Determine what customers can and can’t live without. “Some applications and infrastructure are must-haves, some are unimportant and some are might-have-to-haves,” says Edward Minyard, a Certified Continuity Manager with consulting firm Accenture.
Continuously exercise your plan, testing it for flaws and weak points. A disaster or imminent crisis is not the time to be hoping and praying that your plan is effective. “All the best technology in the world can be defeated by one end-user that isn’t up to speed on policies or threats, isn’t paying attention or is duped by social engineering,” says Bruce Tucker, President and Founder of network security solution provider Patriot Technologies.
In the military, the term is “hotwash,” which is a debriefing that takes place immediately after an incident, says Minyard. After-incident reports are integrated into plans to address similar incidents were they to occur in the future. “There needs to be a constant cycle of plan, test, evaluate, modify that is continuously running in the background as situations arise.”
Having a neutral go-between who can objectively deliver the results of vulnerability assessments to potentially sensitive administrators and executives is incredibly valuable. “It doesn’t happen often, but sometimes folks in charge can be very political and can get extremely defensive about their decisions” and they can be afraid of losing their jobs if certain weaknesses are exposed, Minyard says.
Preparedness means assessing potential situations and making adjustments to mitigate disasters. For instance, a call center with hundreds of employees seated two feet from each other is ripe for the spread of disease, and measures should be put in place to protect employees in the event of infection. “You are not going to be able to get your business done and keep running without personnel,” Minyard says.
Many organizations assess the risk of various individual threats and base security strategy and risk assessment on the average probability of these events occurring. “This is unacceptable,” Minyard says. Instead, plans and responses must be developed to address each individual threat.
It’s a pretty common refrain in the security industry, but it bears repeating – take a holistic approach to securing people, technology and processes. “Without looking at all of the components, a security strategy is about as useful as patching one side of a levee,” Minyard says.