3 Practices to Adopt a Proactive Security Stance
Modified June 6, 2022 By Resolver
Significant data breaches. Physical theft of data-rich devices. Leaked IP. Hackers. These are four of every corporate security professional’s worst nightmares, and they’re becoming increasingly common.
While there’s no way to guarantee that your company will never experience a security-related nightmare, you can minimize the possibility and impact by adopting a proactive security stance. Human error (e.g., an unlocked laptop left open) and slick break-ins to steal data or harm systems are far from new issues, but they are rising in frequency and complexity. Keeping data and technology systems safe is no longer solely an IT risk issue but a corporate security one, as bad actors enter facilities with something as small as a USB key to capture information from—or release malware into—servers and hard drives.
Proactive security, a relatively new term in the corporate security world, aims to prevent major incidents before they happen instead of using significantly more resources to react and respond to them after the fact. Pieter Danhieux, co-founder and CEO/chairman of Secure Code Warrior, says that reactive security is “a little bit like calling an ambulance for a suspected heart attack. The outcome is often a lot less positive—not to mention more damaging—than if preventative health measures had been in force before it was too late.”
How can you be sure you don’t need to call a corporate security “ambulance” in the event of an incident? Implement these three security practices to take a proactive stance, and better prepare your company to mitigate and address potential corporate security breaches and incidents.
1. Get Support for the New Security Stance
You can’t move toward a proactive security stance without buy-in from your leadership and employees. People won’t be inspired to make security changes if they don’t understand the advantages of a proactive approach. The easiest way to show the benefits of proactive security and earn this support is to prove that a proactive approach to security is better than a reactive one.
Think critically about the security wins that would earn easy executive buy-in and motivate employees to contribute to the shift. Your examples should include how proactive security measures (like position-specific security training) will save time and costs that an incident response would likely require. (And if you need help with your presentation, download our free Corporate Security Presentation Template here.)
Additionally, finding and fixing security vulnerabilities now—instead of after revealing exposure—effectively mitigates an avoidable risk event. Support your position with numbers and specifics that clearly show how not adopting a proactive stance could hurt your business down the road.
Here are a few to get you started:
- There was a 47% increase in insider threats between 2018 and 2020.
- Eighty-two percent of 2021 security breaches were human-related (misuse, errors, social attacks).
- In 2019, 100% of tested website applications had at least one significant vulnerability.
2. Identify and Make Necessary Security Changes
You can’t fix what you don’t know is broken. In this case, you can’t instantly adopt a proactive security stance without first understanding and addressing the current security gaps that are keeping you from getting there. Past incidents have likely already made your team aware of some weak points in its current security system. However, it’s essential to understand the full scope of the risk management improvements you need to make, so you can proactively mitigate them.
Run an internal audit to analyze your security measures for potential weak points you might not be aware of. The audit process evaluates all of your security measures to ensure your people, places, and information are adequately protected while also providing a clear benchmark for security improvements. (If you need more information on the internal audit process, check out our blog post, What is a Corporate Security Audit? 5 Reasons to Regularly Run One.)
Knowing the scope of the changes you must make is pointless without implementing improvements to address them. After getting the audit results, create a clear plan to improve your security posture one function or department at a time. This way, you don’t overwhelm your team or leave yourself more open to risk events by working on multiple fronts. For example, penetration testing and program updates keep your systems and operations running smoothly. However, updating all programs at once would cause downtime and leave your systems open to data loss or tampering before the update is complete. This gradual shift toward a proactive security stance will take more time, but it will also keep your people and information safer.
3. Make Every Employee a Security Advocate
Your team can be your greatest asset in the shift toward proactive security, but only if you train and empower them. Every employee, vendor, and partner with access to your company’s data is a potential threat if they don’t have the awareness and skills to do their job securely. Mitigate the threat by teaching basic security skills to anyone with access to protected data or information.
Simple lessons help your employees do their daily jobs more safely. Some basics include:
- When and how to use a secure login
- Good password and social media hygiene
- Bring your own device (BYOD) and mobile device guidelines
- What devices should be encrypted and how to use them securely
A one-off training will teach some basic security skills, but you should also offer regular continued education—like an annual security test that earns employees a certificate—to keep security skills up to date. This way, your organization can keep its practices secure even as parameters change or your team grows.
In addition to teaching safe security practices, empower employees to enforce them as your security advocates. Every company would likely say they promote a “see something, say something” mindset, but few take the extra step to protect employees during that reporting process. Resources like anonymous reporting and whistleblower hotlines for tips make it easy for employees to share their security-related concerns and proactively advocate for better security without fear of repercussions.
Support Your Proactive Security Efforts with Resolver
These three practices will undoubtedly help your organization adopt a more proactive security stance and save you time and resources in the event of an incident. However, they are all more powerful when supported by the right tech stack and experienced industry partners.
Resolver’s easy-to-use corporate security, GRC, and information security solutions empower companies to make quick and effective security decisions, even during seasons of hypergrowth. Our team also has 20-plus years of experience in corporate security, positioning Resolver as the ideal partner for companies ready to adopt a proactive security stance quickly and with minimal friction. With a centralized dashboard and easy-to-use incident submission reporting, your team can easily and effectively move through the Corporate Security Value Cycle—Collect, Analyze, Act, and Report—to unlock risk intelligence and deliver true business value.
Learn more about how we work with our partners, or request a demo today.