Recent Blog Posts
IT risk management
Write side up - by Freeform Dynamics
How have attitudes to risk and resilience changed?
Freeform Dynamics 07 Jan 2021 The New Year is traditionally a time for reflections as well as resolutions. With Throwback Thursday we are happy to offer you both, as we look back to June 2008, when Freeform Dynamics published a ...
Computer Weekly Editors Blog
Technology is losing its battle to be a unifying force
Editor in chief 30 Jan 2020 The pioneers of the internet and the web saw themselves as liberators. They believed, passionately, they were creating a better world – one that was open, collaborative, broke down barriers, and ...
So here we are in 2020, and almost everything is still working as normal. The apocalyptic Y2K bug that caused such a thrill 20 years ago found its sequel in Y2.02K, but rather than nuclear reactor ...
Write side up - by Freeform Dynamics
Millennial versus Mature – who's the real IT security risk?
Freeform Dynamics 29 Jun 2018 Passwords have been the mainstay for securing applications, devices and the data they hold, pretty much ever since IT was invented. It’s an approach that has always had weaknesses though, mostly ...
As cybercrime becomes ever more widespread and the actors involved diversify, targeted organisations must become more sophisticated and timely in their ability to detect and respond.
I’ve had some interesting conversations recently with Professor Fred Piper regarding risk probability. The discussion started because I was concerned about assessments of risk probability, as one ...
I've been pressing for greater speed in security management for many years. "Replace the Deming Loop with the Boyd (OODA) loop" has been my mantra. Yet when I first encountered DEVOPS, I ...
Information security expert David Lacey discussed the latest ideas, best practices, and business issues associated with managing security.
Dealing with the operational challenges of information security and risk management.
A look at the latest trends in IT security from the experts at Bloor Security.
Heavy demands for research and consultancy have restricted my blog postings this year. It's a reflection of the unrelenting growth in anything connected with cyber security. My New Year's ...
I admit to being a long-standing critic of past UK government research initiatives. Having sponsored and managed several partly-funded research projects I've been disappointed with the decreasing ...
I missed the opening of this year's Infosecurity Europe as I was speaking in Zurich. I did however catch the end, though there was little to fire my attention. The theme was dated, the slogans on ...
It was interesting to see Tim Cook, CEO of Apple, voicing his opinions that government and companies should not have access to private consumer information. It's rich coming from a vendor with ...
I almost forgot to mention that last week's New Statesman carried a major feature on Cyber security in Britain, including articles from Francis Maude, Peter Sommer and myself. (Mine's the doom and ...
Last week GCHQ was censured over its sharing of internet surveillance data with the United States. There's no real surprise here. But what is interesting is to read it in the context of the New ...
I keep reading defeatist talk. The latest is from a chap called James Lewis, a cybersecurity expert at the Washington DC based Center for Strategic and International Studies, who has been claiming ...
The last two years have been an eye-opener for business, governments and citizens. They should now be aware of the vulnerability of information systems to penetration by spies, hackers and ...
Behind the escalating war of words between North Korea and the United States in the wake of the cyber attacks on Sony lies a dangerous, but inevitable trend: the beginnings of real cyber terrorism. ...
It's the time of year when we reflect on our progress (or failures) over the last year and anticipate the challenges of the coming year. Last year I made half a dozen predictions for 2014. How well ...
Last week Dr Hugh Thompson of Blue Coat and RSA fame was in London. I was fortunate to find a slot with him to meet up and exchange ideas. I like Hugh because he's not like the regular, dull ...
Whether you like the term or not the so-called Internet of Things is generating a huge amount of interest, and a growing amount of security research, including great opportunities for ...
I was pleased to read in the Sunday Telegraph that GCHQ values the security skills of dyslexic young people, employing over 100 dyslexic and dyspraxic neuro-diverse analysts. I fully support this ...
I'm finally back blogging after a delightful summer break. Surprisingly, not a lot has changed in the cyber security world. Big security breaches have been surprisingly thin on the ground. And most ...
This week Doc Hugh Thompson of RSA fame was in London. We had an interesting and entertaining debate on current and future trends. Hugh is a consummate, multi-tasking professional: lecturer in ...
My last posting was perhaps a bit too negative. I should correct that by setting out my own solutions to cyber security. Here are my ten answers. Invest more public money into imaginative new ...
I was fascinated to see that the latest issue of Forbes magazine has a feature on cyber security. It sets out what must be fixed according to ten top experts. Have they got it right? The answer ...
Last night a friend sent me an email drawing attention to the UK Government's new cyber security scheme. This one is called "Cyber Essentials". So what's new? And what does it offer? The answer is ...
Tuesday evening saw the London launch of IDATE's 2014 version of their DigiWorld Yearbook, an excellent guide to telecoms, Internet and media markets. It was a useful opportunity to catch up with ...
It's remarkable that in the face of the most sophisticated espionage threats, the most capable cyber-criminals, and the most severe compliance requirements ever experienced, the cyber security ...
It's interesting how many people are attracted to penetration testing, thinking it's more interesting and fun than conventional product testing. They're wrong. Scanning platforms for ...
As I expected we keep finding more and more security vulnerabilities in devices that shouldn't have them: essential control systems that govern the safety of critical infrastructure. The latest ...
David Lacey's IT Security Blog
Security: From Theoretical Business Enabler to Essential Overhead
20 Apr 2014 Dropped through my door last week was the flyer advertising Infosecurity Europe 2014. The theme is "Security as a business enabler - are you fit for 2014?" It is an unfortunate choice of words, ...
Several weeks ago an Australian friend of mine sent me a delightful note pointing out how recent events and media reporting had confirmed some controversial points I had made last year in the ...
Earlier this week I attended the excellent Stevenson Science lecture at Royal Holloway University on "The Birth of Machine Cryptanalysis at Bletchley Park" given by Dr Joel Greenberg of the ...
For the past decade the real enemy of security practitioners has not been the hackers and malware that threaten our systems but the numerous best practices, compliance demands and audit actions ...
This week I was speaking at FIC 2014, a leading French International Conference attended by 3,000 people, including Ministers, privacy experts and leading CSOs. It was refreshing, prompted by a ...
Sir Christopher Chataway who died today was a great athlete and a famous sports commentator. Not many security professionals will recognise the valuable contribution he made to cyber security as ...
Now I'm not saying that I get everything right about the future. But I can certainly spot the excesses of other futurists. The latest example is IBM's predictions for the next five years. The most ...
So what will 2014 hold for cyber security professionals? Will it be something new or more of the old? The answer is bit of both. We have all reached a crossroads in the way we manage security. Some ...
It's the time of year when we reflect on our progress (or failures) over the last year and anticipate the challenges of the coming year. Last December I made five predictions for 2013. How well ...
Last week I attended a sneak preview of the latest Qualys product road map. I was impressed, not so much by the functionality of the products - which is not especially original - as by the ambition ...
For most of this month I've been touring Australia with the excellent CSO Perspectives Roadshow, presenting on the subject of the future of cyber security. It's been a great opportunity to meet ...
It's not often that an institute decides that its mission has been accomplished, declares success and steps down. But that's what the Jericho Forum has done after a decade of evangelising the ...
I've just read an interesting report of future 2020 scenarios on cyber security put together by an esoteric institute called the International Cyber Security Protection Alliance (ICSPA). I don't ...
Donn Parker just copied me in on his critique of Harry de Maio's new book. For those of you who might be more Gen Y than Baby boomer I should explain that Donn and Harry were old-school, cyber ...
I'll be contributing to a Webinar on APT Protection via Data-Centric Security next Thursday. Given the progressive erosion of corporate perimeter security it's about time we switched our attention ...
Anthony Freed has now published the final article in his series on the true background of BS7799 on his Tripwire blog. There are real lessons to be learned from these postings. I hope that students ...
David Lacey's IT Security Blog
Business understanding of cyber attacks a decade out of date
16 Oct 2013 This is the title of an article from yesterday's Australian Financial Review, the leading Australian business newspaper. It was written by Chris Joye, a leading economist, fund manager and policy ...
David Lacey's IT Security Blog
How to manage the risks of Advanced Persistent Threats (APTs)
13 Oct 2013 My new ISACA book on Advanced Persistent Threats has now been published. It's an excellent guide for any Business, IT, Security or Audit Manager responsible for safeguarding critical, sensitive or ...
Anthony Freed has been publishing further historical information on the true background of BS7799 on his Tripwire blog. There are some important learning points from these postings. It's ...
My apologies for radio silence on this blog. It's been due to an exceptionally busy workload coupled with an extended holiday I'm now back with lots of views about what's going on and what's going ...
Well not quite today, but at the end of September it will be exactly 20 years since the original text of BS7799 (now ISO 27002) was published in the form of BSI document DISC PD0003. The ...
I was deeply shocked and saddened to hear about the death of Barnaby Jack, one of the most brilliant and effective security researchers I have ever encountered. He researched vulnerabilities in ...
Scientific American has an interesting article "How Would the U.S. Respond to a Nightmare Cyber Attack?" based on a recent crisis exercise. It's a good question as well as a well overdue exercise. ...
David Lacey's IT Security Blog
Security versus privacy - a difficult and uncomfortable balance
18 Jul 2013 I've not bothered to comment so far on the numerous news reports on the NSA's PRISM programme. It's not because I have no views, but simply because it's revealed nothing surprising to the security ...
It's surprisingly hard to find good quality guidance for business managers on information security, and even harder to find material that is free. Far too much essential reference material is ...
The sizzling summer in Surrey (UK) has slowed my writing, though the cyber security market is also equally hot with many fresh initiatives emerging. Your own perspective will no doubt vary of ...
David Lacey's IT Security Blog
SCADA security requires a better understanding of how plants work
04 Jul 2013 I do worry about the security of our industrial control and SCADA systems. I have been for the last 24 years in fact, ever since I first encountered them. In my view the real problem has always ...
I'm back blogging after a lengthy break due to extensive writing and consultancy commitments. Nothing much has changed in the cyber security sphere during that time apart from a very slight ...
The new mantra today is that it is not if your organisation will suffer a security breach, but when. In a recent survey released during Infosec Europe 2013, 93% of large organisations reported that ...
I've been very busy this year as you might gather from my rather thin postings. It's a positive sign in fact as it reflects the mushrooming demands of a growing industry which has a long way ...
User access control is a cornerstone of information security management. Everybody needs it and does it. Yet in practice it's poorly conceived, implemented and managed. It's one of those elephants ...
I've often pointed out that information security management has become far too slow, bureaucratic and process driven. It's because of the backward-looking culture created by governance, standards ...
You can't go through the day without reading something about Big Data. There are full page advertisements in newspapers, conferences devoted to the subject, and an array of new or rebadged products ...
Big Data might be the big thing this year, but it's just one step in the evolution of enterprise information systems. Each year they become more powerful. As do the capabilities of their users. ...
Every year Alan Stockey, a well known London banking security professional, sends me a Christmas poem with a security theme. It's a little late for Christmas Day, but then so is the snow. Day Zero, ...
What will 2013 hold for information security professionals? Certainly a lot more serious incidents as we've been incubating a raft of potential crises for the past two decades. But what ...
One of today's buzzwords is big data. Volumes of information generated are increasing rapidly, driven in part by increased take up of mobile technologies and the growing number and range of ...
It's the time of year when pundits express opinions on the year ahead. And naturally I have my own views. Before that, let's take a quick look at my forecasts for 2012. How well did I do? Last ...
The threats we face today are no longer smash-and-grab raids, looking for instant gain. Rather, perpetrators are looking to get a deep foothold into the network. They use subterfuge to trick their ...
I've commented many times that cyber security management today is far too slow. It's the result of many factors: the treacle of standards and compliance; the need to gain business case approval for ...
A few postings ago, I mentioned the growing number of high-profile digital catastrophes reported in the media. And I wasn't referring to natural disasters such as fire and flood or deliberate ...
The technology landscape is changing fast, bringing much disruptive change that provides organisations with new ways to streamline their businesses, reach out to customers more effectively and keep ...
Among the many challenges that telecommunications providers face are the need to transform and consolidate their businesses. They need to adopt new business models that allow them to move away from ...
For those of you who couldn't make RSA's latest thrash in London I can report that there were, as expected, no real surprises. It's a shame as cyber security is booming at a time when emerging ...
This Tuesday marks the start of RSA Europe 2012. It's a leading brand and a major event. US vendors will be there in force, as will the cream of the European security community. The formula has ...
Trust is essential for building a sustainable business. Security is essential for building trust. To build trust in electronic networks, security needs to be built into a suitable framework, rather ...
I'm now back blogging after an extended break of several weeks. Unsurprisingly, nothing much has changed in the world of cyber security, except for the media coverage, which has grown in quantity, ...
According to the US government, "the strength and vitality of our economy, infrastructure, public safety and national security have been built on the foundation of cyberspace." The McKinsey Global ...
I spend a lot of time working with big and small enterprises, helping with information security or risk management issues. What continues to amaze me is how much they differ in their security ...
We have computers to thank for teaching us the importance of business continuity planning. The real objective might be to keep the business running rather than prop up the technology, but the ...
My blog postings have been very thin lately. This was due to my annual Scottish fly-fishing holiday (the highest priority in my calendar) followed by the Queen's Diamond Jubilee and a mass of catch ...
You can't visit the Far East without contemplating the contrast between Eastern strategies of negotiation, and the less colourful philosophies of the Wild West. The Thirty-Six Chinese Strategies, ...
I'm just back from a week in the Far East where I was opening the 13th Info-Security Project Conference in Hong Kong. It's a couple of years since I last spoke at this conference so it was ...
I always look forward to Infosecurity Europe week, which guarantees a great congregation of security luminaries and practitioners in London. I say "week" because there is so much going on around ...
Death by a thousand facts is the title of a recently published academic paper by Geordie Stewart and me. It sets out to examine why mainstream information security awareness techniques have failed ...
Emails are essential business communications and collaboration tools and the vast majority of business information is, at some point of its lifecycle, communicated via emails and their attachments. ...
My blog posting on OODA loops prompted a response from Andrew Yeomans, pointing out that Deming loops and Boyd loops are not mutually exclusive, i.e. you can have a slow moving management system ...
A few weeks ago, along with some of the great and good, I attended the launch of the new Oxford University Cyber Security Centre. I wasn't expecting anything especially new but I have to say I was ...
It's been a long time since I last blogged. It's been due to excessive commitments. Freelance work has been thick and fast since the beginning of the year, reflecting an increasingly robust ...
Buzz phrases of the day include consumerisation of IT and BYOD (bring your own device). The former phrase refers to the use of increasingly powerful and feature-rich devices, be they PCs, ...
We all know that information security management only works if we "close the loop", i.e. that telling people to do things does not work unless you check they are actually doing it. The problem is ...
Lately I've been spending more time lecturing to universities (Oxford and Surrey this week, Portsmouth the week after next). At each session I set out to present what's wrong with Information ...
My latest book "Business Continuity Management for Small and Medium Enterprises" has just hit the streets. Inspired by the Cabinet Office and published by BSI it aims to simplify the essential ...
I used to think that Bruce Schneier was out of touch with industry CISOs, but now I think that they are out of touch with him. He's come on tremendously in recent years. I saw him present to the ...
We all know there's no such thing as a free lunch. Rose Ross, a PR adviser, bought me one last week. The payback was a personal interview on her Countdown to Infosecurity site. I tried to be light ...
It's been a few weeks since my last blog posting. That's the bad news. The good news is that it's the result of being rushed off my feet with consultancy assignments. Interestingly it's not my ...
Cloud-based computing is growing faster than the IT sector as a whole. There are plenty of analysts throwing numbers about regarding cloud spending. Here are some from Forrester Research: in 2011, ...
There's talk that corporate security is now so ineffective that breaches are inevitable and the focus must therefore switch to detecting, containing and responding to intrusions, rather than aiming ...