CISOs have long been tasked with building response and recovery capabilities, the objective being to have teams that can react to a security incident as quickly as possible and can restore business functions with as little damage as possible.

The need for those activities is certainly not going to go away, but many security chiefs are seeking to take more proactive steps to balance out reactive ones.

“On the proactive side, you’re trying to predict what kind of attack can occur in your environment and find your vulnerabilities before others do, so you reduce risk before it materializes,” says Pierre-Martin Tardif, cybersecurity professor at Université de Sherbrooke and member of the Emerging Trends Working Group with the professional IT governance association ISACA.

According to Tardif and other experts, a proactive strategy can do much more to ensure organizational resiliency than having only or mostly the ability to rapidly respond once an attack or breach has been detected.

“Our ultimate goal as a cybersecurity professional is to prevent cyber risks from being exploited by protecting our assets. Proactive programs are very successful in doing just that,” says Sandra Ajimotokin, a senior security program manager at a large global company and another member of ISACA’s Emerging Trends Working Group.

So, what sets CISOs who have embraced a proactive strategy apart? Here’s a look at what they commonly do:

1. They understand what they have, what they must protect, and what they’re protecting against

To build a proactive cybersecurity stance, multiple sources point to the need for CISOs to first understand what they have, know what requires the highest levels of protection, and recognize the risks an organization is willing to accept.
This helps CISOs identify which threats pose the biggest risks to their organizations and therefore require the most attention.

“A proactive cyber team understands their organization's risk profile and can identify risks that the organization hasn't faced yet,” Ajimotokin explains. “This is a key component of being able to prevent attacks from occurring, because they understand what needs to be protected and can think through all the ways it's vulnerable.”

John Deskurakis, chief product security officer for Carrier Global Corp., concurs, adding that CISOs need to do this on an ongoing basis, calling for the need for “continuous identification.” “Know what you are defending and why. Understand all the associated risks and continuously do so. Be the expert in terms of your attack surface and know it well, as it will grow and change.”

2. They have strong user authentication policies and a zero-trust approach.

Proactive security teams have a good understanding of not only their IT environments and their organization’s risk profile, but they also have a rock-solid understanding of who and what is accessing their network and each of their systems through strong user authentication policies, says Bryce Austin, CEO of TCE Strategy, a virtual CISO and cybersecurity consulting firm. Policies such as multifactor authentication help ensure that only authorized users get into the enterprise IT environment and work to keep all others out.

Tardif notes that many CISOs are implementing strong authentication requirements as part of their move to zero-trust architecture, in which all users – whether humans or devices – must verify they’re who they say they are before gaining access. But he notes that zero trust goes even further: it also restricts authenticated users’ access to only those systems and data they need to do their jobs.
Tardif says following this principle of least privilege is one more way for security to move its focus away from responding to incidents to proactively preventing them.

3. They’re agile and adaptive.

Another key for getting ahead of hackers is the ability for CISOs and their teams to pivot as quickly as – if not more quickly than – the bad actors.

To that end, Deskurakis says proactive CISOs have adopted “attack-centric thinking, [where you] avoid static and prescriptive check-box approaches, continuously evolve your tactics, and think like an attacker. A solid proactive defense capability is flexible and often shifting to meet ever evolving threats.”

Andrew Retrum, a managing director in the security and privacy practice at management consulting firm Protiviti, agrees. He draws on an ice hockey-based axiom about skating to where the puck is going to be – not to where it is, adding: “You want to get out in front of what’s coming your way.”

4. They’re plotting for the future.

Similarly, proactive CISOs have their eye on emerging tools, techniques, and regulations; moreover, they incorporate them into their strategies and their security programs before they become mainstream or mandatory.

For example, Retrum points to a CISO who had engaged his firm several years ago when it became clear that the New York Department of Financial Services would issue new cybersecurity requirements. “He wanted to get in front of that so he could advise other senior leaders about it. He wanted to make sure they were aware of what was to come,” Retrum remembers.

Retrum says he sees other CISOs take that approach as they look to what’s changing in their own enterprise environments or in the broader market, an approach that lets them ready their security departments in advance of those changes.
For example, he knows some CISOs who are already considering how the anticipated rise of quantum computing will impact their security program, identifying which current security measures will become ineffective and determining what protections they’ll use instead.

“Proactive security functions are thinking about all that now, and they’re putting together a roadmap for three to five years out,” he says, adding that there’s value in “looking ahead and knowing the future.”

5. They’re watching for impersonators.

Proactive security teams are looking for any misuse of their domain names, company logos, and other identifiers, says Carlos Rivera, principal research advisor with Info-Tech Research Group.

“They’re proactively searching for illicit use of their brand,” he says.

Security teams typically use SaaS-based tools or work with a managed security service provider for domain name monitoring that searches for spoofing and other forms of brand impersonation. This monitoring, Rivera says, can alert security teams early to hackers trying to use spoofed websites, hijacked corporate logos, and other forms of impersonation for phishing and other types of socially engineered attacks – thereby giving security teams time to counteract or even completely shut down those attack attempts before they become full-scale assaults or have any level of success.

6. They hunt for threats.

Bad actors frequently try to obfuscate their activities as they try to make their way through corporate networks and systems in search of a big payoff. (IBM’s 2022 Cost of a Data Breach Report, for example, found that organizations took an average of 207 days to identify a breach.)

That delayed identification has been a longstanding issue, one that puts security teams into reactive mode.
To counter that, security teams are increasingly turning to threat hunting to find any bad actors lurking in their environment before a breach or other attack occurs.

“Another element of a proactive security approach is participating in active threat hunting by looking for threats before they are able to be actively exploited. This can be from the technical angle (the vectors) as well as those that may wish to exploit (the actors),” explains Jon France, CISO at (ISC)², a nonprofit training and certification organization.

Threat hunting pays off. According to the SANS 2022 Threat Hunting Survey, 85% of respondents said threat hunting has improved the security posture of their organization. Meanwhile, experts say the use of machine learning and artificial intelligence should boost such figures even higher by helping enterprise security teams find threats even more quickly.

“Security professionals can benefit from ML’s ability to recognize patterns and predict outcomes, providing a level of visibility never seen before,” Ajimotokin says. “This could allow cyber teams to quickly scale, identify threats as early as possible, and mitigate an attack faster than ever.”

7. They hunt for vulnerabilities.

A strong vulnerability management program that identifies which known vulnerabilities exist within an organization and prioritizes patching those that present the highest risk is an important mark of a good security strategy.

But France says security teams that want to be proactive should go one step further and add vulnerability hunting to their programs.
He points out that vulnerability management programs have traditionally focused on addressing known problems, whereas vulnerability hunting challenges security teams to uncover unknown ones – such as insecure software code or misconfigurations that are unique to their own IT environments.

France and others recommend CISOs undergo regular penetration testing to seek out weak spots and create vulnerability disclosure programs and bug bounties to encourage and reward workers to search, find and fix such issues.

8. They practice their response

France says it may seem counterintuitive, but proactive security teams also regularly practice how they’ll respond and react in the event of a successful attack. This practice (typically in the form of running table-top drills) lets organizations get ahead in a few ways, France explains.

Because drills imagine and articulate how attacks could happen, they help security teams identify the vulnerabilities in their existing security programs. They can then work to close those gaps and – hopefully – prevent their imagined scenarios from happening, France says.

The drills also help identify deficiencies in response plans, which allows CISOs to close those gaps as well. These drills also build muscle memory, France adds, meaning the organization can move more quickly, efficiently and effectively when an event occurs so they can minimize the damage and get back to normal sooner.