The cyber security framework is often- if not always, setup as Identify, Protect, Detect, Respond and Recover. The US Department of Commerce through the National Institute of Standards and Technology (NIST) lists the Cyber Security Framework as thus:
That very important bottom right 40% is sometimes conflated but more often set up as a choice- the understanding being that the CISO has limited resources and must choice to either focus on Protection as opposed to Detection. And so, there is a thought within the industry that it is only the better-resourced organizations that actually have the time, tools and talent to focus on Detection. So we find a theory in the industry that classifies most organizations as Reactive and only best in class organizations as Proactive.
We asked a number of cyber security executives to share perspective. While the global pandemic did come up in answers, if anything- it was presented as an opportunity to continue a mindset shift had already begun. This new threat landscape, while more immediately dynamic- was noticeable. 100% remote wasn’t something that could have been predicted, but the tools that have opened up new threat vectors were already being used in limited remote work. Cyber security executives were in a good place to be able to deal with our new reality before it was completely defined.
For the most part- the cyber security community was already simultaneously reactive and proactive.
Reactive & Proactive not Reactive vs. Proactive
University of Wisconsin-Madison CISO and CSHub Board Member Bob Turner provides his headline assessment, “yesterday's news, is the reactive stuff which you have to be doing. Conceiving of tomorrow's news is how you migrate to proactive.”
Jamal Hartenstein who’s worked with the department of defense on military bases, as a part of joint task forces, and has experience with every branch of service notes that there was a glimmer of industry realization that organizations needed to be more proactive and better focused on detection and that the global pandemic has accelerated that focus.
Florida Crystals CISO Christine Vanderpool has a slightly alternative point of view. She notes that a shift in mindset is not needed if you had the right mind all along. “Your breathing exercises produce muscle memory and when you do something over and over again it becomes intuitive.” Her thinking is that if you are an intuitive cyber security executive, by definition- you are proactive. While every situation is different, if you have a good playbook- you have a good idea of what to do in a somewhat unique situation. “The team practices, the plays in the playbook over and over and over again. They don't just roll out there on any given Sunday and just start throwing the ball around.”
Parag Deodhar is the Director - Information Security, Asia Pacific for VF Corporation. VF Corporation has been in business for 120 years with 50,000 associates focused on 19 brands including The North Face, Timberland, Vans, Dickies, Eastpak, Jansport, Kipling, Kodiak and others. Prior to VF, Parag was at AXA holding various regional CISO roles. Prior to AXA, Parag was at Deutsche Bank as Head - Business Continuity & Data Protection. He’s got international experience working for global brands and he sees cyber security as a moving target.
When asked if there is a mindset shift occurring from reactive to proactive, Parag does not budge from the fact that it has to be a combination of proactive and reactive. “I'm never going to be able to catch up and say that we are completely secure now on any given day. On any given day, there are going to be new zero-day vulnerabilities. We are always going to have to be reactive. From a strategy perspective though, we do put it all on paper and plan- so we are always proactive as well.
Vice President and Group Director, Cybersecurity at Enterprise Strategy Group, Doug Cahill notes that no matter how you do it, “you want to prevent everything that you possibly can while recognizing that the adversary will move the goalposts and will find a way to successfully penetrate your environment.”
[inlinead-1]
Reactive = Tactical = Defense = Protection = The Known
Bob and his team spend plenty of time on protection and being efficiently reactive. Bob notes that ‘the reactive stuff is what you have to do’- he is noting ‘the known.’ The known can be dealt with tactically. ‘The known’ is yesterday and today. We have seen it, we have processes for how to deal with it and we have solutions to address it. The cornerstones of your SOC are built with the tactics of how to react to a known threat.
Reactively mitigating threats through analysis from your SOC, an audit or an assessment is a great way to spend some of your time. Being a great tactician is extremely important, but the time has come to ensure that more time is spent being strategic.
Proactive = Strategic = Offense = Detection = The Unknown
Conceiving of tomorrow’s news has your team gleaning insights from ‘the known’ and projecting and applying those insights to ‘the unknown.’ This has you moving from a tactical mindset to a strategic mindset. So that ultimately as Bob puts it, “in our proactivity where we're getting ahead, we're, studying ahead, we're learning about new technology.”
Jamal follows with what might be the best advice in this piece. “To be proactive is to get a foresight- to be communicating with other cyber security professionals, maybe even being a member of CSHub.com and getting insight from professionals around the world, finding out what questions others in your peer groups are asking,” so says Jamal Hartenstein. If being reactive is ‘knowing the answers,’ being proactive is ‘knowing the questions.’
Bob comes around to focusing on the image at the top of the piece, which highlights Parag’s insight but sets it as a SWOT analysis. “The perfect mix is if you were to plot out your dots, which activity is tactical, which activity is strategic, which activity is proactive, which activities reactive, the blob should be moving accordingly.
Per Bob, move the blob.
Each of the contributing executives is saying in their own way. It is not Reactive vs. Proactive- its Reactive & Proactive. Always allow yesterday to inform today and ensure that today’s action prepares you for tomorrows threats.