A good spying programme in the 21st century cannot exist without good covert spyware. So it's time to put a military discipline behind defending our state IT infrastructure says Ralf Benzmüller.
New data sovereignty regulations should not be seen as an obstruction, but as an opportunity to increase market share with innovative offerings says Cameron Burke.
Every sensor has the potential to be used for malicious logging - and anti-virus based systems aren't an effective defence says Janusz Siemienowicz, who advocates monitoring of behaviour.
CISOs and CSOs need to ensure that their staff are aware of and able to tackle all the threats they face, and know how to deploy the most appropriate technology at their disposal says Kalyan Kumar.
Encryption will be used by the bad guys, and so will any back-doors, regardless of legislative bans which would only hit UK business - except it's so unworkable it won't happen says Raimund Genes.
The emergence of services such as cloud computing, data analysis, social business and mobility has brought corporate IT to what market research company IDC has dubbed the "third platform". But Wieland Alge asks, what will the third platform mean for the CIO role?
Learn from the misfortunes of your peers and prepare to defend against repeat use of the same cyber-attack techniques as part of your defence planning advises David Stubley.
With the attack surface, or perimeter, expanding exponentially, and attackers inside the network, the focus should now be on finding and stopping them - concentrating on how data leaves the system - says Chris Marrison.
Mobile Application Management, with secure access and separation of work and personal use can establish employee trust in a company's BYOD policy says Alan Hartwell.
Vast volumes of data are travelling to work and back each day stored on employee devices, but in many cases even the most basic protection policies are not in place explains Kelly Brown.
We don't have the levels of government protection from a cyber-attack that we would have if armed men attacked, so we need to make our own plans says Eddie Schwartz.
The personal cloud can be managed in three easy steps and secure the apps that employees are going to use regardless of policy, says Ojas Rege.
The problem with passwords is users, says Francois Amigorena, and overcoming user error can make passwords fit for purpose once again.
David Reed explains the 'corporate owned, personally enabled' approach taken by PA to manage the mobile devices used by its employees.
2014 was a watershed year for the information security industry when it became a concern for everyone, and Elad Sharf says it is critical that in 2015 we learn the lessons of last year and ensure our data is securely protected.
The UK's National Computer Emergency Response Team (CERT-UK) has shown some promising signs in its first year, with the connected Cyber Security Information Sharing Partnership (CiSP) initiative looking to improve cross-sector information sharing on security threats.
Gareth Lindahl-Wise, CISO, ITC Secure and Quentyn Taylor, director of information security, Canon EMEA debate whether CISOs must have a technical background.
Time to take stock, audit your assets and their security - including both response plans and staff - and address any outstanding issues says Nick Pollard.
For our special Reboot section, we took the opportunity to look back not just on the last 12 months, but the last 25 years SC has been entrenched in the information security space.
Dr Richard Piggin, in a blog published this week, notes how concerns about the vulnerability of control systems have been vindicated following the issuing of details about an attack on a German steelworks.
Christmas is the season for giving, but for IT security teams that can create numerous problems, says Terry Greer-King.
You need to delve deeper into the risks in your supply chain to really know what your exposure is says Nick Ford.
There's no such thing as a PCI DSS compliant solution, and companies, meaning merchants, remain responsible for lost data says Robert Crutchington.
Dense population and its role as a transportation hub has pushed the UK to ensure good security for APIs exposed in use, integrating borders and government agencies, says Jason Macy.
Questions need to be asked of Patch Tuesday and Microsoft's approach to it, says Robert Brown.
Take human memory out of the equation and passwords remain a viable access option says Emmanuel Schalit.
Many IT security professionals are choosing commercial open source solutions for security reasons rather than economy, says Olivier Thierry.
Kirill Slavin explains why focus can beat diversification in a fast-evolving market place.
Eduard Meelhuysen suggests we should consider taking cloud security tips from the world's biggest boy band, and asks: are we heading in the wrong direction on cloud apps?
Sophisticated malware feeds into script kiddie tools, enabling embittered individuals to take on corporations and governments. What are the consequences, asks Sarb Sembhi?
When it comes to the Internet of Things (IoT), the presumption is that it just works, but the physical connection and the security behind it cannot be overlooked, says Phillip Keeley.
The sophisticated Regin malware raises new questions about the software we're using, says Tony Dyhouse.
Among the many elements that make up a successful information security programme, street cred is one with many ramifications and consequences says Josh Goldfarb.
Companies must understand how security works inside - and outside - their organisation, argues Seth Berman.
Better understanding of the potential gains offered by the cloud will make the move easier to contemplate says Aidan Simister who outlines what companies should be looking for in a provider.
A pessimistic approach to future threats is advised by Chris McIntosh as the necessary attitude to minimise the extent to which they happen, and bolster our preparedness to cope if and when they do.
Security needs to be a concern throughout the software development cycle, not just a developer issue, nor simply tagged on at the end says Stephen Morrow.
Paul Bonner advises companies merging to take the best security practice from each component company, and not impose the practices of the dominant player - or resistance is likely.
B2B websites could learn a lot about security from their consumer facing compatriots suggests Bob Tarzey.
Companies should reconsider cloud-security perceptions says Pathik Patel, noting that recent software vulnerabilities such as Shellshock had less effect on cloud-based services than premises-based apps.
Preparation and organisation can enable effective security for one-man SOCs or small teams explains Joe Schreiber.
A holistic approach to information security is needed to overcome the shortcomings of a Risk Management approach says David Stubley.
James Solyom, head of cyber protect and cyber respond at Control Risks, examines how organisations can avoid making expensive mistakes that leave them open to cyber-attack.
The growing cyber-threat landscape poses some awkward questions for present and future authentication methods, argues Barry Scott.
The video games industry generates billions in revenue, but only 20 percent achieve profit, due to cheats breaching security, hence the need for stricter implementation and enforcement of controls say Amit Sethi and Rennie Allen.
Regulation and infrastructure from off-shore finance and gaming industries are being leveraged to make the Isle of Man a centre for crypto-currencies says Peter Greenhill.
Moving to the cloud is inevitable, but it demands new ways of thinking about data security, and new approaches to secure this new border says Martin Borrett.
Internet-connected smart meters are gaining traction in the energy space but security must be considered, says Rueven Harrison.
Your future lies before you like a field of driven snow. Be careful how you tread it, for every step will show. Luke Aaron considers our trail of digital breadcrumbs.
Doug Drinkwater takes a two-minute look at cybercrime-as-a-service, the new business model for hackers.
Notification laws haven't stemmed the tide of breaches in the US, so will the new EU regulations serve any purpose here? Ross Dyer says yes, and they're coming soon, so get ready.
Despite the value of critical enterprise data, many organisations are not aware of what their 'crown jewels' information is, says Carmina Lees, director of security services in UK & Ireland, IBM.
Halloween nightmares for CISOs come in many shapes and sizes, and our commentators tell us what scares them on the network.
Stop the kill-chain higher up to increase chances of preventing an attack says Patrick Peterson.
Web sites that take advertising need to protect against inadvertently delivering malware to their users, before, during and after an attack, explains Terry Greer-King.
Flexible working can bring security pitfalls, according to Imation's Nick Banks.
Track and audit changes on the network, especially by privileged users, and make it known that monitoring happens in order to reduce misuse says Michael Fimin.
Security consultant Dr Jessica Barker says that the next step to getting more women into cyber security hinges on changing minds and career pathways.
Zero-day vulnerabilities are a fact of life in cyber-security, which is why looping is so essential, says Darren Anstee.
Outsourcing your CISO is an option medium sized organisations should consider says Carl Shallow, who advises a Pay As You Go model to buy in expertise.
New approaches are needed to overcome security concerns related to use of big data analysis suggests Andy Grant, with 'containerising' data and merging data on the fly among options suggested.
Security strategy to prevent mobile data loss involves careful considerations regarding the user, device, and network. Mike Raggo advises implementing a range of controls including use of an enterprise mobility management platform.
Passwords have numerous failings, including their ability to be shared or stolen, meaning that they are not a secure way to authenticate identity, and other options must now be adopted says Dana Epp.
The ability of attackers to exploit XSS flaws is more an economic issue than a technical one says Ilia Kolochenko who calls for prompt professional action when vulnerabilities are identified.
The coming Internet of Things explosion is more than your firewall can cope with says Steven Rosen, advising companies to take additional measures to deal with new threats.
Used and broken Android tablets often retain access to passwords even when wiped - so be careful how you dispose of them says Ken Munro.
Wearable technology raises many of the same concerns as smart phones and USBs - recording, storing and transmission of data by individuals - and your security policies should include that risk says Paul Martini.
If implemented well, choosing your own device (CYOD) brings benefits beyond BYOD or company-imposed mobile devices says David Brady.
Torben Andersen describes the top eight reasons why multi-factor authentication is a security best practice that CEOs need to ensure is implemented.
The days of magnetic tape as a storage media need not be over says Christian Toon who makes the case for revisiting its attributes.
Face-to-face information-sharing with peers is a vital route to learn industry fraud-prevention lessons says Tim Lansdale.
There are security vulnerabilities when using passwords, but Tyler Moffitt says that there are steps that you can and should take to make sure your data is less easy to access.
Biometric id options need appropriate mobile computing support to ensure that they too are not compromised says Jon Geater.
Having comprehensive cyber risk policies that are not followed can be as detrimental as not having a policy at all says Peter Given.Good who advises that good risk-insurance will demand appropriate procedures are both in place and implemented.
Whatever Snowden's motivations, Ilia Kolochenko contends that the industry has misused the resulting information and often sold kit rather than true security solutions and expertise.
Despite the recent iCloud breach, cloud security is better than its current image suggests - and if you are demanding of your supplier, it can be better still says Jamal Elmellas.
Deploying appropriate technology is necessary to protect business critical information stored within racks and cabinets at data centres says Mark Hirst.
Individuals want privacy for their data, but they will share it if they can explicitly choose to do so having been told what benefits they will gain says Sachiko Scheuing.
Increased consequences for the loss of non-financial data, especially fines from regulators, is expected to drive a more rigorous approach to data protection suggests Fergus Kennedy.
Intelligence-led third party red-teaming testers can identify the blind spots that in-house teams thought they had covered suggests Simon Saunders.
Identity, payment and security need to become seamless and inherently more secure in themselves than anything we currently use for mobile identity, says Nick Barth.
Moves to increase SME participation in government IT tendering drew criticism, but Peter Groucutt explains how G-Cloud has helped reduce security concerns as one of the objections.
Companies must think like a hacker and commit to penetration testing to protect themselves from data breaches, says Chema Alonso.
App vulnerabilities need to be thought about holistically, so the network and database in which they reside also need to be considered says Josh Shaul.
The growing impact of web exploits isn't just limited to the enterprise market and must be countered on an industry-scale, says Pedro Bustamante.
A different attitude to privacy and security among many new workplace entrants is a potential risk that has to be managed says Chris Sullivan.
Protect against real-world threats and test the most likely scenarios using relevant models, including low-tech, says Gavin Watson.
Josh Goldfarb asks how the infosec community can move from informal and exclusive trust circles to more mature formal information sharing approaches, without losing agility and effectiveness.
International use of personal data emphasises the differing laws that need to be adhered to, but there are solutions explains Alan Kessler.
Technology and standards need to evolve to cope with the rise of the connected car says Fred Kost.
The government's initiative to set a baseline certification scheme for cyber security, Cyber Essentials, is now underway and John Godwin encourages companies to get certified as soon as possible.
The ever-changing threat landscape is causing problems, with many business networks unable to keep up with the pace of innovation, argues Gavin Millard.
Further lessons from Heartbleed, beyond the hype, include caution when listening to advice, such as re-setting passwords, says Chris Russell.
A holistic approach to security management is needed to bridge the gap between strategy and technology says Chris Yule.
When the two IPs meet (intellectual property and internet protocol) the value of the business becomes vulnerable says Dave King, with IT often just providing a sticking plaster to hide C-suite ignorance.
Industry needs a brighter collaborative approach to help bring it out of the dark ages says Alan Carter.
Don't capitulate, have a plan in place, and of course, prevention is better than cure when it comes to tackling the prospect of DDoS ransom attacks says Dan Holden.
Nation-state attacks on CNI will be facilitated by the internet of things, and government regulation is needed to set standards, but the actual likelihood of CNI attacks remains very low says Raimund Genes.
The tools exist to by-pass many data leakage programmes and facilitate mass exfiltration of data, so enable internal whistleblowing - to avoid external access says Edward Parsons.