Have a 'Sensibility Broker'
By Sharon Linsenbach | Posted 2009-06-25
Accenture has been working with companies that are pioneering new approaches to smart IT disaster recovery and through this work has identified seven critical points common to the new security strategies.
No. 4: Have a "sensibility broker" on staff or on retainer
While it’s unthinkable that a person or organization hired to assess and identify security risks and vulnerabilities would be chastised for doing so, it does happen. Having a neutral go-between that can deliver the results of vulnerability assessments to potentially sensitive administrators and executives objectively is incredibly valuable, says Minyard.
"For us, as consultants, we are asked to show these guys where their vulnerabilities are; they embrace these results and are thankful that we’ve pointed them out," Tucker says. In some cases—though Tucker says Patriot hasn’t ever experienced such a situation—it’s possible that individuals who aren’t complying with certain corporate security policies could face repercussions.
No. 5: Build toward resiliency and robustness
This includes doing anything and everything possible to ensure continuity in the event of disasters or, Minyard says, new and emerging threats like pandemics.
"If a pandemic were to hit, you could expect something like a 40 percent absentee rate of employees. You are not going to be able to get your business done and keep running without personnel," he says.
Robustness and resiliency preparedness means assessing situations like this and making adjustments in the event of such disasters. For instance, a call center with hundreds of employees seated two feet from each other is ripe for the spread of disease, and measures should be put in place to protect employees in the event of infection.
"People think that security just means putting up e-mail security and firewalls and then you’re OK," says Tucker. "But it’s important to be able to discuss, plan for and combat emerging and evolving threats."
No. 6: De-averaging the data
Many organizations assess the risk of various threats—hackers, viruses, earthquakes, system failure, etc.—add them together and base their security strategy and risk assessment on the average probability of these events occurring, says Minyard.
"This is unacceptable. You can't take the mean of all threats and say, 'Well, the probability across all of these is only 40 percent, so we’re OK,'" he says. Instead, plans and responses must be developed to address each individual threat.
"One threat, say, viruses or worms, may have a 70 percent chance of occurring, while another, say, an earthquake, may only have a 10 percent chance. Sure, the average of that is 40 percent, but there’s a huge discrepancy there," he says.
No. 7: Fix the whole thing, not just the elements
It’s a pretty common refrain in the security industry, but it bears repeating—take a holistic approach to securing people, technology and processes to ensure comprehensive security.
"Without looking at all of the components, a security strategy is about as useful as patching one side of a levee," Minyard says. "You have to see the big picture, see how every application, every process, every employee and every policy is connected together because an impact on any of those causes chain reactions that impact them all."