Up close and personal with leading infosec blogger – David Lacey (@computerweekly) – Infosec’s answer to Jeremy Clarkson?February 6, 2012
By Rose Ross, @Rose_at_O
It isn’t often I get the chance to grab lunch with one of our blogger interviewees. This interview is a bit of an exception.In more ways that one. Looking forward to catching up with David
Q. Tell us a bit about yourself and about the blogs you write for and their interest in data security.
I’ve been blogging for over five years for Computer Weekly. I was their first blogger. It started over a lunch with Hooman Bassirian, the CW editor at that time. I told him he should move with the times and get some blogs going. He volunteered me.
My blog is a personal opinion on current issues. I treat it like a newspaper column. I’m a keen futurist and like to think ahead of the marketplace. I’m often controversial, as I think that everything in security is outdated, wrong or broken. Some people view me as the Jeremy Clarkson of security journalism. It’s probably not a flattering comparison.
Q. What’s hot in IT security this year?
New things will be big data, space weather and securing social networks. Hot topics will be tackling the fashion for “bring your own laptop”, and how to stop advanced persistent threats.
Government spying and dirty tricks will enter a new dimension. The growth in state controlled corporations combined with easy-to-steal secrets is a compelling motivation for espionage. At the same time, there’s scope for plenty of conflict and unrest across many regions.
Many old things have yet to peak, especially in less developed regions. ISO certification is currently hot in the Middle East, and PCI compliance has yet to take off in many countries. Interest in the human factor is growing in all regions, especially continental Europe.
Q. How many security events do you attend each year?
Too many to mention. Last year I spoke at conferences in California, Geneva, Oslo, Muscat and Nicosia, as well as numerous events in London. I’m planning to do more university lectures this year, especially at the University of Portsmouth in my new role as an Associate Fellow.
Q. Which one are you most looking forward to?
Infosecurity Europe is the best socially, and it attracts the broadest audience. You meet everyone from top CISOs to university students. The keynotes can be lacklustre but at least they change the line up each year, unlike RSA which tends to stick with the same sponsors. Both of these have excellent supporting programmes. I encounter more stimulating and innovative discussion at overseas events. They don’t suffer from the stifling groupthink that pervades the more mature CISO communities.
Q. What types of stories or companies are likely to attract your attention this year?
I’m interested in new ideas, technologies and learning points. Unfortunately, they’re thin on the ground in a marketplace that’s 99% driven by compliance, which only recognises old, established practices. The number of breakthrough security technologies that have emerged over the last 20 years decades can be counted on one hand. But that means there’s plenty of space for revolutionary solutions.
I’m particularly impressed with companies that are passionate about their products and those that demonstrate technical excellence. That’s what makes a story.
Q. How many interviews do you do per week?
I’m more of a Gonzo journalist than an interviewer. I speak to dozens of vendors and CISOs each week and only write up what strikes me as new, groundbreaking, amusing or interesting. Like all journalists, there’s a lot that ends up on the cutting room floor.
Q. What’s the best way to pitch a story to you? Email? Phone? Twitter? By mail?
In common with other journalists I delete most of the daily email press releases that flood in. They are uninteresting, verbose and full of bad prose. Phone calls are intrusive unless it’s an invitation to a champagne reception. It’s best to catch me at a conference where I have the time to talk and I’m focused on the subject area.
Q. Who is worth listening to (about IT security)?
There’s a widespread lack of new ideas. I like people who speak up and challenge the established concepts. I used to think that Bruce Schneier was out of touch with industry thinking, but now I think that industry is out of touch with him. He’s really come on in recent years. I saw him present to the United Nations last year and he was awesome. I’d put him in charge of international public policy. Steven Sprague of Wave Systems also has some unique views, and Philippe Courtot is more passionate about the subject than anyone I know. I also like Ira Winkler because he’s honest, original and entertaining.
Q. What’s your favourite blog?
It has to be Bruce Schneier, though he seems to have been slightly distracted by writing his new book.
Q. What is your favourite piece of technology?
The Segway and the 3-D printer. I’ve met both of their inventors and they’re amazing people.
The technology inside the Segway is incredible. Even the tyres are revolutionary. Dean Kamen aims to make the world a better place with his inventions, and he has the resources to do it. I’m a little disappointed that it’s not yet powered by his Stirling engine, which is the holy grail of engineers. I told him that I liked the 50’s style drawings in his patents, and he told me they were done by his father who used to draw for Mad magazine.
The 3-D printer was the brainchild of Neil Gerschenfeld of MIT. He was the technologist who got MIT Media Lab researchers playing with soldering irons, rather than sitting at PCs. He combines a deep and broad knowledge of theoretical physics with practical workshop skills. He’s currently Director of MIT’s Center for Bits and Atoms.
In the security field it’s hard to identify cool technology, but I like the work of Stephanie Forrest at University of New Mexico. She takes ideas from nature and applies them to security. Her work on computational immunology inspired me to sponsor the development of a fraud detection system for the Post Office based on a model of the human immune system. It worked but it didn’t produce any particularly useful outputs.
Q. What do you think is the most important development in IT security to date?
Digital rights management. It’s certainly the technology we need for security in open networks but it’s not yet caught on. Data mining and fusion will also revolutionise security when we get them to work. The human factor is very important, but it will take decades to build, or even recognise the skills needed to influence large numbers of people over social networks.
Q. What is the best piece of advice for companies pitching stories?
Make your story interesting, and compare it with something people are already familiar with. You need to apply the contrast principle. People can’t get their head around new concepts. It’s better to say that this technology is like a firewall but much better and cheaper than to say it’s like nothing you’ve ever seen before.
Q. What was the best press trip you’ve ever been on? Worst? Why?
I find the best PR events are the ones held by Qualys, where the champagne flows and the conversation is interesting.
The worst one for me was sitting through an incredibly boring sales pitch in a dry, dull room at the IoD while England was playing in the World Cup. They wouldn’t even let me get a word in.
Q. What’s your favourite restaurant?
The Ivy downstairs, not the private dining room with the fixed menu. It’s great comfort food and the cheese on toast is terrific.
Q. Are you a social media lover? Which ones are you on? FB? LinkedIn? Twitter?
I like the concept of social media and I always try them out, but I’m not into one-line sound bites. I like considered opinions. I prefer Economist style weekly summaries to daily news articles. I set up a Second Life account for one of my Lakeland terriers, but she didn’t use it. We’re not gamers.
Q. Tell us something no one knows about you. Do you have any unusual or unexpected hobbies/interests? Do you have a claim to fame?
I play jazz guitar, fly-fish and collect antique Bedouin silver. I’m a member of the Infosecurity Europe hall of fame, but so is just about everyone else I know.
I’m not proud of the fact that I wrote the original text for BS7799 because I believe it’s held back security innovation for the past decade.
I’m actually more popular in Switzerland and the Middle East than in the UK. I don’t really fit into the London CISO scene. To me it’s all groupthink these days. I spend more time abroad where it’s sunny and security managers are more receptive to new ideas.
Q. ?? The question we should have asked you but didn’t – please feel free to fill in the gap
What’s my next book about? Answer: the Future of Information Security.
Copyright ©Launchpad Europe 2007 – 2012. All rights reserved. You may copy and distribute this material as long as the content remains complete and unaltered; you credit the author where possible; the copies are distributed only for non-commercial purposes and at no charge; and you include this copyright notice and link to Countdown2Infosecurity.com, the original source of the work.
If you have any questions, please contact Launchpad Europe, firstname.lastname@example.org.