CSO of the Year: Stephen Scharf
CSO of the Year: Stephen Scharf

“He knows from Bloomberg that it's not a thankful job,” says Aitel. “People don't come up to you and say, ‘Hey, good job on stopping all those attacks.' They only come to you when something bad happens. There's no positive feedback in that job – only negative. So it takes a special brain to say, ‘I'm doing a good job. I know it internally. I don't have to have external feedback on that.'”

Such intrinsic drive likely came in handy as Scharf moved to his current post at Experian, where he's done much to strengthen the company's overall information security and compliance posture, says his boss Robert Nelson (left), global general counsel.

“Stephen was hired to lead the globalization of our information security program,” says Nelson. “His leadership has provided for consistent security practices across the organization and resulted in increased resiliency in our infrastructure.”

In addition, Scharf also has had a hand in ensuring that the company's own product offerings are sound, adds Nelson. “By helping to identify and reduce risk during the product lifecycle, Stephen has supported our growth strategies by ensuring the deployment of appropriate controls.”

As a company that generated $4.2 billion in revenue during its last fiscal year, this is no small feat. Experian has operations in 41 countries and employs 15,000 people.

“Through a robust collection of partners, resellers and direct subscribers, we provide data products which enable our clients to make critical financial decisions,” explains Nelson. “We also offer many direct-to-consumer products that provide assistance with credit monitoring and identity protection.”

Scharf's role in helping to maintain the company's internal controls and safeguarding the integrity of its solutions is critical and requires the combination of technical prowess and business acumen. Armed with these traits, strong CSOs can help leaders understand and support any IT security necessities that are required to run successful organizations in today's technology-based world.

“Stephen is able to translate security requirements from technical speak into business drivers,” says Nelson. “Before Stephen joined Experian, we had a regional approach to information security. Each region operated successfully, but leveraged different methods. By globalizing the program, we have been able to elevate the best practices in each region into our global standard.”

Immunity's Aitel puts it more directly: “Previous to Stephen, they were getting hacked and, now, not so much.”

And while the company probably will one day find itself victimized by cyber criminals – after all, “no one plays perfect ball” – Scharf, who, remember, is very clear-headed and calm, thinks long-term, adds Aitel. These attributes combined with his in-depth and varied experiences will serve any company well today.

When Scharf was at Bloomberg in New York as the company's information security lead, he was subsequently assigned the task of overseeing the physical security side of the house. A little taken aback and a tad bit stressed by this addition to his duties since it was a space with which he had little experience, Scharf still was undeterred by the challenge. But, he needed some mentoring and guidance in this area, so he turned to Cullinane, who was working for a financial institution in Massachusetts at the time and had oversight of IT and physical security. Spending “a bunch of time” with his friend and the security team in New England, Scharf proved a quick study, says Cullinane. He became one of the most innovative pros at the time, marrying physical and IT security requirements to establish a balanced risk perspective by putting “bleeding-edge” controls in place.

“He's done an extraordinary job,” says Cullinane. “He looks at things and tries to think of better ways to solve problems. He's absolutely one of the best in the business.”

The various practices he's put into place at Experian seem to bolster the compliment.

“Stephen is focused on helping to ensure our security strategy matches closely with our business objectives,” says his boss Nelson. “He routinely meets with senior leadership to understand their goals and adapts our security initiatives as needed to reduce areas of risk. Our security program continues to evolve, and enhancements are always taking place where measurable improvements can be gained.”

For his part, Scharf says he never regretted opting for humanities over science in college.

“I feel that a humanities background gives you core skills in writing, literature, history, philosophy and psychology that transcend any profession,” he says. “I cannot tell you how many computer science majors I have met that still cannot write a grammatically correct email, or reference historical facts and figures.”

At the same time, given the huge growth of undergraduate and graduate programs offering concentrations in information security, Scharf ponders his current field's future.

“It will be interesting to see if the level of creativity diminishes as a result of the lack of other perspectives,” he says.

Scharf also offered his perspective on other areas near and dear to CSOs: