The Reason Only 15% of Organizations Have a Proactive Approach to Cybersecurity


CISO of Major UK Retailer Weighs in on Enterprise IoT Security:
https://securityintelligence.com/post...

The current security workforce shortage leaves security functions in a reactive mode, with few resources to spare on proactive tasks.

Traditional approaches to purchasing security technology have resulted in a heavy focus on point products to address specific threats. These products are frequently centered on prevention, with insufficient focus on detection and response.

A proactive approach to cybersecurity means that instead of focusing on the latest threat and purchasing technology or a service to address it, enterprises take an end-to-end view of their security controls (including people and process, alongside technology). This requires an investment of time, and assumes in the first place that people are available within the existing workforce.

Established frameworks are a great starting point for the move to proactivity. The NIST framework is probably the most well-known and respected. It covers the security control buckets of prevent, detect, and respond that Ovum refers to in its security coverage. Additionally, the NIST framework uses “identify”, which is the preparation stage (Ovum rolls this into prevent), and “recover”, which Ovum incorporates into respond.

Projects that are part of digital transformation initiatives (digital transformation is an overused term but reasonably well understood) should have security reviews incorporated from the outset. These reviews should cover not only privacy (as per GDPR and similar legislation) but also broader security, to understand how operationalizing the project expands the threat landscape. This is the start of a proactive approach. Business Impact Assessment and Business Impact Reference tables are helpful in developing a proactive approach to cybersecurity and digital risk, as they help build understanding of the risks and impacts.
