The Rule of Preventative Action is: Security can only be successful if it is accomplished through a proactive approach. This is another vital separator between those organizations that have had no major security issues and those that are continually plagued with hackers and "mysteriously" malfunctioning systems. We, as humans, have a strong tendency to lean toward a reactive response in most situations. Often, we consider proactive measures to be quite time-consuming and distracting from our real work. Somehow, patching the roof seems like so much more work when it is not raining outside. Likewise, checking for new security patches seems quite wasteful until our critical email server is compromised by a well-known exploit. It is important to recognize that resistance to proactive measures comes from several sources, including users and management. In many organizations, adopting a proactive response to security is met with the following responses:
The main social dilemma here is that placing added security controls where there appear to be no security issues is scrutinized, while the reactive response of kicking a hacker out of a network is considered a glorious triumph. To be a good security professional, and to overcome many obstacles of security, we must always be proactive, despite our human programming. Without taking proactive measures, an organization has little hope of remaining secure.

Practicing This Rule

To apply this rule and maintain the security of an infrastructure, proactive security measures must become the focus. In accordance with the virtues, security must be considered in every decision. Before an action is taken, security implications must be accounted for. It should be a daily routine for an organization to check for new vulnerabilities and exploits, apply patches, and otherwise participate in the security community. Here are some good practices to start with: