Seven Steps to a Comprehensive Security Strategy - Have a 'Sensibility Broker' (Page 2 of 2)
No. 4: Have a "sensibility broker" on staff or on retainer
While it should be unthinkable that a person or organization hired to assess and
identify security risks and vulnerabilities would be chastised for doing so, it
does happen. Having a neutral go-between who can objectively deliver the results of
vulnerability assessments to potentially sensitive administrators and
executives is incredibly valuable, says Minyard.
“It doesn’t happen often, but sometimes folks in charge can be very
political and can get extremely defensive about their decisions, and they can
be afraid of losing their jobs if certain weaknesses are exposed," he
says.
Tucker says being the neutral, objective party is part of the role companies
like his play. He says it’s important to have a third party perform assessments
in addition to internal security scans and process reviews to ensure security
is matched up with corporate views and policies.
“For us, as consultants, we are asked to show these guys where their
vulnerabilities are; they embrace these results and are thankful that we’ve
pointed them out,” Tucker says. In some cases—though Tucker says Patriot hasn’t
ever experienced such a situation—it’s possible that individuals who aren’t
complying with certain corporate security policies could face repercussions.
No. 5: Build toward resiliency and robustness
This includes doing anything and everything possible to ensure continuity in
the event of disasters or, Minyard says, new and emerging threats like
pandemics.
“If a pandemic were to hit, you could expect something like a 40 percent
absentee rate of employees. You are not going to be able to get your business
done and keep running without personnel,” he says.
Robustness and resiliency preparedness means assessing situations like this
and making adjustments in the event of such disasters. For instance, a call
center with hundreds of employees seated two feet from each other is ripe for
the spread of disease, and measures should be put in place to protect employees
in the event of infection.
“People think that security just means putting up e-mail security and
firewalls and then you’re OK,” says Tucker. “But it’s important to be able to
discuss, plan for and combat emerging and evolving threats.”
No. 6: De-averaging the data
Many organizations assess the risk of various threats—hackers, viruses,
earthquakes, system failure, etc.—add them together and base their security
strategy and risk assessment on the average probability of these events
occurring, says Minyard.
“This is unacceptable. You can't take the mean of all threats and say,
‘Well, the probability across all of these is only 40 percent, so we’re OK,’”
he says. Instead, plans and responses must be developed to address each
individual threat.
“One threat, say, viruses or worms, may have a 70 percent chance of
occurring, while another, say, an earthquake, may only have a 10 percent
chance. Sure, the average of that is 40 percent, but there’s a huge discrepancy
there,” he says.
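As an added illustration (not part of the article, and not a tool Minyard or Tucker describe), the following Python sketch contrasts the two approaches over a constructed threat register. The threat names, probabilities and impact figures are made up for the example; the 70 percent and 10 percent cases echo the numbers in the quote above, and the tolerance thresholds are arbitrary assumptions. The point it shows is the one Minyard makes: the mean can sit comfortably under a tolerance while individual threats sit well over it, so each threat has to be evaluated, and planned for, on its own.

```python
"""De-averaging a threat register: per-threat evaluation versus one mean.

Added example, not from the original article. All figures are constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float   # likelihood of at least one occurrence per year (0..1)
    impact_usd: float           # estimated loss per occurrence


# Constructed sample register: illustrative numbers, not real estimates.
REGISTER = [
    Threat("virus / worm outbreak", 0.70, 150_000),
    Threat("earthquake", 0.10, 2_000_000),
    Threat("core system failure", 0.30, 400_000),
    Threat("targeted intrusion", 0.50, 750_000),
]


def averaged_view(threats):
    """The approach the article rejects: a single mean probability for everything."""
    return mean(t.annual_probability for t in threats)


def per_threat_view(threats, probability_tolerance, loss_tolerance_usd):
    """The de-averaged approach: judge every threat against its own thresholds.

    Returns (name, annual_probability, expected_annual_loss, reasons) for each
    threat that needs its own plan, most costly first.
    """
    findings = []
    for t in threats:
        ale = t.annual_probability * t.impact_usd  # annualised loss expectancy
        reasons = []
        if t.annual_probability > probability_tolerance:
            reasons.append("likelihood above tolerance")
        if ale > loss_tolerance_usd:
            reasons.append("expected loss above tolerance")
        if reasons:
            findings.append((t.name, t.annual_probability, round(ale), reasons))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


def needs_individual_plans(threats, probability_tolerance, loss_tolerance_usd):
    """True when the averaged view passes but at least one threat does not.

    This is exactly the blind spot the article warns about.
    """
    mean_ok = averaged_view(threats) <= probability_tolerance
    findings = per_threat_view(threats, probability_tolerance, loss_tolerance_usd)
    return mean_ok and len(findings) > 0


if __name__ == "__main__":
    tol_p, tol_loss = 0.40, 300_000  # assumed tolerances for the demo
    print(f"mean probability across register: {averaged_view(REGISTER):.2f}")
    for name, p, ale, why in per_threat_view(REGISTER, tol_p, tol_loss):
        print(f"  {name}: p={p:.2f}, expected annual loss=${ale:,}; {', '.join(why)}")
    print("averaged view hides threats needing a plan:",
          needs_individual_plans(REGISTER, tol_p, tol_loss))
```

With the constructed register the mean probability is 0.40, which would pass a 40 percent tolerance, while the per-threat view flags the worm outbreak (70 percent) and the targeted intrusion (50 percent, and the largest expected annual loss) as needing their own response plans.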
No. 7: Fix the whole thing, not just the elements
It’s a pretty common refrain in the security industry, but it bears
repeating—take a holistic approach to securing people, technology and processes
to ensure comprehensive security.
“Without looking at all of the components, a security strategy is about as
useful as patching one side of a levee,” Minyard says. “You have to see the
big picture, see how every application, every process, every employee and every
policy is connected together because an impact on any of those causes chain
reactions that impact them all.”