches for spoofing and other forms of brand impersonation. This monitoring, Rivera says, can alert security teams early to hackers trying to use spoofed websites, hijacked corporate logos, and other forms of impersonation for phishing and other types of socially engineered attacks – thereby giving security teams time to counteract or even completely shut down those attack attempts before they become full-scale assaults or have any level of success.
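The core of the domain monitoring Rivera describes is a lookalike check run over newly observed domain names. The following is an added example, not code from the article or from any monitoring vendor, that classifies a candidate domain against a protected brand by several common impersonation patterns: digit-for-letter homoglyphs, the brand embedded in a longer label, small typos, the brand on a TLD the organization does not own, and the brand used as a subdomain of an unrelated domain. The brand name, the legitimate-domain list and the candidate domains are constructed; a real feed would come from certificate transparency logs or a monitoring service.

```python
"""Flag lookalike domains that may be impersonating a brand.

Added example, not from the article. BRANDS, LEGITIMATE and CANDIDATES
are constructed; the second-level label is used as an approximation of
the registrable domain (no public-suffix list is consulted here).
"""
from typing import Dict, Iterable, Optional

BRANDS = ["examplecorp"]                      # constructed brand to protect
LEGITIMATE = {"examplecorp.com", "examplecorp.net"}   # constructed owned domains

# Substitutions commonly seen in typosquatting and homoglyph registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m", "cl": "d"}


def normalize(label: str) -> str:
    """Fold digit and letter-pair homoglyphs back to the letters they imitate."""
    s = label.lower()
    # Longer patterns first so "vv" is handled before any single-character rule.
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances to the brand indicate typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[str]:
    """Return a reason if `domain` looks like brand impersonation, else None."""
    domain = domain.lower().rstrip(".")
    if domain in LEGITIMATE:
        return None
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    subdomains = labels[:-2]
    for brand in BRANDS:
        folded = normalize(sld)
        if sld == brand:
            return f"{brand} on unlisted TLD .{labels[-1]}"
        if folded == brand:
            return f"homoglyph of {brand}"
        if brand in folded:
            return f"{brand} embedded in {sld}"
        if levenshtein(folded, brand) <= 2:
            return f"within 2 edits of {brand}"
        for sub in subdomains:
            if brand in normalize(sub):
                return f"{brand} used as subdomain of {'.'.join(labels[-2:])}"
    return None


def scan(domains: Iterable[str]) -> Dict[str, str]:
    """Return only the flagged domains with the reason each was flagged."""
    return {d: reason for d in domains for reason in [classify(d)] if reason}


# Constructed candidates, as a newly-observed-domains feed might deliver them.
CANDIDATES = [
    "examp1ecorp.com",
    "examplecorp-login.net",
    "examplecrop.com",
    "examplecorp.org",
    "examplecorp.evil-host.example",
    "unrelated.com",
    "examplecorp.com",
]

if __name__ == "__main__":
    for d, why in scan(CANDIDATES).items():
        print(f"{d:32} {why}")
```

Flagged names are a starting point for a takedown request or a block-list entry, not proof of abuse on their own; the edit-distance threshold and the homoglyph table are the knobs to tune against the volume of false positives a given brand name produces.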

6. They hunt for threats.

Bad actors frequently try to obfuscate their activities as they try to make their way through corporate networks and systems in search of a big payoff. (IBM’s 2022 Cost of a Data Breach Report, for example, found that organizations took an average of 207 days to identify a breach.)

That delayed identification has been a longstanding issue, one that puts security teams into reactive mode. To counter that, security teams are increasingly turning to threat hunting to find any bad actors lurking in their environment before a breach or other attack occurs.

“Another element of a proactive security approach is participating in active threat hunting by looking for threats before they are able to be actively exploited. This can be from the technical angle (the vectors) as well as those that may wish to exploit (the actors),” explains Jon France, CISO at (ISC)², a nonprofit training and certification organization.

Threat hunting pays off. According to the SANS 2022 Threat Hunting Survey, 85% of respondents said threat hunting has improved the security posture of their organization. Meanwhile, experts say the use of machine learning and artificial intelligence should boost such figures even higher by helping enterprise security teams find threats even more quickly.

“Security professionals can benefit from ML’s ability to recognize patterns and predict outcomes, providing a level of visibility never seen before,” Ajimotokin says. “This could allow cyber teams to quickly scale, identify threats as early as possible, and mitigate an attack faster than ever.”
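Threat hunting as France describes it starts from a hypothesis and tests it against telemetry that already exists. The following is an added example, not code from the article, of one such hunt: given authentication logs, find any account that successfully reaches an unusually large number of distinct hosts within a short window, a pattern worth investigating as possible lateral movement. The log format, the sample events and the thresholds are constructed assumptions to be tuned per environment.

```python
"""One hunting hypothesis run over authentication logs: account fan-out.

Added example, not from the article. LINE_RE, SAMPLE_LOG and the window
and host thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed log line shape: "<iso-ts> auth user=<u> src=<ip> dst=<host> result=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

# Constructed events: one service account touches five hosts in about a minute.
SAMPLE_LOG = """\
2022-10-25T02:14:07Z auth user=jdoe src=10.0.3.14 dst=ws-jdoe result=success
2022-10-25T02:15:30Z auth user=svc-backup src=10.0.9.2 dst=srv-fin-01 result=success
2022-10-25T02:15:41Z auth user=svc-backup src=10.0.9.2 dst=srv-fin-02 result=success
this line is deliberately malformed and must be skipped
2022-10-25T02:15:55Z auth user=svc-backup src=10.0.9.2 dst=srv-hr-01 result=success
2022-10-25T02:16:10Z auth user=svc-backup src=10.0.9.2 dst=srv-hr-02 result=success
2022-10-25T02:16:22Z auth user=svc-backup src=10.0.9.2 dst=dc-01 result=success
2022-10-25T02:16:40Z auth user=svc-backup src=10.0.9.2 dst=srv-fin-01 result=success
2022-10-25T03:40:00Z auth user=asmith src=10.0.3.22 dst=srv-hr-01 result=failure
2022-10-25T09:01:00Z auth user=asmith src=10.0.3.22 dst=srv-hr-01 result=success
"""


def parse(text: str) -> List[dict]:
    """Parse log lines into events sorted by time; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def hunt_fan_out(events: List[dict], window: timedelta = timedelta(minutes=5),
                 max_hosts: int = 4) -> Dict[str, Tuple[datetime, List[str]]]:
    """Return {user: (window_start, distinct_hosts)} for users exceeding max_hosts."""
    recent = defaultdict(deque)   # user -> deque of (ts, dst) inside the sliding window
    findings: Dict[str, Tuple[datetime, List[str]]] = {}
    for e in events:
        if e["result"] != "success":
            continue              # failures are a different hypothesis
        q = recent[e["user"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) > max_hosts and e["user"] not in findings:
            findings[e["user"]] = (q[0][0], sorted(hosts))
    return findings


def run_hunt(text: str = SAMPLE_LOG) -> Dict[str, Tuple[datetime, List[str]]]:
    return hunt_fan_out(parse(text))


if __name__ == "__main__":
    for user, (start, hosts) in run_hunt().items():
        print(f"{user}: {len(hosts)} hosts since {start.isoformat()} -> {hosts}")
```

A finding here is a lead, not a verdict: a backup account may legitimately touch many hosts, which is exactly why the hunter checks it against the asset inventory and risk profile from hallmark 1 before escalating, and why a confirmed benign pattern becomes an allow-listed baseline for the next run.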

7. They hunt for vulnerabilities.

A strong vulnerability management program that identifies which known vulnerabilities exist within an organization and prioritizes patching those that present the highest risk is an important mark of a good security strategy.

But France says security teams that want to be proactive should go one step further and add vulnerability hunting to their programs. He points out that vulnerability management programs have traditionally focused on addressing known problems, whereas vulnerability hunting challenges security teams to uncover unknown ones – such as insecure software code or misconfigurations that are unique to their own IT environments.

France and others recommend CISOs undergo regular penetration testing to seek out weak spots, and create vulnerability disclosure programs and bug bounties to encourage and reward workers who search for, find and fix such issues.
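The prioritization step described at the start of this section, ranking known vulnerabilities by the risk they actually present rather than by severity score alone, is shown in the following added example (not code from the article). It weights a published base score by whether the asset is internet-facing, whether the weakness is already being exploited in the wild, and how critical the asset is, then assigns a remediation deadline from the result. The findings, the weights and the deadline thresholds are constructed assumptions; the finding ids are placeholders, not real vulnerability identifiers.

```python
"""Risk-based ranking of known vulnerabilities.

Added example, not from the article. The findings, multipliers and
SLA thresholds below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    finding_id: str           # placeholder id, not a real vulnerability identifier
    asset: str
    cvss_base: float          # published severity, 0.0 to 10.0
    internet_facing: bool
    exploited_in_wild: bool   # e.g. present in a known-exploited catalogue
    asset_criticality: int    # 1 = low, 2 = normal, 3 = crown jewel


# Constructed weights: exposure and active exploitation matter more than raw severity.
EXPOSURE_WEIGHT = 1.5
EXPLOITED_WEIGHT = 2.0
CRITICALITY_WEIGHT = {1: 0.8, 2: 1.0, 3: 1.25}
SLA_DAYS = [(15.0, 7), (8.0, 30), (0.0, 90)]   # score threshold -> days to remediate


def risk_score(f: Finding) -> float:
    score = f.cvss_base
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if f.exploited_in_wild:
        score *= EXPLOITED_WEIGHT
    return score * CRITICALITY_WEIGHT[f.asset_criticality]


def sla_for(score: float) -> int:
    for threshold, days in SLA_DAYS:
        if score >= threshold:
            return days
    return SLA_DAYS[-1][1]


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, int]]:
    """Return (finding_id, risk_score, sla_days) ordered from most to least urgent."""
    scored = [(f.finding_id, risk_score(f), sla_for(risk_score(f))) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed findings: note the 9.8 on an internal host ends up below two lower scores.
FINDINGS = [
    Finding("F-001", "internal-db", 9.8, internet_facing=False, exploited_in_wild=False, asset_criticality=3),
    Finding("F-002", "public-webapp", 7.5, internet_facing=True, exploited_in_wild=True, asset_criticality=2),
    Finding("F-003", "dev-laptop", 9.1, internet_facing=False, exploited_in_wild=False, asset_criticality=1),
    Finding("F-004", "vpn-gateway", 6.5, internet_facing=True, exploited_in_wild=True, asset_criticality=3),
]

if __name__ == "__main__":
    for fid, score, days in prioritize(FINDINGS):
        print(f"{fid}  score={score:6.2f}  fix within {days} days")
```

Run against the sample, the 6.5-rated gateway bug that is exposed and actively exploited lands at the top and the 9.8 on an internal database third, which is the difference between "patch by severity" and "patch by risk" that the section draws.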

8. They practice their response.

France says it may seem counterintuitive, but proactive security teams also regularly practice how they’ll respond and react in the event of a successful attack. This practice (typically in the form of running table-top drills) lets organizations get ahead in a few ways, France explains.

Because drills imagine and articulate how attacks could happen, they help security teams identify the vulnerabilities in their existing security programs. They can then work to close those gaps and – hopefully – prevent their imagined scenarios from happening, France says.

The drills also help identify deficiencies in response plans, which allows CISOs to close those gaps as well. These drills also build muscle memory, France adds, meaning the organization can move more quickly, efficiently and effectively when an event occurs so they can minimize the damage and get back to normal sooner.