Security - Channel Insider
Empowering the next generation Channel
 


    Seven Steps to a Comprehensive Security Strategy


    Accenture has been working with companies that are pioneering new approaches to smart IT disaster recovery and through this work has identified seven critical points common to the new security strategies.


    Seven Steps to a Comprehensive Security Strategy - Have a 'Sensibility Broker'


    ( Page 2 of 2 )

     

    No. 4: Have a "sensibility broker" on staff or on retainer

    While it may seem unthinkable that a person or organization hired to assess and identify security risks and vulnerabilities would be chastised for doing so, it does happen. Having a neutral go-between who can objectively deliver the results of vulnerability assessments to potentially sensitive administrators and executives is incredibly valuable, says Minyard.

    “It doesn’t happen often, but sometimes folks in charge can be very political and can get extremely defensive about their decisions, and they can be afraid of losing their jobs if certain weaknesses are exposed,” he says.

    Tucker says being the neutral, objective party is part of the role companies like his play. He says it’s important to have a third party perform assessments in addition to internal security scans and process reviews to ensure security is matched up with corporate views and policies.

    “For us, as consultants, we are asked to show these guys where their vulnerabilities are; they embrace these results and are thankful that we’ve pointed them out,” Tucker says. In some cases—though Tucker says Patriot hasn’t ever experienced such a situation—it’s possible that individuals who aren’t complying with certain corporate security policies could face repercussions.

    No. 5: Build toward resiliency and robustness

    This includes doing anything and everything possible to ensure continuity in the event of disasters or, Minyard says, new and emerging threats like pandemics.

    “If a pandemic were to hit, you could expect something like a 40 percent absentee rate of employees. You are not going to be able to get your business done and keep running without personnel,” he says.

    Robustness and resiliency preparedness means assessing situations like this and making adjustments in the event of such disasters. For instance, a call center with hundreds of employees seated two feet from each other is ripe for the spread of disease, and measures should be put in place to protect employees in the event of infection.

    “People think that security just means putting up e-mail security and firewalls and then you’re OK,” says Tucker. “But it’s important to be able to discuss, plan for and combat emerging and evolving threats.”

    No. 6: De-averaging the data

    Many organizations assess the risk of various threats—hackers, viruses, earthquakes, system failure, etc.—add them together and base their security strategy and risk assessment on the average probability of these events occurring, says Minyard.

    “This is unacceptable. You can't take the mean of all threats and say, ‘Well, the probability across all of these is only 40 percent, so we’re OK,’” he says. Instead, plans and responses must be developed to address each individual threat.

    “One threat, say, viruses or worms, may have a 70 percent chance of occurring, while another, say, an earthquake, may only have a 10 percent chance. Sure, the average of that is 40 percent, but there’s a huge discrepancy there,” he says.

    No. 7: Fix the whole thing, not just the elements

    It’s a pretty common refrain in the security industry, but it bears repeating—take a holistic approach to securing people, technology and processes to ensure comprehensive security.

    “Without looking at all of the components, a security strategy is about as useful as patching one side of a levee,” Minyard says. “You have to see the big picture, see how every application, every process, every employee and every policy is connected together because an impact on any of those causes chain reactions that impact them all.”




     
     
    >>> More Security Articles          >>> More By Sharon Linsenbach
     


     


