Security Risk Management: Proactive vs. Reactive

reactive vs proactiveRecently I was asked what is the difference between proactive or reactive security management? It’s a good question and one that I have heard several times recently. For me reactive is dealing with or responding to an incident or situation or question…..with this approach you tend to play catch up all of the time.  On the other hand I consider proactive as not only to prevent but also to detect.

I actually think a large proportion of our jobs are focused on being reactive. There will always be an element of shutting the door after the horse has bolted…but isn’t that how we learn, and make recommendations to reduce the likelihood & impact in the future?

Proactive Man

Is it a bird? Is it a plan? No it’s ‘Proactive Man’

We would all like to be this proactive super hero and be one step ahead of the ‘bad guys’, or the ‘stupid guys’ or the ‘sneaky guys’ (all three ideally), but in reality this doesn’t always happen.

Most businesses see security as attributing to its overall resilience in order to keep things running smoothly and to stop incidents or breaches occurring. I often consider myself as solving problems that the business doesn’t know exits. Does that mean I am being proactive?

We certainly have elements of our work that is proactive by writing effective policies & procedures, doing security reviews/audits, carrying out threat/risk assessments, actively engaging across the business and contributing towards a culture where staff and line managers feel empowered to challenge. But is this enough to say you are PROACTIVE, should you be doing more?

How about…..monitoring the internet, social media, chat rooms for potential threats (aka OSINT)? Should you have security officers checking for breaches of your clear desk policy and ensuring sensitive information is safe? Should you invest more time in improving the overall security culture and awareness of your employees? Should you monitor for insider threats? Should you carry out of trend analysis of incident reports?

In my opinion to consider your security management program as being proactive you need to be doing as many of these as possible but in order to do them you will need the resources, the tools, £’s and of course the time! As I have mentioned before in a previous post the Corporate Security world is still evolving, but lets pick the right areas to focus on as in my opinion reactive vs. proactive is just another way of asking ‘how do you manage risk’? PD


security risk personnel security security management protective security cyber security what is physical security jobs


For more information about me please checkout my Linkedin profile at

Tagged with: ,