Proactive or Reactive Security?
Risk is everywhere. It affects everyone, every business and every sector – however big or small the organisation. But how do you effectively manage your risk? Is it best to be proactive and prepared before something happens, or to be geared up to react to the situation as soon as the event occurs? To answer that question, we need to take a closer look at both approaches.
Proactive Risk Management
Every modern organisation proactively dedicates some resource to preventing risk happening in the first place. So banks use thick steel and concrete vaults with advanced electronic systems to prevent break-ins. Companies from convenience stores to casinos use cameras to deter theft, warn of imminent danger and help identify perpetrators after the event. Some organisations employ Intrusion Detection and Response Systems (IDRSes) to detect computer intrusions and activate defensive measures in response.
Reactive Risk Management
Just as every company takes some measures to prevent future business losses, many have reactive plans in place to respond effectively after they occur. Disaster Recovery Plans, the use of private investigation services and loss recovery specialists, the reinstallation of operating systems and applications on compromised systems, and switching to alternate systems in other locations are all good examples of reactive planning.
Both make perfect business sense. But how do you know which route to adopt or how much to spend? Which approach will work best for your business?
The next step is to plan properly and to be informed fully. And that means undertaking a thorough Risk Assessment of your business before you allocate any resources.
- A vulnerability assessment
This is completed by a security professional to identify the deficiencies and excesses in your security process. In essence, the security professional will consider the probability that an incident will occur and make recommendations to address vulnerabilities and ‘harden the target’.
- A cost/benefit analysis
This determines if the recommendations are affordable, feasible, and practical. At this point, controls and countermeasures are put into place to reduce or eliminate the deficiencies identified in the vulnerability assessment. These countermeasures may consist of hardware (fencing and locks), software (electronic access control), and people (security officers or employees) who will take on the role of guardian of the company’s assets.
- A test of the system
This ensures that everything is working properly and determines whether changes need to be made to achieve the desired level of security. The key to an effective security process is having the appropriate mix of physical security, electronic security, and personnel to meet security goals.
Whichever approach – or mix of approaches – you adopt, effective security policy and procedure must be a part of your business operation and be accepted by everyone for it to work effectively.
Security policies are the objectives, and they list the responsibilities and expectations for personnel.
Security procedures are detailed instructions outlining how personnel will physically carry out the objectives.
Security procedures change more often than security policies. For example, the security guard may be there to keep people away from a restricted area. Over time, this guard may be replaced by technology as people wait to be scanned before entry, but the policy remains the same.
We live in a complex, connected, shape-shifting world that seems to be more unpredictable by the day. Climate change is creating an annual increase in hurricanes, earthquakes, tsunamis, forest fires and so on, which wreak such destruction that it takes weeks, months or years to put right.
New Orleans is a good example of this. Eleven years on and the area has yet to be restored to pre-Katrina levels of wealth, infrastructure and economy.
Closer to home, our recent political upheaval within and without the EU issue, plus the ever-present threat of terrorism and cyber attacks, has created an atmosphere where ‘…we expect the impossible and unheard of to happen every day now’, as one political commentator put it.
And all this is in addition to the current levels of risk you’re already familiar with.
So to answer our opening question, both proactive and reactive security measures need to be in place, but not as separate entities. They need to work together seamlessly for your specific business needs to offer the most complete cover.
Which leads us to our final point. When it comes to dealing with risk, it becomes clear that being informed 24/7, budgeting appropriately, and understanding where mitigation can happen is still our wisest investment.