Proactive Security: What It Means for Enterprise Security Strategy

Automotive icon Henry Ford is credited with saying, "If you do what you've always done, you'll get what you’ve always got."

It rings true for enterprise cybersecurity as well. It is considered standard operating procedure for CISOs to invest in the tried and true "assembly line" of enterprise cybersecurity solutions: firewalls, intrusion prevention, endpoint agents, SIEM, SOAR, and so on.

What do these solutions have in common? They deliver a measurable return on investment only after an active threat is targeting an organization.

Even though these product segments account for multiple billions of dollars in annual cybersecurity spending, according to Omdia research, the reality is that the vast majority of the security solutions enterprises use today are effective only if and when a threat is already on its doorstep, or, even worse, has broken down the door.

Make no mistake, these products do serve an important purpose; threat actors are remarkably creative, and enterprises will never be able to avoid all the threats likely to come their way. But enterprises should be able to avoid some threats, and certainly many more than they do today.

The only way to change the result is to change the approach. That new approach, one that finally pulls enterprise cybersecurity out of its traditional defensive posture, is what Omdia has termed Proactive Security.

Defining Proactive Security

Omdia formally defines Proactive Security as technologies (including those provided as services) that enable organizations to seek out and mitigate likely threats and threat conditions before they pose a danger to the extended IT environment.

Proactive Security creates the opportunity for enterprises to consistently and programmatically address the specific circumstances — unknown IT assets, vulnerable software, misconfigurations, and the like — that create opportunities for threats to exploit the extended enterprise environment.

Proactive Security isn't a radical concept, but it can be challenging to grasp at first because it represents not only a divergent technological approach versus what many organizations may be used to but also requires embracing a new philosophical approach to cybersecurity.

From a technological standpoint, many of the solution categories that Omdia catalogs under Proactive Security, such as patch management, cloud security posture management, and DevSecOps/pre-runtime security, are well established.

But a variety of evolving or emerging segments, such as risk-based vulnerability management (RBVM), extended security posture management (xSPM), and incident simulation and testing (IST), among others, are quickly gaining traction because enterprises understand the growing importance of investing in solutions that interrupt attacks as early in the attack chain as possible. The ideal approach is to disrupt attacks before they can ever take place.

In turn, Omdia endorses what it calls a Continuous Security Protection model. By combining traditional preventative and reactive approaches with Proactive Security, organizations can ensure their cybersecurity architectures stop active threats as well as identity and diffuse threat conditions before they can create opportunities for threats.

A New Way of Thinking

From a philosophical standpoint, Proactive Security encourages enterprise cybersecurity decision-makers to rethink what successful security programs look like, specifically in the context of cybersecurity risk reduction.

A Proactive Security strategy requires developing a full view of an organization’s attack surface; measuring cybersecurity risk-based, in part, on unique business context; and programmatically executing on prioritization and remediation.

This philosophical approach to Proactive Security will not only serve as a means of maturing key processes related to defining and measuring cybersecurity risk, but also enable organizations to consistently reduce cybersecurity risk in a demonstrable way, while also supporting broader business risk management efforts.

Omdia believes that enterprises should and will increase the percentage of their cybersecurity technology budgets allocated specifically for Proactive Security solutions. Proactive Security is the undercurrent behind a whole new wave of industry innovation that will help organizations become more resilient; it's also the long-missing technological approach that will enable organizations to reduce cybersecurity risk and improve cybersecurity outcomes.

For all enterprises, Proactive Security will be a journey; for some, it will come with the need for significant change. Different approaches always do, but there is little question that the industry as a whole is eager for a better approach that will reduce the number of potentially successful attacks that organizations face.

The era of Proactive Security is here, and it is long overdue.

For more information on Proactive Security, read the Omdia research report, "Fundamentals of Proactive Security," from analysts Eric Parizo and Andrew Braunberg (Omdia subscription required).