How would you design a security strategy for a consulting firm that handles highly sensitive client data?