From Reactive to Proactive: Four Strategies for CISOs to Improve Cybersecurity Foresight

How does today’s CISO understand “proactive security”? Being prepared before threats occur and planning responses in advance requires adequate preparation and the right strategy.

Hockey legend Wayne Gretzky once shared his secret to success on the ice: "I skate to where the puck is going to go, not where it has been."

Security teams would benefit greatly from adopting Gretzky’s proactive strategy in their work. Teams that focus on the future goals of their security programs are more likely to win than those that simply react to events that have already occurred.

Today, "active security" has become a buzzword in the industry, with many voices calling on CISOs to shift from reactive to proactive security. Earlier this year, research firm Omdia surveyed more than 400 security decision makers in North America, the UK, and Europe, and the results showed that 47% of respondents said that one of their top goals was to "reduce the chance of threats through proactive security."

So, what exactly does proactive cybersecurity mean? While definitions vary, in simple terms it refers to a greater focus on preparing for the future, identifying future threats and the tactics, techniques, and procedures (TTPs) used by malicious actors, and then implementing measures to counter them in advance.

Proactive safety may mean reassessing teams and strategies

“There needs to be a balance between working within the function and working on the function, and that’s what I think is the difference between reactive and proactive,” said Wolfgang Goerlich, faculty fellow and public sector CISO at IANS Research, a Boston-based cybersecurity research and consulting firm.

"Working on the function is proactive security. Security teams need to develop the habit of temporarily stepping out of their daily work and taking a break. They need to look at how to structure things from a new perspective, think about whether they have the right talents and processes, and how technology and adversaries are changing."

Of course, security teams must maintain strong response capabilities to identify, contain and recover from incidents when they occur, Goerlich and other senior security leaders said.

But they also highlight why security needs to be more proactive, as this allows CISOs, their teams and the enterprise to stay ahead of threats, improving the chances of defeating cyber adversaries.

CISO workload may hinder proactive planning

Planning ahead isn’t easy, especially in the cybersecurity space, where the increasing number and sophistication of threats has kept many defenders in a reactive mode. CISOs and their teams’ schedules are already full with urgent tasks like patching vulnerabilities and reporting to regulators and the board, leaving them with little time to shift to a more proactive security strategy. As Goerlich puts it, “The more pressure there is, the less you can look ahead.”

Then there’s the related challenge of having to track and mitigate an increasing number of risks and threats. Gretzky might only have to skate toward the incoming puck, but security teams are dealing with “multiple pucks and multiple teams on the same ice,” Goerlich noted.

There are a number of steps CISOs can take to transform a purely reactive security program into one that better balances proactive and reactive security. For example, many CISOs already have threat hunting programs in place, and some participate in ISACs and other information-sharing entities. Here are four additional actions to help CISOs stay ahead of threats.

1. Security frameworks can help build proactiveness

Chetan Anand, vice president and CISO at fintech consultancy Profinch and a member of ISACA’s Emerging Trends Task Force, said he uses security frameworks to help his team “anticipate and prevent issues before they occur,” thereby shifting his security program to a more proactive mode.

Anand uses ISACA’s Digital Trust Ecosystem Framework (DTEF), which was released in early 2024 and is designed to be compatible with other existing frameworks and best practices, including COBIT, ITIL, GDPR, and multiple ISO and NIST standards.

Following a framework can help security break down silos, focus on resiliency, improve visibility into security operations, identify potential issues before they become problems, and prepare for emerging risks (because the frameworks themselves evolve as the threat landscape changes), he said.

Anand said he integrated ISO 27001:2022 Information Security Management System Requirements, ISO 9001:2015 Quality Management System Requirements, and ISO 31000:2018 Risk Management Guidelines through ISACA’s DTEF — three standards he also follows.

This all helps optimize security costs and improve resource efficiency, which can be redirected toward proactive activities rather than reactive ones, he noted, adding, “This helps with better planning and preparedness.”

He also said that following the framework allows security teams to better support business growth because they can show new customers and business partners that they have implemented appropriate measures to address future challenges. "So it's also a strategic advantage," he added.

Other CISOs seemed to agree with Anand’s emphasis on using frameworks, with the research showing that most CISOs use at least one framework. However, this use is not ubiquitous across all enterprise security teams, indicating there is still room for improvement.

2. Adopt a continuous improvement approach to safety planning

Ahmad Jowhar, research analyst in Info-Tech's security and privacy practice, said he hears a lot of CISOs talk about taking a more proactive posture — which he described as "anticipating and responding to threats and vulnerabilities before they penetrate or impact the enterprise."

In other words, he said, it means taking action today to mitigate threats tomorrow.

Jowhar noted that safety assessments, safety training and upskilling of all employees, as well as building a safety-conscious corporate culture, all contribute to a proactive safety posture.

But he also recommends that CISOs take a continuous improvement approach to managing their security programs — similar to the continuous improvement processes used by many software product teams and other functional areas in a typical enterprise.

“We see threats evolving and becoming more sophisticated, so CISOs need to evolve as well,” he explained. “They need to always be taking steps to improve, and not assume that what was implemented yesterday will work today and tomorrow. That’s the hallmark of proactive security.”

CISOs can do this through a variety of heuristic steps, Jowhar noted.

One of these steps is to identify the key business objectives of the organization and ensure that the security policy aligns with and supports those objectives.

Another key step is to understand the current state of your security program, identify the desired future state, and detail how to get there. “If you’re at Level 2 now, figure out how to get to Level 5. List the incremental steps from Level 2 to Level 3, then Level 3 to Level 4, and finally to Level 5, and get business buy-in for those steps,” Jowhar explains.

3. Hold regular future-focused meetings

As Goerlich points out, a CISO who wants to build a more proactive security program needs to look to the future. To ensure he has time to do that, Goerlich schedules regular off-site meetings every quarter where he and his team discuss upcoming changes.

“It establishes a process and a rhythm for us that helps us step away from the day-to-day and see the bigger picture,” he explains. “We start at the beginning and see what’s going to change in the next quarter, ask ourselves what we need to be prepared for, we look back and see what went well and what didn’t, and then we set goals to keep moving forward.”

Goerlich said he often invites external security experts, such as vendor executives and other thought leaders, to these meetings to get their insights on the evolution of threats and the emerging security tools and technologies to combat them. He also sometimes invites fellow executives from within the company so they can share their own plans and strategies — which helps ensure that security efforts are aligned with business needs and drive the enterprise forward.

He’s already seeing the results of this effort, citing an example where, during an offsite meeting, the team identified challenges in its privileged access management (PAM) process, specifically the large number of manual steps it required.

“It’s one of those processes that a company has built up over the years that made perfect sense at the time, but over time circumstances have changed and the process no longer works well,” Goerlich explains.

So the team redesigned the PAM program, reducing steps and replacing old tools with new ones, creating a more automated, efficient, and secure process.

Goerlich said this example illustrates the value of regular anticipation-focused meetings and how taking proactive steps translates into better security. He explained that the redesigned PAM process has improved operational efficiency and reduced the amount of emergency response work required by the security team to support traditional processes that relied on a lot of manual work.

4. Create and own the cybersecurity narrative within the organization

Michael Clark, head of cybersecurity consulting for the Americas at S-RM, a global intelligence and cybersecurity consultancy, said one of the biggest challenges CISOs face is getting enough support and resources to build a resilient security program that strikes the right balance between future protection activities and the ability to respond.

Clark attributes much of the problem to the current state of the cybersecurity narrative in the typical enterprise, saying the CISO's narrative is often communicated to the board through another executive who often presents a "rosier picture" of the threat landscape and the company's security posture.

“The message that the CISO wants to convey is not reaching the board,” he said, adding that CISOs need a channel to communicate with the board “for them to raise their concerns in a way that is not sugarcoated by that [communication person].”

That, he said, is crucial to staying one step ahead.

“The threat and regulatory landscape is changing, and technology is evolving in sophistication. If CISOs don’t have the support they need, it’s difficult to stay ahead of these changes,” he explained.

Being able to clearly articulate security dynamics to the CEO and board of directors and successfully advocate for the required resources has been a long-standing challenge for CISOs.

This problem is reflected in the 2024 SPMB Executive Search survey data, which found that only 27% of CISOs will report directly to the CEO in 2024 (up from 22% in 2023), and only 54% of CISOs report to the board of directors at least once a quarter. The survey also found that 5% of CISOs do not report to the board at all.

While other surveys show a higher percentage of CISOs reporting to the CEO and board, the overall research suggests direct CISO access to the board is still not common or frequent.

To address these challenges and gain the resources needed to implement proactive security measures, Clark advises CISOs to "create a narrative about how security can enable the business, protect the business, support the brand and enhance investor trust."

CISOs should measure and report on key risk-related metrics, show how those security measures align with and support business needs and strategies, and then use that information to tell the story of security efforts and identify areas for improvement, he said.

“Leaders don’t want to send a negative message to the board, and CISOs don’t want to be accused of exaggerating, so they have to create and own the narrative. They need to learn how to articulate how they support the business, how they protect the brand, and then on the other side, what the problems are, how they’re going to solve them, and how they’re going to prioritize those efforts,” Clark said.

Clark worked with a CISO client who reported to the board that the security team had identified 98% of the endpoints that needed protection without explaining how the remaining 2% was identified, how many endpoints were protected, why that mattered, what was needed to close the protection gap, and the risks of not taking action.

"They should say, 'This is what we can do with the current budget, and if we want to do more or do it faster, this is what's needed for safety,'" Clark said.

Such candid discussions are more likely to get CISOs the resources they need to implement security measures that help them stay ahead of reactive mode, he added.