In no particular order, here are the sites I consider must-haves for anyone who wants to stay up to date on IT security issues.
F-Secure: Unlike other industries I’ve covered (cough, cough banking cough, cough) security company blogs tend to be reliable and hugely informative. F-Secure is just one of many great examples of this. They put a premium on sharing code – so this is a site for alpha geeks and not just casual readers. Irrelevant side note: F-Secure is a Finnish company – don’t worry, the site is fluent in English – and Finnish is one of the strangest languages in the world. My son just took an intro to it and told me, “It has 16 cases (Google Grammatic Cases if you don't know what I'm talking about). One of those is the Partitive "OHGODWHY" case which changes a word based on when the word entered the language.”
Internet Storm Center: Ummm, do I really have to say anything about this one?
Schneier On Security: He is very smart and willing to call B.S. when he spots it. That by itself makes this blog a jewel. The fact that he actually knows how to write is not to be sneered at either. This and his monthly Crypto-Gram email newsletter are must reads for both casual observers and hardcore code types.
Threat Post: From Kaspersky Labs, it has a very good news feed. The real reason to go here though are its three great expert bloggers: Dennis Fisher, Paul Roberts and Robert Lemos. Their blogs are deep and frequently unexpected looks at threats and issues.
Network World: At the risk of sounding like a homer, I find the feed on security issues to be a great way to keep up on breaking news.
Naked Security: This site from Sophos Labs is basically a news organization of and for IT security experts. I frequently run into companies that want to position themselves as “thought leaders” when what they mean is soft-sell marketing. This is not that. This is the goods.
SlashDot: Still good after all these years. You have to wade through a lot of posts on other topics (which are usually pretty damn interesting) but it’s always worth it.
The Register: It has good information and but I don’t know why its security feed has such a lousy noise-to-signal ratio: Way too much irrelevant stuff in it.
InfoSec Island: Another blog from a security company, InfoSec tends to have white paper type posts along with a pretty good news feed.
I've undoubtedly missed some other good ones. All suggestions welcomed.