Seven Steps to a Comprehensive Security Strategy
By Sharon Linsenbach | Posted 2009-06-25
Accenture has been working with companies that are pioneering new approaches to smart IT disaster recovery and through this work has identified seven critical points common to the new security strategies.
It can't be stressed enough: ensuring data integrity, physical security and business continuity/disaster recovery is the most important action you can take for your business. Of course, developing a comprehensive strategy to address security threats, whether from hackers, viruses, malicious insider attacks, hurricanes, floods, earthquakes or hardware failure, is not a simple process, and it takes time, personnel and a significant monetary investment.
But compared with the potential loss of customers, reputation and revenue, these expenditures are paltry. The key is to develop and implement a security strategy that’s ongoing, embraces end-user and corporate executive education and, above all, recognizes that there’s only one constant in business as in life: change.
No. 1: Initiate and maintain conversations about business value and business risk
Determine what your customers can and can't live without, and which functions they can live with only in part, says Edward Minyard, a certified continuity manager with consulting firm Accenture.
"Some applications and infrastructure are must-haves, some are unimportant, and some are might-have-to-haves," Minyard says. "You have to find out what the key functions are that they can't live without at all, or that they can live without some of."
Minyard says most business continuity and disaster recovery plans are driven by compliance requirements, which is a good thing, but that many organizations that do develop such a plan simply put it on a shelf to be forgotten.
"They'll write a DR plan, but then it becomes shelfware because the compliance requirements ask only if they have a DR plan," he says. "If customers can say, 'Well, yes, we do,' they think they've complied, and that's not sufficient."
One extreme case of this mind-set is the destruction caused by Hurricane Katrina in New Orleans in August 2005. Minyard, who spent 18 months in the city after Katrina working to ensure that the city’s technological infrastructure was secure, says that while New Orleans had a disaster preparedness and recovery plan, the city had simply shelved it.
"What you have to get across is that the plan isn't important; planning is. Becoming complacent because you've complied is going to result in an even greater disaster," he says.
"You shouldn't only be thinking about major catastrophic things that could destroy a building or wipe out a city; you have to think about the small things, too," Minyard adds, such as an end user inadvertently deleting an entire mission-critical database. The same planning and response processes apply to both major and minor disasters.
No. 2: Play more war games
In short, continuously exercise your plan, testing it for flaws and weak points. A disaster or imminent crisis is not the time to be hoping and praying that your plan is effective.
Bruce Tucker, president and founder of network security solution provider Patriot Technologies, says education, together with this type of training and testing, is the most important and the most difficult aspect of a security strategy.
"All the best technology in the world can be defeated by one end user that isn't up to speed on policies or threats, isn't paying attention or is duped by social engineering," Tucker says. "Education is the single most important thing you can do, and it can't just be done once. It has to be a continuing conversation with your employees about what the threats are and what their responsibilities are as far as securing the company."
No. 3: Debrief and evaluate constantly
In the military, the term is "hotwash," a debriefing that takes place immediately after an incident, says Minyard. Once the hotwash is finished, the after-incident findings are folded back into the plans so that similar incidents are handled better if they occur again, he says.
"There needs to be a constant cycle of plan, test, evaluate, modify that is continuously running in the background as situations arise," he says. Since the scenarios you wrote and exercised are unlikely to be the ones that actually happen, it's important to stay alert and be ready for whatever does occur.
"We do our best to make sure we're constantly playing out what-if scenarios," says Tucker. "Implementing what we learn into new scenarios and doing it all over again so we know if something happens, this is how we would deal with it."