Hockey legend Wayne Gretzky famously shared his secret to success on the ice: “I skate to where the puck is going to be, not where it has been.”
Security teams would do well to embrace Gretzky’s forward-looking strategy in their own work; those who place emphasis on where their security program needs to get to rather than reacting to incidents that have already happened can post more wins.
“Proactive security” has become an industry buzzword in the field today, and there are plenty of calls for CISOs to shift from reactive to proactive security. Earlier this year a survey by research firm Omdia of more than 400 North American, UK and European security decision-makers found that 47% of respondents said one of their top goals was to “reduce the opportunity for threats with proactive security.”
What exactly does proactive cybersecurity entail? Definitions vary, but simply put, it means an increased focus on preparing for the future: identifying future threats and the tactics, techniques and procedures (TTPs) used by bad actors, and then implementing measures in advance to counteract them.
Being proactive can mean reassessing the team and the approach
“There needs to be a balance between working in the function and working on the function. That’s what I think is the difference between being reactive and proactive,” says Wolfgang Goerlich, a faculty member at IANS Research, a Boston-based cybersecurity research and advisory firm, and a public sector CISO.
“Working on the function is being proactive. Security needs to create a habit of stepping out, taking a break, looking at how to structure things with fresh eyes, asking whether it has the right people and the right processes, and asking how technology and the adversaries are changing.”
Of course, security teams must maintain a strong response capability so they can identify, contain, and recover from incidents that happen, Goerlich and other senior security leaders say.
But they also highlight reasons that security needs to be more proactive, saying that it allows CISOs, their teams and their organizations to get a step ahead of threats and, thus, increase their chances of besting their cyber adversaries.
An already-full plate can hamper a CISO’s proactive planning
Planning ahead can be tough — particularly in cybersecurity where the growing volume and sophistication of threats keeps many defenders in reactive mode. CISOs and their teams have full schedules dealing with immediate tasks — those must-do ASAP items like patching and reporting to regulators and the board — which distracts many from shifting toward more proactive security. As Goerlich says, “The more stress that’s piled on, how far you can look into the future gets smaller and smaller.”
Then there’s the related challenge of having to track and mitigate an increasing number of risks and threats. Gretzky may have had to go to where the lone puck was going to be, but security teams “have multiple pucks and lots of teams on the ice,” Goerlich notes.
CISOs can take a number of steps to shift from a reactive-only security program to one better balanced between reactive and proactive. For example, many already have implemented threat-hunting programs and others are part of ISACs and other information-sharing entities. Here are four additional actions that can help CISOs get ahead of the puck.
1. A security framework can help build proactiveness
Chetan Anand, associate vice president and CISO at fintech consulting firm Profinch and member of the ISACA Emerging Trends Working Group, says his use of a security framework has helped him move his security program to a more proactive one by enabling his team to “anticipate and prevent problems before they occur.”
Anand uses ISACA’s Digital Trust Ecosystem Framework (DTEF), which was released in early 2024 and is designed to be compatible with several other existing frameworks and best practices, including COBIT, ITIL, GDPR, and numerous ISO and NIST standards.
He says following a framework enables a proactive stance by helping security break down silos, focus on resiliency, gain greater visibility across security operations, identify potential issues before they become problems, and prepare for emerging risks (as the frameworks themselves evolve with the changing threat landscape).
Anand says he uses ISACA’s DTEF to integrate ISO 27001:2022 information security management systems requirements; ISO 9001:2015 quality management systems requirements; and ISO 31000:2018 risk management guidelines — three standards which he also follows.
All that in turn helps security optimize costs and gain other resource efficiencies, savings that CISOs can redeploy to activities that are forward-looking rather than reactive, he notes, adding that “it helps with better planning and preparing.”
Following a framework also puts security in a better position to support business growth, he says, because security can demonstrate to new customers and business partners that it has implemented appropriate measures to handle whatever is next. “So, this is also a strategic advantage,” he adds.
Other CISOs seem to agree with the value that Anand places on using a framework, with research showing that a majority of CISOs use at least one framework. However, such use is not universal among enterprise security shops, indicating room for improvement.
2. Adopt a continuous improvement approach to the security program
Ahmad Jowhar, a research analyst in the security and privacy practice at Info-Tech, says he hears plenty of CISOs talk about taking a more proactive stance — which he describes as “anticipating threats and vulnerabilities that may arise before they infiltrate or impact the organization.”
In other words, he says, it’s about taking actions today to mitigate the threats of tomorrow.
Security assessments, security training and upskilling for all employees, and building a security-minded enterprise culture all help build a proactive stance, Jowhar says.
But he also advises CISOs to adopt a continuous improvement approach to their programs – similar to the continual improvement process used by many software product teams and other functional areas within a typical organization.
“We see threats evolving and getting more sophisticated, so CISOs need to be continuously evolving, too,” he explains. “They need to always be taking steps to improve. They should not assume that what they implemented yesterday will help them today and tomorrow. That’s a marker of being proactive.”
CISOs can do that through various enabling steps, Jowhar says.
One step is identifying their organization’s top business goals and ensuring the security strategy aligns with and supports those goals.
Another key enabling step is understanding the current state of their security program, articulating the ideal future state, and detailing how to get to that future state. “If you’re at a 2 now, figure out how you will move to 5. Lay out the incremental steps to move up from 2 to 3, then 3 to 4, and then to 5, and get support for those steps in the business,” Jowhar says.
3. Have regularly scheduled meetings focused on the future
As Goerlich notes, CISOs who want a more proactive program need to be looking into the future. To ensure he has time to do that, Goerlich schedules regular off-site meetings every quarter where he and his team ask what is changing.
“This establishes a process and a cadence to get [us] out of the day-to-day activities so we can see the bigger picture,” he explains. “We start fresh and look at what’s coming in the next quarter. We ask what we need to be prepared for. We look back and ask what’s working and what’s not. Then we set goals so we can move forward.”
Goerlich says he frequently invites outside security pros, such as vendor executives and other thought leaders, to these meetings to hear their insights into evolving threats as well as emerging security tools and techniques to counteract them. He also sometimes invites his executive colleagues from within his own organization, so that they can share details on their plans and strategies — a move that helps align security with the business needs as the organization moves forward.
He has seen this effort pay off. He points to actions resulting from one particular off-site where the team identified challenges around its privileged access management (PAM) process and, more specifically, the number of manual steps it required.
“It’s the type of process that organizations build up over years, and it made perfect sense when it was put in place, but things change and it no longer worked well,” Goerlich explains.
So, the team reengineered the PAM program, cutting steps and replacing old tools with new ones to create a more automated, more efficient and more secure process.
Goerlich says this example illustrates both the value of having regular meetings focused on getting ahead and how taking proactive measures translates into better security, explaining that the reengineered PAM process brought operational efficiencies and lowered the amount of scrambling security teams had to do to support a manual-heavy legacy process.
4. Create and control the cyber story in your organization
One of the biggest challenges CISOs face is getting adequate support and resources to build a resilient security program that includes the appropriate balance of future-proofing activities and responsive capabilities, says Michael Clark, head of cyber advisory for the Americas at S-RM, a global intelligence and cybersecurity consultancy.
Clark puts much of the blame for that on the current state of the cybersecurity message in the typical organization. He says too often CISOs have their narrative funneled to the board by another executive who presents a “rosier picture” of the threat landscape and the organization’s security posture.
“The message CISOs want to convey doesn’t rise up to the board,” he says, adding that CISOs need a conduit to the board “that allows them to raise concerns in a way that doesn’t get whitewashed by that [liaison] they have between them and the board.”
That’s crucial for getting ahead, he says.
“The threat and regulatory landscape are changing, and complexity of technology is evolving. And if CISOs are not getting the support they need, it’s hard to stay ahead as those things evolve,” he explains.
The ability to articulate security dynamics to the CEO and the board and to successfully advocate for what they need is a long-standing challenge for CISOs.
Figures from a 2024 survey from SPMB Executive Search speak to the issue. It found that only 27% of CISOs report directly to the CEO in 2024 (up from 22% in 2023) and only 54% of CISOs report at least quarterly to the board. It also found that 5% don’t report out to the board at all.
Although other surveys show a higher percentage reporting to CEOs and boards, the research overall points to the fact that CISO access to the board is far from universal or frequent.
To counter such challenges and get the resources required to engage in proactive security measures, Clark advises CISOs to “create the narrative about how security is enabling the business, protecting the business, supporting the brand, and improving investor trust.”
He says CISOs should measure and report on key indicators around risk and show how those and other security measures align with and support business requirements and business strategy. They should then use those metrics to tell the security story and to identify areas for improvement.
“Leaders don’t want to communicate bad messages to the board, and CISOs don’t want to be accused of catastrophizing, so they have to create and control the narrative. They have to learn to articulate how they enable the business, how they’re safeguarding the brand, and then on the flip side where there are areas of concern, how they can fix them and how they’re going to prioritize that work,” Clark says.
Clark worked with one CISO client who simply told the board that the security team had identified 98% of the endpoints that need protecting, rather than explaining how the remaining 2% would be identified, what percentage of endpoints were actually protected, why that mattered, what was needed to close the protection gap, and the risk of not doing so.
“They should say, ‘Here’s what we can do with our current budget, and if we want to do other things or things faster, here’s what security is going to need,’” Clark says.
Such frank discussions, he adds, are more apt to get CISOs the resources they need to implement the security measures that will help them get a few steps ahead of reactive mode.