Tom Scurrah

CyberRisk Collaborative
VP, Cybersecurity Programs and Content

For over 20 years, Tom has practiced as a cyber security professional as an executive director of information security for Verizon, a founder of two cyber security consulting firms, and Vice President of Content and Programs for the Cybersecurity Collaborative.

Tom is CEO of MyDataOnly, Inc., which offers privacy and security consultation and security (penetration) testing services. Tom began his career in IT in programming and strategic planning and later founded a customer satisfaction measurement firm.

Tom holds four security certifications (CISSP, CISM, PCIP) and one privacy certification (CIPP/US). He has a master’s degree from MIT’s Sloan School of Management and is a Marine Corps veteran.

Task Force
Q3 2021
This Task Force led by Cybersecurity Collaborative’s own Tom Scurrah is focused on facilitating a series of knowledge sharing sessions and developing resources addressing the threat of ransomware.
Task Force
Q4 2021
This Task Force led by Cybersecurity Collaborative’s own Tom Scurrah is focused on facilitating a series of knowledge sharing sessions and developing resources addressing third and fourth party incident response.
Task Force
Q2 2022
Although organizations recognize the importance of security awareness as a key component of their cybersecurity programs, creating engaging and effective training for employees has been a challenge, especially in an era of ransomware and constant social engineering attacks. This Task Force led by Tom Scurrah aims to address these challenges and develop an executive guide to security awareness.
Task Force
Q2 2022
Over the years, security has evolved into a primary topic in the Boardroom. This evolution has posed three challenges to CISOs: (1) educating Board members on basic security principles; (2) defining and gaining acceptance of Board member security responsibilities; and (3) communicating the entity’s security posture to Board members. Please join us for a scoping meeting, during which we will hear your concerns, proposed discussion topics, and desired deliverables for our upcoming Security and the Boardroom Task Force. Open to all task force eligible members!
Task Force
Q2 2022
Incident Management, which includes response plans and playbooks, has been a foundational control of a cybersecurity program. However, in recent years, as entities recognize the increasing likelihood of being attacked, incident management has become an even more critical component of the cybersecurity program. Board members and regulators are inquiring about the robustness of the incident response plan to address not only potential breaches, but also third party and critical software vulnerabilities.
Task Force
Q3 2022
Monitoring the computing environment for potential compromises is a key component of an information security program. Traditionally, the Security Operations Center (SOC) has been the monitoring organization and Security Information and Event Management (SIEM) systems have been used to analyze logs for indicators of compromise. Today, SOCs are facing challenges with staffing and demands for additional capabilities, like threat monitoring. Unable to build their own SOCs, companies rely on using Managed Security Service Providers (MSSPs), who may overlook indicators of compromise because of the challenges of monitoring multiple companies.
Task Force
Q3 2022
The security of internally developed and acquired software is a continuing challenge for most enterprises. Pressures to develop or acquire more application functionality in shorter time periods have driven organizations to agile development and containerization methodologies and to relying on open-source code. These decisions have impacted the way security is addressed within the Systems Development Lifecycle (SDLC) and in testing (e.g., code reviews, and vulnerability scans).
Task Force
Q4 2022
Security metrics can drive improvements to the cybersecurity program, monitor risks and controls effectiveness, and convey security posture to the Boardroom. However, many companies struggle to identify which metrics will be most effective and which graphic representations will be most useful.
Task Force
Q4 2022
Operational Technology is the hardware and software that, through monitoring and control, detects or changes a state, respectively, within industrial equipment. Operational technology can alter the chemical composition and volume of liquids in various processes, such as oil refinement and water treatment. Therefore, these technologies must be protected from nation-state and other security threats from the Internet. However, many of the security controls applied to information technology have not been implemented in OT environments, frustrating and concerning CISOs.
Task Force
Q1 2023
The General Data Protection Regulation (GDPR) and other international privacy laws impose legal requirements for the collection, use, and protection of personal information. These requirements include breach notifications to regulatory authorities and restrictions on the transport of personal information. To comply with these laws and regulations, enterprises must now consider the geographic location of personal information, including information processed and stored in the Cloud.
Task Force
Q1-Q4 2023
The success of last year’s task force and member demands to develop and use metrics to drive security program improvements have called for launching a second phase of the security metrics task force in March. We welcome both previous task force members and new members. In addition to addressing member requests, task force objectives will include: (1) building out the three-tiered CSC Metrics Framework, with a greater focus on Tier 3 (Risk and Compliance) metrics; and (2) incorporating the Security Metrics Workbook examples in a commercial tool which can be used by CSC members. Meetings will occur every other week on Thursdays at 1pm EST until the end of the year. Please join us for a scoping meeting on Thursday, March 9 at 1pm EST, during which we will hear your challenges and review proposed discussion topics and deliverables for our upcoming Security Metrics Task Force.
Cybercast
With the potential of cost savings, reduced operational complexities, and speed to market, many organizations are migrating from on-premises and third-party data centers to Cloud computing environments. However, accompanying these “cloud first” strategies are many challenges that include protecting confidential data and operating new securit...
Cybercast
The secure and efficient administration of user and technology identities across multiple Cloud and on-premises environments has been a challenge for organizations. Consequently, many CISOs are examining new Identity Governance and Administration (IGA) platforms and authentication mechanisms, which will involve large investments and implementation...
Cybercast
A Third-Party Risk Management Implementation Guide and Toolkit
Third parties, whether they provide software or services to an organization, can introduce significant security risks, including ransomware, software vulnerabilities, loss of services, and breaches of confidential information. For this reason, companies have established third party risk...
Cybercast
Securing Operational Technology is a challenge for many organizations that depend on the continual availability of ICS/SCADA systems to manufacture their products. For example, maintenance windows for security patches are often hard to find and raise concerns about “breaking” systems. Furthermore, OT systems require Internet access and, therefor...
Cybercast
By operating Records & Information Management (RIM) functions, data security and lifecycle management practices have been employed by organizations even before computing became the norm. However, these practices are continually stretched to keep pace with new technologies, like AI, which can pose threats to data confidentiality and integ...
Cybercast
CISOs strive to develop and use security metrics as an objective way to: (1) portray the state of their security programs; and (2) effect positive change to security controls, like patching within SLAs and improving phishing email awareness. However, they are challenged by data collection difficulties, limitations of reporting tools, and uncertain...
Cybercast
Vulnerability management remains an uphill challenge for security teams. In this month of CISO Stories, we look at the findings of a cross-sector task force of CISOs and staff who shared their challenges and best practices for developing effective vulnerability management practices. Topics include: managing vulnerabilities on premises, in the cloud, and in third-party environments; identification, classification, prioritization, and remediation best practices; standards and charters; organizational structures; and scanning tools. Supporting tools to be shared include a CISO’s Guide to Effective Vulnerabilities and a Vulnerability Management Maturity Checklist. Practitioners will also connect the dots on how effective vulnerability management can be used to continuously improve identity, application, cloud and network security, anti-ransomware efforts, zero trust, email security, threat intelligence, AI and third-party risk management.