David Lacey's IT Security Blog

Recent Posts

  • The slow, painful death of real information security
    David Lacey 02 Jul 2011
    I've blogged before about the perils of best practices and standards, and the crippling effect of compliance on security programmes. The consequences, however, are getting more serious as these ...

  • Countering Advanced Persistent Threats
    David Lacey 11 Jun 2011
    This week's ISSA-UK Chapter meeting addressed the subject of the Advanced Persistent Threat (APT). It was illuminating to hear four very different perspectives from a government expert, an ...

  • Self-encrypting drives
    David Lacey 07 Jun 2011
    I've long been an enthusiastic supporter of self-encrypting drives (SEDs), a technology that offers substantially better performance and security than software-based encryption solutions. SEDs can ...

  • Lessons from the attack on Lockheed Martin
    David Lacey 03 Jun 2011
    Regardless of who got access to what (if anything) in the recent reported cyber attack against Lockheed Martin, this incident contains valuable lessons for everyone. Here are some key principles to ...

  • Why you need an elevator pitch
    David Lacey 20 May 2011
    Ian Cook's excellent Dragon News Bytes drew my attention to an article in the Wall Street Journal on the importance of having a prepared elevator speech. It's an essential requirement for any CISO, ...

  • Keep it Simple Stupid
    David Lacey 19 May 2011
    One of the most important principles to observe in information security management is the KISS principle. Users will only accept solutions that are fast, cheap and simple. Security is a "grudge ...

  • The Three Faces of Information Security
    David Lacey 25 Apr 2011
    Last week's sessions at Infosecurity Europe reminded me of the difference between compliance and real security. They are quite distinct objectives. They are in fact two of the three faces of ...

  • Reflections on Infosecurity Europe 2011
    David Lacey 24 Apr 2011
    This week's Infosecurity Europe seemed quieter than usual. It was no surprise of course as it bordered on the Easter holiday. But it was a good event, made enjoyable and interesting by a ...

  • What keeps you awake at night?
    David Lacey 14 Apr 2011
    I had an email from Charles Pask yesterday, asking me for my opinion on "What keeps CISOs awake at night?" It's a good question. I thought for a bit and decided that "advanced persistent threat" ...

  • Is this as good as it gets?
    David Lacey 30 Mar 2011
    Every single day we hear new reports about large organizations being thoroughly penetrated by sophisticated attacks. Just when we thought it could not get any worse, it does. This is not just bad ...

  • RSA hack is a timely reminder of the need for richer authentication
    David Lacey 20 Mar 2011
    Last week's admission by RSA that they had been the victim of a sophisticated espionage hack that could reduce the effectiveness of its authentication SecurID product, reminds us of the danger of ...

  • A security standard for small and medium sized enterprises
    David Lacey 11 Mar 2011
    I'm delighted to announce the launch of the first information security standard for small and medium sized enterprises (SMEs, or SMBs as they're known in the USA). SMEs represent 99.9% of the ...

  • Countering APT attacks
    David Lacey 10 Mar 2011
    Leaked emails from the hacking of HBGary, a top US security investigator, provide further insight into the techniques and targets associated with advanced persistent threat (APT) attacks (a ...

  • Space Weather: The Next Y2K
    David Lacey 03 Mar 2011
    A few weeks ago the press carried stories of a future "Global Katrina" costing the world economy $2,000 billion, caused by intense solar storms that are due in a year or two. Hardly anyone batted ...

  • Cloud computing is not outsourcing
    David Lacey 22 Feb 2011
    An article in Computerworld UK reports that the latest advice from the Information Security Forum (ISF) is that information security professionals should treat cloud computing as they would any ...