Proactive Proactivity in Security…and Why It’s Not Redundant

SIA's Cybersecurity Advisory Board is a Champion of Cybersecurity Awareness month. Do Your Part. #BeCyberSmart

October is Cybersecurity Awareness Month, and the Security Industry Association (SIA) Cybersecurity Advisory Board is marking the occasion with a series of blogs, articles and videos containing helpful tips and guidance on key cybersecurity topics. In this blog from SIA Cybersecurity Advisory Board Chair John Deskurakis, chief product security officer at Carrier, learn about the key role proactivity plays in a larger security strategy.

John Deskurakis, chief product security officer at Carrier, serves as chair of the SIA Cybersecurity Advisory Board.

Cybersecurity practitioners have historically been rather reactive in their strategic approach, and there are many reasons why this has been the norm. Cybersecurity is a relatively new domain compared with the other technical concerns a physical security practitioner must consider, so it is natural that it has most likely arrived as an add-on to a longstanding, preexisting super-system, operation, organization, etc. It is quite common that this newer focus area, which may affect the overall security posture of a site, is only considered after an event occurs.

What do we mean? As an example, let us consider an event wherein a cybersecurity exploit of a physical security system results in a protected asset being lost, ransomed, revealed or damaged. And that event triggers an asset owner to respond and act. An obvious primary action would be to close and remediate the specific weakness. A secondary action may be to consider (or reconsider) one’s cybersecurity strategy and enhance capabilities such that future attacks of this nature may be avoided.

At first glance, it may seem one action is reactive and the other is proactive. But in truth, both actions are triggered by the original event. This is what we mean when we say the tendency generally leans toward reactivity. The problem with proactivity is that it means planning for the unexpected. But how do we really do that? And let's face it, acquiring funding for "things unknown" is likely a cultural challenge for anyone within most traditional organizations.

Truly proactive strategies are instituted before events transpire. The reason cyber proactivity is important is that it saves time and money. The goal is event avoidance. Avoiding everything may be unlikely, but proactive planning should allow one to avoid most problems. So what does real proactivity look like?

For physical security experts and practitioners, the hallmarks of cyber proactivity will probably look familiar. After all, cybersecurity and electronic security are similar and very much interdependent within the physical security space.

The hallmarks of a truly proactive cybersecurity strategy include:

  1. Continuous identification: One should always know what they are defending and why. Understand all the associated risks, and do so continuously, because they will evolve and change.
  2. Dynamic planning: When planning for the unknown, one must be able to shift and flex whenever needed. Critical risk management tools such as awareness and education, contingency planning, continuous analysis and improvement, maturity modeling and, of course, funding are key.
  3. Attack-centric thinking: Security practitioners must avoid static and prescriptive checkbox approaches when it comes to cybersecurity. Continuous evolution of your defense tactics is crucial. One must think like an attacker who will always be evolving to work around your defenses.
  4. Failure planning: Expect to fail. Expect events. Truly proactive operators must expect attackers will breach the walls. Acceptance of this inevitability will not only ensure better walls are built, but also ensure other defenses (and responses) will be raised.

Does this mean we shouldn't be reactive at all? Of course not. Proactivity and reactivity are complementary and required elements of any solid cybersecurity strategy. Moreover, one will find that practices like proactive failure planning improve one's reactive capabilities and enable them to become world class. Expecting and planning for failures means you are far better prepared to react, respond and recover faster and at lower expense. Proactivity is a key enabler in the larger security strategy.