This is a curated collection of information security / cybersecurity resources for people in tech who are not information security practitioners. Please send me suggestions for updates!
Newsletters
“This Week In Security” by Zack Whittaker is an excellent weekly round-up of big stories, with well-written blurbs.
Violet Blue also publishes an engaging weekly roundup of cybersecurity news whose angle is slightly different from Zack’s so there isn’t a lot of overlap. She also does a good weekly roundup of news about the COVID pandemic which, contrary to what you may have heard, isn’t actually over.
The “Cyber Daily” newsletter from Recorded Future News is worth checking out. Obviously a daily newsletter is going to be higher volume than a weekly like TWIS, so it might be a bit overwhelming, but you don’t have to read every article. 😉 Recorded Future News also has a news feed and a podcast, described below.
The folks over at Risky Business publish both newsletters and podcasts. Their content is a mix of stuff that’s too obscure for non-practitioners and stuff that isn’t. Their newsletters and podcast episodes usually focus on a single topic, so you can subscribe and then skip the ones that don’t interest you. They cover governments (both U.S. and others) and politics a bit more than some other sources, so if that’s your thing you might find them worth your time. Their “Seriously Risky Business” newsletter and corresponding podcast focus specifically on public policy and intelligence, a.k.a., “government stuff.”
Krebs on Security (see below) has a mailing list you can subscribe to.
News feeds
Wired does a lot of good security reporting (RSS feed).
“The Record” by Recorded Future News (RSS feed) covers a lot of good stuff, including a substantial amount of government and policy content. They also have a newsletter and podcast, described above and below.
404 Media (RSS feed) is an independent investigative journalism outlet focusing on technology, cybersecurity, and privacy. They break significant stories and their writing is targeted at non-practitioners. They also have a podcast.
Brian Krebs’s Krebs on Security (RSS feed) is a well-regarded source of infosec industry news. While some of his stories have mass-market interest (i.e., they’re interesting to people who aren’t infosec practitioners), many of them aren’t, so read the ones that you think are useful and skip the others.
Zack Whittaker, mentioned above as the author of “This Week In Security”, is the security editor at TechCrunch, which is also a good infosec resource (though in my opinion a bit noisier and more “inside baseball” than Zack’s newsletter). You can visit their security page or subscribe to their RSS feed.
Metacurity claims to be a “One-stop destination to end infosec news overload, scanned from thousands of sources,” but the catch is that unless you pay them $8.99 per month or $89.99 per year you can only read the most recent article at any given time. However, you may be able to work around this if you use their RSS feed cleverly; if you use a feed reader that refreshes several times per day and sends the contents of new entries to you, then you’ll have access to their full articles since the most recent entry in the RSS feed is published there in its entirety.
Podcasts
“Click Here” from Recorded Future News (RSS feed) is quite accessible and engaging. They also have a newsletter and news feed, described above.
Heidi Trost does a podcast called Human-Centered Security where she interviews security experts and people who design for the security user experience. There’s a book, too (see below).
404 Media does a weekly podcast where they talk about some of their recent stories. If you have more podcast time than reading time then you might find this more useful than their news feed.
Jerry Bell does a podcast called “Defensive Security”. It’s a bit on the insider side, so if you’re not interested in going into the weeds and not familiar with infosec terminology and acronyms, you might find it a bit challenging, but only a little. If you feel like you’re moving past the introductory level and want to move into slightly deeper water, this is a good place to start.
See Risky Business above.
Books
Human-Centered Security by Heidi Trost
This is a good introduction to the basic concepts underlying human-centered design of the security user experience. It covers many important concepts, and it’s chock-full of pointers to other material you can dig into when you want to go deeper into specific concepts. It is both a primer and a survey of the field.
I do have some quibbles:
- It is quite short for a $40 book. I feel that for that much money it should have gone into significantly greater depth on at least some of the covered topics. Or perhaps I am an old fogey who doesn’t understand how much tech industry books cost nowadays. 🤷
- The book, or at least the first edition which I read, was not well-edited. There are incorrect word choices, double-pasted text, editing comments left in the final text, etc. I hope these will be fixed in a later edition, but this is a yellow flag: if there are numerous structural editing issues, then there are likely editing issues with the content as well.
- Speaking of which, I feel the author’s thinking, or at least their attempts to communicate it, is a bit muddled at times. For example, the author describes the persona “Charlie” as “where security impacts the user experience” but then in the very next paragraph says that “many of Charlie’s activities happen below the line” which separates things which impact the user experience from those that do not. This is contradictory.
- There are far too many back-references to things discussed in earlier chapters and forward references to things in later chapters; they are distracting and interrupt the flow of the text. The book is so short that the back-references are almost entirely unnecessary, and I’d argue that many of the forward references are as well.
- While I understand the importance of giving proper credit, I found the frequent name-dropping distracting. A lot more of the crediting could have been done in footnotes without interrupting the flow of the text so frequently.
There’s a Human-Centered Security podcast, too (see above).
Unvetted book recommendations
- Information Security Essentials: A Guide for Reporters, Editors, and Newsroom Leaders by Susan E. McGregor
- Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem by Chris Hughes and Nikki Robinson
Esoterica
Ed Zitron’s Where’s Your Ed At isn’t exactly about cybersecurity, but it is about how everything is wrong in tech right now, and that includes security and privacy. He’s a Cassandra telling the truth very loudly and honestly when few people in tech are. If your goal in working in tech is to make the world a better place, then you should be reading what he has to say, because we can’t fix the problems until we acknowledge them.