Building programs, assuring budgets and guarding against future threats are all in a day's work for Experian's Stephen Scharf, reports Illena Armstrong.
Disciplines like philosophy or history fail to conjure up images of the stereotypical information security professional in the mind's eye. Backgrounds like this, though, have spawned some immensely inventive and often accomplished chief security officers over the years.
In fact, according to many experts, the IT security market largely has been formed on the backs of individuals from various branches of learning. It's because of these diverse experiences and wide-ranging credentials that the field has been so energizing to the many professionals who have fostered its continued growth and current entrée into the mainstream.
“Dan Geer made a great observation when he said that the makeup of the people in our profession is dramatically shifting,” explains Stephen Scharf, global CISO of Experian and winner of SC Magazine's 2012 CSO of the Year award, which is announced each year at the SC Awards U.S. gala in February. “Fifteen years ago, people got into security from a different field. This was very exciting because they brought their existing skill sets when solving problems. So when you put together a network engineer, a Windows engineer, a lawyer, a programmer, a biostatistician and a kid from the NSA to solve a problem, you get some really creative solutions. That is starting to shift as more security folks are entering the industry directly from college.”
Scharf admittedly joined the profession via the old-school approach. “My mother offered me some great advice when I was struggling with what to pick as a major,” he says. “She said that whatever you major in will not define your lifelong profession. So, instead of stressing about what you want to be, it is better for you to declare a major that you enjoy and [from which you] will learn something.”
Learning is an activity Scharf engages in every day, says his friend and industry peer Dave Cullinane, CSO and vice president of eBay, and SC Magazine's CSO of the Year in 2005.
“He's a quick study, just brilliant,” says Cullinane, adding that once Scharf has a sound understanding of a subject area, he's quick to use the knowledge in inventive ways to improve situations – often without disruption to others. “He's a really good student of the profession.”
Right after college, Scharf was a sales representative for Generative N/C Technology, a small company where he did sales, customer support and even ran the company's trade show presence. “That is where I cut my teeth on technology and got excited about it,” he says.
IT was among various areas of interest for Scharf in his younger days. “I have always been someone who likes to tinker and [I tend] to focus on things that are logical and analytical,” he says. “This is why technology has always appealed to me.”
After getting a taste for the industry at Generative, Scharf went on to work as a systems and network engineer for a bank, moved on to become a server group manager for a lab, and then took a senior security consulting gig at the well-known professional services company @Stake (where Geer was CTO).
Dave Aitel, a National Security Agency research scientist at age 18, who moved on to @Stake six years later where he also worked as a senior security consultant, says Scharf is an anomaly. As Scharf honed both his technical and policy knowledge, he flourished as a consultant. The overarching requirement to teach executive clients how to partner security needs with corporate goals further bolstered a natural transition to the CSO role.
“He has a cool head,” says Aitel, adding that this is key to managing multimillion-dollar risks to the business. “You can't be excitable in [the CSO] post. It's a marathon. Stephen's not thirsty. If you're too thirsty, you wouldn't last two weeks.”
It was in 2002 that Aitel left @Stake to launch Immunity, a software security company, where he is now CTO. Around that time, Scharf moved on to financial news corporation Bloomberg where he worked for Aitel's wife, who was CSO at the time. Later, he took over the post.