Proactive Security versus Reactive Compliance

Monday, October 11, 2010

Robb Reck


See previous article: Maturing from compliance to security

Proactive: Plan ahead, think through what issues may come up, and put in the effort on the front end to reduce unexpected issues. This means fewer surprises down the road and a higher-quality product the first time. But the up-front work is more resource intensive: proactive work requires planning and spending for things that may never happen.

Reactive: Create your product with only the features and functions that are required right now. This is faster and easier than proactive work. It's much more cut and dried. But the lack of foresight may end up requiring significant duplication of work down the road.

A reactive organization creates its security program based solely on complying with a certain regulation or passing a particular audit. This organization takes a point in time snapshot of regulations and sets that as a target for their program.

Proactive organizations craft programs based on both current requirements and foreseeable future requirements. To be clear, this does not mean they forgo building in features to meet compliance requirements.

On the contrary, those requirements will be one of many ingredients. But the proactive organization is also looking toward what is coming down the road, what its peers are doing, and where the attackers are coming from.

Example: PCI DSS does not specifically require encryption of data at rest. It does require that all stored cardholder data be protected (Requirement 3) and that, if the primary account number (PAN) is stored, it must be truncated, hashed or encrypted, but a merchant can decide not to store the PAN at all and avoid having to encrypt data at rest.

A reactive organization might give a sigh of relief and leave it at that. But a proactive organization should spend some time considering this, especially as they are creating a new IT system.

What is the cost of implementing encryption of data on the servers? What would the scope be? What is the impact of not storing the account number?
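To make those Requirement 3 options concrete, here is an added example in Python; it is not part of the original post and not code from the PCI Council or any vendor. It assumes a constructed test PAN (the widely used Visa test number 4111111111111111, which passes the Luhn check) and a hypothetical TokenVault class standing in for a tokenization service. It shows truncation, an unkeyed SHA-256 hash, a keyed HMAC, and the caveat that belongs in the cost analysis above: a truncated copy and an unkeyed hash of the same PAN stored side by side let anyone with read access recover the full number by enumerating the masked digits, so "hashed" is not automatically "protected".

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN: the widely used Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan):
    """True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Keep at most the first six and last four digits; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan_unkeyed(pan):
    """A bare one-way hash. Looks protective, but the PAN space is tiny."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan, key):
    """An HMAC with a secret key: the enumeration below no longer works
    without the key, which then has to be managed like an encryption key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan_from_truncation(truncated, unkeyed_digest):
    """Attacker's view: given a truncated PAN and the unkeyed hash of the
    same PAN, enumerate the masked digits (10**6 for a 16-digit PAN, a
    tenth of that after the Luhn check) until one hashes to the digest."""
    bin6, last4 = truncated[:6], truncated[-4:]
    masked = len(truncated) - 10
    for n in range(10 ** masked):
        candidate = f"{bin6}{n:0{masked}d}{last4}"
        if not luhn_ok(candidate):
            continue
        if hash_pan_unkeyed(candidate) == unkeyed_digest:
            return candidate
    return None


class TokenVault:
    """Hypothetical stand-in for a tokenization service that lives outside
    the application's database (for example at the payment processor).
    The application keeps only the random token, so it stores no PAN."""

    def __init__(self):
        self._pans = {}

    def tokenize(self, pan):
        token = secrets.token_hex(16)   # random; carries no PAN information
        self._pans[token] = pan
        return token

    def detokenize(self, token):
        return self._pans.get(token)


def demo():
    """Run the options side by side and report what each one leaks."""
    key = secrets.token_bytes(32)
    truncated = truncate_pan(SAMPLE_PAN)
    weak = hash_pan_unkeyed(SAMPLE_PAN)
    strong = hash_pan_keyed(SAMPLE_PAN, key)
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    return {
        "truncated": truncated,
        "recovered_from_truncation_plus_unkeyed_hash":
            recover_pan_from_truncation(truncated, weak) == SAMPLE_PAN,
        "keyed_hash_differs_from_unkeyed": strong != weak,
        "token_is_not_pan": token != SAMPLE_PAN,
        "vault_round_trip": vault.detokenize(token) == SAMPLE_PAN,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The enumeration is the point: the decision "we'll just hash it" has a different cost once you account for keeping an HMAC key (or an encryption key) under proper key management, and the "don't store it" option moves that cost to whoever runs the vault.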

By performing that analysis they change the decision from a Compliance mindset to a Security mindset, with a focus on the business itself.

A reactive company, just trying to achieve their PCI compliance, will be happy to finish the checklist and call it done. A proactive organization will seek out what else is going on in the world of security.

A privately held company wouldn't be subject to Sarbanes-Oxley, but a proactive security practitioner might look to implement SOX safeguards anyway, for two reasons. First, the minimum requirements of PCI DSS are bound to change as technology changes.

By looking to other InfoSec regulations and standards, the proactive organization can position itself for the changes to its own. Second, the organization may someday decide to go public.

Having built those SOX protections in from the beginning will reduce the workload during an IPO or acquisition, a time when resources are generally at a premium.

A proactive company will keep an eye on what the bad guys are doing. If the InfoSec standard you follow says you just need a firewall, but you find that your employees have been setting up unprotected WiFi access points on your network and everyone at the coffee shop next door has been surfing your network, your company's needs just changed.

The nature of your industry, company and the technologies you utilize will determine the nature of the attacks against you. You cannot depend on a framework or regulatory agency to know what threats are most dangerous to your company.

Self-awareness and active monitoring are needed.

Considering whether your organization is proactive or reactive is a great start. But it's not the end. An organization that is proactive one day can become reactive the next as new business pressures emerge and new priorities are assigned.

It takes diligence from each level of the organization to keep a proactive security posture. If you want to read more about enterprise security maturity, see McAfee's new maturity model.

Cross-posted from Enterprise InfoSec Blog from Robb Reck.

Anthonie Ruighaver Nice post, but touches on a lot of issues. Probably the most important one is being able to reflect on your security efforts. Reflection on the truth and rationale of your beliefs about security is the cornerstone of a good security culture. The second most important issue that will influence how proactive you can be is situational awareness. Active monitoring and fostering situational awareness are crucial if you want to be proactive. And don't forget you cannot be proactive if you cannot be reactive. Prevention-only strategies will always fail.
Robb Reck Thank you for the thoughts Anthonie. My experience has been that most organizations get a lot of experience in reacting to issues. They get so used to reacting that they don't work to move beyond that.

I agree with your statement that you cannot be effective proactively if you're not good at reacting. But the reverse is true. If you have not planned and created procedures for reacting to a situation, you will not be good at reacting when an incident occurs.
Anthonie Ruighaver I agree Robb, but planning is only part of being proactive. My experience is that many organizations plan, but few plan to improve learning from their incidents. Organizational learning, in particular double loop learning, is crucial if you want to improve your planning and your preparedness for incident handling.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
