Tom Scurrah

Tom Scurrah

Cybersecurity Collaborative
VP, Cybersecurity Programs and Content

For over 20 years, Tom has practiced as a cyber security professional as an executive director of information security for Verizon, a founder of two cyber security consulting firms, and Vice President of Content and Programs for the Cybersecurity Collaborative.

Tom is CEO of MyDataOnly, Inc., which offers privacy and security consultation and security (penetration) testing services. Tom began his career in IT in programming and strategic planning and later founded a customer satisfaction measurement firm.

Tom holds four security certifications (CISSP, CISM, PCIP) and one privacy certification (CIPP/US). He has a master’s degree from MIT’s Sloan School of Management and is a Marine Corps veteran.

Task Force
Q3 2021
This Task Force led by Cybersecurity Collaborative’s own Tom Scurrah is focused on facilitating a series of knowledge sharing sessions and developing resources addressing the threat of ransomware.
More info
Task Force
Q4 2021
This Task Force led by Cybersecurity Collaborative’s own Tom Scurrah is focused on facilitating a series of knowledge sharing sessions and developing resources addressing third and fourth party incident response
More info
Task Force
Q2 2022
Although organizations recognize the importance of security awareness as a key component of their cybersecurity programs, creating engaging and effective training for employees has been a challenge, especially in an era of ransomware and constant social engineering attacks. This Task Force led by Tom Scurrah aims to address these challenges and develop an executive guide to security awareness.
More info
Task Force
Q2 2022
Over the years, security has evolved as a primary topic in the Boardroom. This evolution has posed three challenges to CISOs: (1) educating Board members of basic security principles; (2) defining and gaining acceptance of Board member security responsibilities; and (3) communicating the entity’s security posture to Board members. Please join us for a scoping meeting, during which we will hear your concerns, proposed discussion topics, and desired deliverables for our upcoming Security and the Boardroom Task Force. Open to all task force eligible members!
More info
Task Force
Q2 2022
Incident Management, which includes response plans and playbooks, has been a foundational control of a cybersecurity program.  However, in recent years, as entities recognize the increasing likelihood of being attacked, incident management has become an even more critical component of the cybersecurity program. Board members and regulators are inquiring about the robustness of the incident response plan to address not only potential breaches, but also third party and critical software vulnerabilities.
More info
Task Force
Q3 2022
Monitoring the computing environment for potential compromises is a key component of an information security program. Traditionally, the Security Operations Center (SOC) has been the monitoring organization and Security Information and Event Management (SIEM) systems have been used to analyze logs for indicators of compromise.  Today, SOCs are facing challenges with staffing and demands for additional capabilities, like threat monitoring. Unable to build their own SOCs, companies rely on using Managed Security Service Providers (MSSPs), who may overlook indicators of compromise because of the challenges of monitoring multiple companies.
More info
Task Force
Q3 2022
The security of internally developed and acquired software is a continuing challenge for most enterprises. Pressures to develop or acquire more application functionality in shorter time periods have driven organizations to agile development and containerization methodologies and to relying on open-source code. These decisions have impacted the way security is addressed within the Systems Development Lifecycle (SDLC) and in testing (e.g., code reviews, and vulnerability scans).
More info
Task Force
Q4 2022
Security metrics can drive improvements to the cybersecurity program, monitor risks and controls effectiveness, and convey security posture to the Boardroom. However, many companies struggle identifying which metrics will be most effective and which graphic representations will be most useful.
More info
Task Force
Q4 2022
Operational Technology is the hardware and software that, through monitoring and control, detects or changes a state, respectively, within industrial equipment.  Operational technology can alter the chemical composition and volume of liquids in various processes, such as oil refinement and water treatment. Therefore, these technologies must be protected from nation-state and other security threats from the Internet.  However, many of the security controls applied to information technology have not been implemented in OT environments, frustrating and concerning CISOs.
More info
Task Force
Q1 2023
The General Data Protection Regulation (GDPR) and other international privacy laws impose legal requirements for the collection, use, and protection of personal information. These requirements include breach notifications to regulatory authorities and restrictions on the transport of personal information. To comply with these laws and regulations, enterprises must now consider the geographic location of personal information, including information processed and stored in the Cloud.
More info
Task Force
Q1-Q4 2023
The success of last year’s task force and member demands to develop and use metrics to drive security program improvements have called for launching a second phase of the security metrics task force in March.  We welcome both previous task force members and new members.  In addition to addressing member requests, task force objectives will include: (1) building out the three-tiered CSC Metrics Framework, with a greater focus on Tier 3 (Risk and Compliance) metrics; and (2) incorporating the Security Metrics Workbook examples in a commercial tool which can be used by CSC members. Meetings will occur every other week on Thursday’s at 1pm EST until the end of the year.  Please join us for a scoping meeting on Thursday, March 9 at 1pm EST, during which we will hear your challenges and review proposed discussion topics and deliverables for our upcoming Security Metrics Task Force.
More info
Task Force
Q2 2023
More info
Cybercast
With the potential of cost savings, reduced operational complexities, and speed to market, many organizations are migrating from on-premises and third-party data centers to Cloud computing environments.  However, accompanying these “cloud first” strategies are many challenges that include protecting confidential data and operating new securit...
More info
Cybercast
The secure and efficient administration of user and technology identities across multiple Cloud and on-premises environments has been a challenge for organizations. Consequently, many CISOs are examining new Identity Governance and Administration (IGA) platforms and authentication mechanisms, which will involve large investments and implementation...
More info
Cybercast
A Third-Party Risk Management Implementation Guide and ToolkitThird parties, whether they provide software or services to an organization, can introduce significant security risks, including ransomware, software vulnerabilities, loss of services, and breaches of confidential information. For this reason, companies have established third party risk...
More info