Tuesday, June 4, 2013

Security is more than just IT

Security assurance questionnaires are becoming more and more relevant. Liability is being shuffled around like a hot potato from corporation to corporation. Your business partners are trusting your business with sensitive data such as client names, sales numbers, Social Security numbers, and medical records. Whatever the data, you must not only protect it but also prove you can protect it. Having policies, vulnerability scans, awareness training, and other controls in place is essential. Most small to mid-sized companies lack the expertise to build an effective security program. If you believe the IT department is in charge of protecting your data, you will fail an audit. Business decisions need to be made by business owners, not by IT. Data classification, personnel policies, BCP and DR, and regulatory compliance, among many others, fall well outside of IT. Make sure you are protecting your data and not falling victim to the assumption that security is happening when there is no evidence of it. A firewall alone will not protect your business.
