How to be security proactive according to Computer Associates Executive Security Advisor Diana Kelley during an Infosecurity New York conference presentation last week.:

Step 1: Understand business and technology requirements

What is your business trying to do? What technology do you need? Are you geographically distributed?

Step 2: Understand the constraints

Think legacy systems, processes and policies. Mainframes, client/server applications, DOS-based applications. What is of value to your business? What's the cost of loss?

Step 3: Select the right technology

Technology is about getting business done. Build detailed requests for proposal based on the above requirements. Know what you need before you talk to a vendor.

Step 4: Build a plan

Based on the above information, create an action plan. Inventory and assign value to the assets and protect them around business needs. Buy-in from all interested parties is important.

Step 5: Test and train

Systems, applications and people have a tricky way of behaving in production environments. Before roll out ensure that the solution works within a relational context. Untrained users are one of the biggest vulnerability vectors. Get sign off. Consider 'human' ways to engage the entire organization in the security process.

Step 6: Implement

Roll out new solutions and processes into production. Communicate changes clearly to affected parties. Manage and monitor effectiveness of the solutions. Use reporting and metrics as proof points.

[And what were the dangers?]

"Reactive security is like the little Dutch boy plugging holes in a leaking dike," said [...] Kelley. "Eventually you're going to run out of fingers."

Essentially, reactive security fails to protect, fails to respond in time, doesn't meet compliance regulations and is an example of overspending while under-protecting assets, Kelley said.