
Showing posts from September, 2011

Small businesses are exposed to security risks - and have no idea

One of the concerns I've had as an InfoSec professional is what about those businesses that maybe aren't covered by PCI requirements (or outsource that risk by partnering with companies who do the transactions for them) but also have a certain amount of computers, intellectual property, or confidential/private/trade secret data that they should protect. Most small to midsized businesses haven't classically pursued things like risk management, security, and governance as aggressively as the larger or public companies (for various reasons including cost, fewer compliance drivers, etc.). Today I saw an article that pointed out that small to midsized businesses are underprepared for a security incident, and many have never had a simple security assessment performed, or know what they should do to reduce the likelihood of a security incident. Starting today Practical Information Security will be offering consultations for small businesses that want to get a hand

New Verizon PCI Compliance report for 2011

Here is the link to the report: http://www.verizonbusiness.com/resources/reports/rp_2011-payment-card-industry-compliance-report_en_xg.pdf (In the interest of full disclosure, I worked for Verizon Business from 2008-2009). For people who have to deal with Information Security on a daily basis, the results of the report shouldn't be a surprise. PCI is a great idea but really hard to do, and by being compliant with PCI (or any standard) you are not then "secure". It should provide a baseline and a starting point for your security program; you can't just download a copy of the PCI DSS and say "this is my company's security standard". The value that we as Information Security professionals provide is the ability to interpret business needs and security/compliance requirements into achievable configurations, standards, policies, etc. If we just try and implement something off the shelf (no matter how good it is) it won't fit, be complete, or me