I had the opportunity to meet with a relatively small business yesterday.  This company doesn’t have an in house IT person, they use an outside “Guy”.  A month or so back the accountant at the office had the foresight to contact an email and web security company and place an order for email and web blocking services.  The intent was so she could add another layer of protection to her assets.  She also wants a security assessment as a second pair of eyes to ensure they are doing everything they can to protect their clients. Now what is wrong with story?  For the company, absolutely nothing.  They have a fabulous forward thinking accountant paying attention to the details of network security.  If she is paying attention to that then I would bet a steak dinner that she is paying attention to all the other little details of the business and the clients they work with.

What about the IT guy in this story?  Where was he during all of this?  Why did it take the accountant to contact the SaaS company because of security concerns?  Most general IT people are not concerned with security and more importantly they are not worried about protecting your assets and reducing partner risk. 

One final thought.  If a small company of 15 employees takes the time to work on security, are you?