NIST has published an excellent draft guide that covers the basics of information security without throwing users in at the deep end. It seems to address the "certainties" of security risks and provide very basic methods of addressing them, without being too product-focused.
It is likely, although it will depend on the organization, that SMBs will need to work through this to understand how their current practices compare to this guidance, and figure out the most effective ways to address any shortfalls.
I would encourage all security professionals to give the guide a read and provide Richard with comments on improvements to make this guide as helpful as possible. Just don't be like Gartner's Adam Hills and post a critique before the standard is published.