Security Risk Management: Should You Take A Reactive or Proactive Approach?
In a world of evolving threats, executives are faced with the challenge of deciding whether to allocate scarce security resources in proactive investments that may prevent attacks or in reactive investments in response to security failures. Some researchers have argued that the most effective security investments are those based on lessons from past attacks, particularly when defending against similar incidents.
They suggest that proactive strategies require large upfront investments and that it is difficult to know where to invest because the threats are constantly evolving. Rather than proactively preparing for every possible threat, they advise first observing attacks and then allocating security resources to closing security holes. By focusing on quickly fighting attacks, the reactive crowd hopes to maximize the impact of security spending by avoiding investment in phantom threats.
On the other hand, advocates of prevention argue that proactive organizations build a deeper understanding of both the weaknesses and the threats. The research literature provides some support for this notion, as studies in related areas, like product recalls, have found that proactive investments are particularly effective because they stimulate organizational learning. Rather than simply reacting to failures, proactive initiatives involve identifying and quantifying risk, and investing in mitigating the largest risks (based on probability of occurrence and likely impact).
In a study appearing later this fall, my colleague Dr. Juhee Kwon and I provide evidence that proactive strategies are more effective in managing security risk. Examining the security investment decisions and breach history of 2,386 organizations in the healthcare sector over a five-year period, we found that proactive investments were associated with lower security failure rates than investments made in reaction to breaches. Considering the organizational costs of breach disclosure and remediation, we also found that proactive investments are more cost-effective than reactive investments.
A data-driven evaluation of overall security posture is the first step in any proactive approach. Following the evidence to learn the weak points and the related risks provides clues on where best to invest. Such an evaluation should look beyond internal systems to include risks presented by business partners. Too often, ecosystem risk is ignored. But a scan of the recent headlines shows that major security failures often occur in partner firms that form the extended enterprise. An active vendor risk assessment program can provide early warning of trouble spots and guide negotiations with partners that hold sensitive data. Proactive organizations actively manage risk by continuously evaluating current risks rather than focusing on the past.