Though cyber attacks have been around for years, in 2014 there was an explosion in the volume of attacks and a marked increase in the losses and damages they inflicted. In 2015, this does not seem to be letting up. In February, Anthem health care insurers were compromised, putting 80 million current and former customers...

When I started out in security, only very large organizations with a mature set of business processes dared to talk about implementing some form of governance, risk, and compliance (GRC) or enterprise program (e-GRC). They generally did it in an attempt to get ISO or similar certification, or to “move their programs to the next...


This week, I’m at a big vendor’s big conference – a conference which, on the surface, may not appear to be primarily about security: IBM’s Information on Demand event in Las Vegas. “But you’re a security analyst. Why are you going to IOD?” you ask. (And if you didn’t, let me explain:) With over 12,000...

posted by Scott Crawford   | November 22, 2010 | 0 Comments


Is it possible to have security and privacy? The question has been brought to a head recently, with the intense backlash to the US Transportation Security Administration’s more assertive passenger security checks – a reaction that seems likely to become only more heated with the coming of the busy holiday travel season. The issue for...

posted by Scott Crawford   | November 11, 2010 | 0 Comments

The Verizon RISK team have just published their VERIS community application. Structured on the VERIS (Verizon Enterprise Risk and Incident Sharing) framework, this application is a tool they have made available to extend to anyone the ability to contribute information on data breach incidents, to enrich the already considerable body of breach data Verizon has...

posted by Scott Crawford   | August 31, 2010 | 0 Comments


In my last post, I talked about getting beyond “the business of no” in security, to a more effective and thorough approach in which organizations define their objectives, actually implement them, maintain visibility into the environment for consistency with those objectives or activity that could indicate threats, and respond accordingly. This more mature approach is...