Security - Channel Insider
    Seven Steps to a Comprehensive Security Strategy

    in Security




      Table of Contents:
    1. Seven Steps to a Comprehensive Security Strategy
    2. Have a 'Sensibility Broker'

    Accenture has been working with companies that are pioneering new approaches to smart IT disaster recovery and through this work has identified seven critical points common to the new security strategies.



    ( Page 1 of 2 )

    It can’t be stressed enough: ensuring data integrity, physical security and business continuity/disaster recovery is the most important action you can take for your business. Of course, developing a comprehensive strategy to address security threats, whether from hackers, viruses, malicious insider attacks, hurricanes, floods, earthquakes or hardware failure, is not a simple process and takes time, personnel and a significant monetary investment.

    But compared with the potential loss of customers, reputation and revenue, these expenditures are paltry. The key is to develop and implement a security strategy that’s ongoing, embraces end-user and corporate executive education and, above all, recognizes that there’s only one constant in business as in life: change.

    Accenture has been working with companies that are pioneering new approaches to smart IT disaster recovery, and through this work the global systems integrator identified seven critical points common to the new security strategies.

    No. 1: Initiate and maintain conversations about business value and business risk

    Determine what your customers can and can’t live without, and even what they can live with only part of, says Edward Minyard, a certified continuity manager with consulting firm Accenture.

    “Some applications and infrastructure are must-haves, some are unimportant, and some are might-have-to-haves,” Minyard says. “You have to find out what are key functions they can't live without at all or can live without some of them.”

    Minyard says most business continuity and disaster recovery plans are driven by compliance requirements, which is a good thing, but that many organizations that do develop such a plan simply put it on a shelf to be forgotten.

    “They'll write a DR plan, but then it becomes shelfware because the compliance requirements ask only if they have a DR plan,” he says. “If customers can say, ‘Well, yes, we do,’ they think they’ve complied, and that’s not sufficient.”

    One extreme case of this mind-set is the destruction caused by Hurricane Katrina in New Orleans in August 2005. Minyard, who spent 18 months in the city after Katrina working to ensure that the city’s technological infrastructure was secure, says that while New Orleans had a disaster preparedness and recovery plan, the city had simply shelved it.

    “What you have to get across is that the plan isn't important; planning is. Becoming complacent because you've complied is going to result in an even greater disaster,” he says.

    “You shouldn't only be thinking about major catastrophic things that could destroy a building or wipe out a city; you have to think about the small things, too,” Minyard adds, like an end user inadvertently deleting an entire mission-critical database. The same processes are used to deal with both major and minor disasters.

    No. 2: Play more war games

    In short, continuously exercise your plan, testing it for flaws and weak points. A disaster or imminent crisis is not the time to be hoping and praying that your plan is effective.

    Bruce Tucker, president and founder of network security solution provider Patriot Technologies, says education and this type of training and testing are the most important and the most difficult aspects of security strategies.

    “All the best technology in the world can be defeated by one end user that isn't up to speed on policies or threats, isn't paying attention or is duped by social engineering,” Tucker says. “Education is the single most important thing you can do, and it can’t just be done once. It has to be a continuing conversation with your employees about what the threats are and what their responsibilities are as far as securing the company.”

    No. 3: Debrief and evaluate constantly

    In the military, the term is "hotwash," which is a debriefing that takes place immediately after an incident, says Minyard. Once the hotwash is finished, after-incident reports are integrated into plans to address similar incidents were they to occur in the future, he says.

    “There needs to be a constant cycle of plan, test, evaluate, modify that is continuously running in the background as situations arise,” he says. Since it’s improbable that the scenarios in the DR exercises you write and test will be the ones that actually happen, it’s important to stay alert and be ready for anything.

    “We do our best to make sure we're constantly playing out what-if scenarios,” says Tucker. “Implementing what we learn into new scenarios and doing it all over again so we know if something happens, this is how we would deal with it.”



     
     
    >>> More Security Articles          >>> More By Sharon Linsenbach