With Black Hat going on this week, I can't help but think a little about security topics. We've talked a little about this topic in the past, but I keep going back to how hard it is for small companies to have dedicated security teams. Not when your IT group is literally 1-3 people. You most likely don't have a red, blue, or purple team.
There are companies out there, though, who do security as a service. They will do your pen testing for you so you can get your ISO certifications, or do an audit. More "aaS" companies keep cropping up, so it's not a surprise. BUT... (you knew there was one)... security services in particular seem expensive in my (limited and rudimentary) research.
I've seen some amazing consulting companies and I have learned a LOT from them, but they're going for the big bucks from Fortune companies. That potentially makes them out of reach for small-medium enterprises as well, doesn't it? So then what do you do? Exactly what are YOU doing in this case?
For some more security resources, I found a few blog posts that may be of interest: