69 Information Security Blogs You Should Be ReadingPublished April 25, 2017 by Karen Walsh • 18 min read
Information security blogs give industry members up to date information to help them stay knowledgeable. In an industry that continually evolves, waiting for monthly publications or even quarterly journals can leave a professional uninformed. Anyone living in the modern day recognizes that separating good information from bad information requires effort. With this in mind, Reciprocity has scoured the internet looking for the most informative, interesting, and in some cases, unique information security blogs to help keep professionals “in the know.”
News and News Aggregator Information Security Blogs
In a world of constant movement, cloud sharing has become the norm. However, it also comes with privacy and information security concerns. Cloudwards provides information and reviews helping people find the best cloud storage, web hosting, and VPN services for their needs. Cloudwards segregates its information into reviews, comparisons, articles, and “Top 5.”
As an information aggregator, ISBuzz does an excellent job bringing together different areas of the information security community under one roof. In addition, they have a staff of contributors who create original content. The articles range from vendor announcements to industry research/forecasts to technical advice.
Inside Cybersecurity offers in depth articles about the latest news and trends occurring in the cybersecurity space. Unlike some of the other resources, this one has a paywall which may initially deter people. However, there’s a free 30 day trial period that gives some good insight as to whether this is information that can continue to be helpful.
The brain child of Byron Acohido, Last Watch Dog is a webzine that delivers analysis, news videos, and guest essays involving the global cybersecurity community. Mr. Acohido is a Pulitzer-winning journalist who has been researched cybersecurity and privacy since 2004.
Although most people think of Huffington Post as aggregating stories about social issues or politics, Michael Kaiser writes regularly for them bringing in news items about cybersecurity and information security. Currently the Executive Director of the National Cyber Security Alliance, Mr. Kaiser approaches security from a societal perspective rather than simply a business one.
According to the website, “SC Media arms cybersecurity professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.” With that in mind, the other benefit to SC Magazine is that it provides two options, a US and a UK focus. For people who are interested in the international perspective, this is a one stop shop.
Just like the name implies, SBN brings together a whole lot of security bloggers into a single feed. It boasts having connected over 300 different blogs. Currently, subscribing to the feed means subscribing to all 300. However, they are working towards sub-categories to allow more focused information sharing.
More online newspaper than blog, The Security Ledger offers up to the minute news on all things security related. Their articles can be found on the front pages of Reddit as well as Slashdot and Techmeme. Categories of article available are internet of things, threats, thought leadership, podcasts, videos, and white papers.
Less a blog and more an aggregator, Tech Wreck updates posts from some of the lesser known areas of the web. While not original content, this site is a great one to follow to see newly released security updates as well as interesting information that might otherwise get missed.
Wired, the well known tech magazine, has an entire page devoted to recent security news. Updated by Wired senior writer Andy Greenberg, this blog updates daily and includes everything from the political role of information security to discussions of apps that have security issues.
Industry Must-Read Information Security Blogs
WISP is the offical Women in Security and Privacy organization. As a professional organization for women in a traditionally male industry, their blog presents the much needed and often difficult to find female perspective on working in the security industry.
Dark Reading has become an industry must-read.The “About Us” page best summarizes the website’s mission. Dark Reading seeks to “challenge community members to think about security by providing strong, even unconventional points of view, backed by hard-nosed reporting, hands-on experience and the professional knowledge that comes only with years of work in the information security industry.”
One of the original information security professionals, Mr. Cluley started as a programmer for Dr Solomon’s Anti-Virus Toolkit for Windows. He continued in information security and today the industry views him as one of the heavy hitters. He currently works independently and does speaking engagements for companies.
IT Security Guru is another information security community intended to bring together the best minds on the internet. As a community, the posts include everything from daily news items to product reviews to white papers. Every week, IT Security Guru brings on a series of weekly gurus to do guest posts.
IT Security brings the UK perspective to the blogroll. The pieces trend towards think pieces as opposed to straight news. The small group of independent writers focuses on analysis and opinions backed up with facts giving a more varied perspective.
Brian Krebs’s website has long been an industry standard. Despite getting a bachelor’s degree in International Studies and spending his early career writing for the Washington Post, Mr. Krebs turned to information security when his home network was hacked. A self-made security guy, his blog discusses issues in an easy to understand but still technical manner. He has also published Spam Nation back in 2014.
Another long-standing pillar of the information security blog community, Schneier on Security has been around since 2004. Mr. Schneier is the Chief Technology Officer of IBM Resilient, a fellow at Harvard’s Berkman Center, and a board member of the Electronic Frontier Foundation. The blog posts cover everything about security as well as the occasional post about squid. The site also includes information about algorithms and Mr. Schneier’s white papers.
Security Through Education focuses less on the business side or the information security technicalities and more on the human side of information security. Instead of focusing on the computers alone, this blog focuses on the importance of education to understand the social engineering concerns underlying most attacks. This presents readers with a different, humanities based approach to understanding information security.
Having blogged since 2003, Mr. Bejtlich is one of the most well-respected information security professionals who write. Tao Security “promotes Network Security Monitoring solutions to help global organizations stay in business by detecting and responding to digital threats.” The blog is a great way to see into the thought process of one of information security’s best.
For the last eleven years, Security Weekly has been a staple of the security news community. A multimedia approach, the website provides videos and podcasts for the security community as well as written articles. In addition, they won the RSA Social Security Awards Best Security Podcast five times.
A spinoff of the Kaspersky Labs Security News Network, ThreatPost focuses on consumer hacking concerns and the security news, authors Michael Mimoso, Tom Spring, and Christopher Brook discuss everything from black hat hacking to internet of things to cryptography news keeping industry professionals up to date.
Corporate Information Security Blogs
Avast’s blog not only organizes information but indicates how long a read the posts will be. For the busy professional, this can make all the difference in the world. The average reads are between 3 and 5 minutes making them the perfect lunch time or quick break readings.
As an offshoot of the award winning BH Consulting firm, this corporate blog focuses on the different issues that face CISOs and CIOs. The information focuses on European markets since BH Consulting’s home base is Ireland. However, it does a great job providing information that matches the company’s strengths in information security consulting, cybersecurity, risk assessment, cloud forensics, and training.
Cisco’s range of blogs covers everything from enterprise networks to service providers. Following the information on this blog helps professionals looking to see what industry leaders are doing and thinking. In addition, this is another one of the few blogs that also incorporates a healthcare category to help companies navigate those privacy issues.
Acting as a full service website security firm, Cloudbric’s blog does an excellent job of providing consumer focused updates on security issues. Since the average computer user is the targeted audience, this blog is a great place to go to find information to share with employees.
eLearn Security is an international training company whose blog keeps readers updated about their different webinars. They also host some fun games, share trivia, and have a lot of interesting information available.
When looking for the best information, it helps to turn to those who are involved in the day to day activities of keeping the internet safe. The Google Security Blog provides updated information on trends but also responds to consumer concerns regarding Google products and Google compatible devices.
Another blog from a consulting firm, these two sites are separate pages within the same entity. Horne does a great job breaking out the information for the different audiences so that the information is easy to find and use. Executive Insights focuses on the audit and c-suite focused posts. Attack Surface does a great job of looking into the technical sides of the issues such as the future of ransomware.
Taking a look at cybersecurity from the regulatory perspective, Lohrmann on Cybersecurity & Infrastructure is the blog end of the Government Technology magazine. Topics are not limited to cybersecurity and include cloud computing and mobile devices as well.
Owned by Sophos, a leading IT security products company, and originally founded by Graham Cluley, this is another one of the industry must-reads. Naked Security has won awards for its comprehensiveness since 2010. It brings news items as well as well researched opinion pieces to readers making it a lynchpin of the information security blog world.
Although a corporate blog, Tripwire’s The State of Security features the latest news, trends, and insights in the information security environment winning it several awards over the last few years. The State of Security is a well-rounded source of information for all things information security with no single focus meaning it has a broad audience reach.
Known for its ability to integrate security across multiple platforms, Veracode mostly offers blog posts about its products. However, it also incorporates a lot of information about application security to give potential customers more background. This makes it a great resource for not just their product but the types of issues surrounding their product.
Wombat’s blog comes from their corporate website. However, Wombat isn’t just any consulting firm. Arising out of research at Carnegie Mellon University, Wombat Security Technologies provides a unique approach to combating phishing by mixing education and filtering systems. The blog showcases articles and information that support its multi-tiered approach.
Consultant and Consultant Firm Information Security Blogs
Started by Dr. Jessica Barker, Cyber.uk provides information on everything from cybercrime to encryption to regulatory impact. Dr. Barker focuses less on the technical issues and more on the sociological issues behind cybersafety and phishing.
Trail of Bits is a consulting firm that provides a range of services from review of tools to security automation. The blog keeps industry professionals updated not just on the newest developments from the company but also other insights into the security environment.
Corero is a DDoS services company and so the blog is one of the few places where DDoS issues get the main focus. If it has to do with DDoS, Corero’s blog will cover it, whether it’s gaming, finance, or enterprise related.
CyberArk provides audit, compliance, security, and risk management solutions. Their blog tends to cater to these areas as well. The information is presented clearly and professionally, addressing issues from new perspectives.
Part of Security Haven, this blog is the repository of Eric Cole’s writing. Mr. Cole’s biography on his website notes that he is a member of the “Commission on Cyber Security for the 44th President and the Purdue University Executive Advisory Board, and is a senior fellow with SANS. He is the author of several books and patents. He was inducted into the information security European Hall of Fame in 2014.” His experience gives him unique insights into the infosecurity trends and are a valuable resource for CISOs, CIOs, and CSOs.
Flyingpenguin is a consulting firm consisting of Davi Ottenheimer, David Willson, Matthew Wallace, and Bryan Zimmer. Their combined experience spans military, higher education, finance, law, and global security. The website’s tone can best be summed up by the reason for its name, “Scientists say flapping wings means penguins are actually “flying” regardless of the fact that it is via a medium of water instead of air. Davi decided this “paradigm shift” is a nice fit for a website on information security.”
A computer science major who later earned an MBA, Mr. Zeltser’s blog offers insights into the crossovers between business interests and security. The front page describes it best saying that the blog discusses “information security, with topics ranging from broad IT trends to detailed technical advice on malware.”
Written by Gary Hinson, the posts on this blog do a great job making information security fun. The images pop with fun, and the tone often includes a great sense of humor. There’s a sense of informality mixed in with the information that makes this blog seem more like talking to a buddy than listening to a professional making it a fun read that gives a lot of insights.
Tony Perez spent the last five years co-founding and working at Sucuri creating a business that keeps websites safe. His blog focuses on security for websites but also on running a business and thoughts on life. These are easily searchable by topic so you can focus on that which is most important to you.
Privacy Ref is a different kind of consulting firm because it works on advising how to create a culture of privacy. Instead of looking to software, Privacy Ref looks to people. The posts on Privacy Ref discuss social engineering and people skills that lead to safety.
Private WiFi’s blog offers insights for consumers on protecting their information. The blogs are categorized by how-to, news & features, press releases, resources, and thought leadership. When searching for something, this makes it easier to determine where the right information might be.
Intended for the CISO or CIO, this blog discusses ways to secure a company’s information. The majority of the posts discuss mobile technology and the ongoing problems of securing those devices in the workplace. With the rise of employee mobile devices, this is a perfect resource for managers trying to understand the new risks.
This consulting firm focuses on the internet of things and protecting wireless devices in the workplace. With the rise of IoT concerns, the blog offers an excellent entrance into the types of threats and issues facing companies.
The Qualys community offers a space for professionals to meet and talk about the different information security trends. It also offers self-paced trainings on various aspects of security compliance. The blog focuses on sharing insights from organizations like SANS and updating readers on current events.
Every week, Trend Micro’s blog does a roundup of security news which helps keep readers updated on recent happenings. In addition, they have a “Tipping Point” series that discusses Zero Day Initiatives. They are also one of the few blogs that contains a category for health care and tech.
Troy Hunt’s blog showcases a lot of the different issues with which he is familiar. He is a Microsoft MVP and Pluralsight author whose credentials also include working with Pfizer. His blog posts focus on customer and individual user interfaces and security. Written with an approachable tone, this blog is a great one for the non-technical c-suite reader.
The Technical Information Security Blogs
Written by Russ McRee, who runs the Blue Team for Microsoft’s Windows and Devices Group (WDG), the blog presents focused and technical information about the ongoing state of information security. The programmers in the crowd will appreciate this one.
Written by Raj Chandel, Mokul Mohan, and Arti Singh, this blog talks about ethical hacking and provides excellent resources for those interested in penetration testing. Hacking Articles walks readers through different testing initiatives so that people can protect themselves.
Another hidden technical gem, Mr. Ramilli’s blog provides depth of information. The blog walks readers through “just for fun” malicious link analyses. For the hackers out there, this is another technical site that provides excellent insight from a seasoned professional.
A personal blog that offers tutorials and other interesting information, Skull Security is written by Ron Bowes. Mr. Bowes participates in and runs local BSides meetups that also incorporate coding and CTF. His walkthroughs help readers with basic solutions to the challenges.
Personal Project Information Security Blogs
Mr. Hay has been featured in Wired, PBS, Fortune, Venture Beat, Forbes, Bloomberg, and many others. A current security professional, his insights come from the day to day operations as a CISO. He focuses on the business importance of security which is a nice shift from some of the more technical pieces.
Elie is currently on Google’s anti-abuse research team, which wrote papers that won Secret Questions at WWW 2015 and the other at S&P 2015 for our work on malicious ads injectors. The blog includes interesting discussions of poker cheating devices and how machine learning can predict video game outcomes. It also includes links to Elie’s white papers.
Another award winning blog, the tone of this one is also informal with a sense of everything the internet loves about blogs. Adam Shostack, Chris Walsh, Arthur, and Mordaxus write about everything from current politics to Star Wars to information security. Their take has that sense of the irreverence that comes with the computer programming mentality. It’s just a fun, informative site.
Run by Dave Lewis, who works for Akamai, this site is a personal project that covers a lot of territory. As stated in the “About” section, Liquid Matrix “aggregates security news and information that we feel like sharing. Albeit, in bite sized chunks. The content style of this site is similar to the likes of Boing Boing, Gizmodo and slashdot.” Following Liquid Matrix gives a great overview of all the news that’s fit to share coming from a professional in the field.
As the name suggests, this blog focuses predominantly on cloud, data, identity, and security issues. Mr. Flynn currently works for Oracle and works on the blog in his free time. Although not updated as regularly as some other blogs, this one provides in depth discussion of the issues chosen and is worth a read.
After working at Compliance Week, Matt Kelly started working on his own blog. With a focus on audit, risk, and grc, Radical Compliance focuses less on information security and more on audit management and compliance. This focus is perfect for the c-suite.
Another hobby blog, this one gives some great advice and focuses on Linux as well as IT security. The blog is updated once a month or once every other month. However, it’s worth an add to the blogroll since the information tends to be original and well compiled.
Roger from this blog holds a Master’s in computer science as well as a whole alphabet of certifications and over fifteen years of experience in the information security world. This blog does a great job of providing information in an easy to understand way while also being amusing. For example, one of the posts uses a Southwest Airlines ad as a teachable moment on password creation.
Written by Jack Daniel, Uncommon Sense Security mixes informal tone with solid information. Mr. Daniel is a Security BSides Co-Founder, CISSP, MS MVP for Enterprise Security,who works at Tenable Network Security and Co-hosts the Security Weekly podcast. The examples used and explanations of issues provided help negotiate the information across technological background levels.
Xavier Mertens holds seven different certifications which means that he is a security expert with all the letters to prove it. The information on here is perfect for those who are looking to follow events at conferences as well as some updated information from within the industry. The casual tone makes reading easy, and in several places Mr. Mertens notes that he won’t go into the details but gives a strong overview of the issues.
Compliance Industry Information Security Blogs
The best place to get government information would be the original source. The FTC’s blog updates people about ongoing phishing scams and news regarding their agency activities. The posts are easy to read and provide insight into the current regulatory landscape.
OCEG is the mother of all GRC. As the organization that defined Principled Performance, their website offers webinars, standards manuals, ebooks, information about certifications, and in-person training opportunities. The OCEG Blog offers information about information security compliance as well as general business tidbits.
When discussing compliance, PCI DSS standards sit at the top of the list. Despite their prescriptive depth, PCI DSS compliance standards intend to protect payment data. Going straight to the source to get information helps see where the organization is focused.
One of the leaders in security capabilities, RSA also hosts annual conferences. The regularly updated blog incorporates information specific to their RSA Labs, as well as categories on threat detection and response, identity, GRC, and antifraud. These posts are geared toward the information professional instead of the consumer.
Well known as the industry leader in training, the SANS Tip of the Day provides the right information for everyone in the organization. Every day a new tip explains a specific topic and actionable steps for people to protect themselves and their families. Although consumer oriented, these reminders are good for anyone regardless of technological background.