IA: Do you get enough support from your colleagues and bosses when it comes to implementing and maintaining strong security and risk management plans?
SS: I find the best way to get support is to be pragmatic about our strategy. As long as I can demonstrate realistic risks and articulate valid defenses, I have always been supported by management. Most areas of conflict tend to surface when the security argument gets convoluted and vague. If you cannot successfully articulate a need, then you will not get support. Additionally, if you toss around FUD [fear, uncertainty, doubt], you will quickly lose respect and support.
IA: What steps do you find integral in getting and maintaining such support?
SS: Be practical and realistic about the risk and clearly articulate the need and solution.
IA: When you're undertaking various projects, do you have to work with managers of various business units?
SS: Definitely. Experian is a diverse company with many business units. As such, there are multiple leaders that are impacted by significant changes.
IA: Who do you report to?
SS: I report to our global general counsel, who oversees all areas of risk, including legal, compliance, information security, business continuity planning, government affairs and risk management. I believe the CISO position can work successfully in multiple reporting lines, as long as that executive understands the need and importance of information security. The only reporting line where I have seen limited success is with the CIO. When information security reports to the CIO, it tends to focus more on IT risk and does not always branch out toward other data-related risks.
IA: What about budgetary needs? We hear a lot about return on security investment. How do you show your superiors that security enables business/government endeavors? And how do you get the support, resources and funding you require to do your job?
SS: You do not overreach and you do not ask for more money than you can successfully leverage. It is important that security budgets are crafted with measurable deliverables that can be tracked throughout a project deployment and operation. Because clients have a raised awareness around security practices, it is easier to translate improved controls to client benefits. For example, improved authentication practices that do not significantly reduce the client experience are likely to be seen by clients as value-add and improve their impression of a vendor's security profile.
IA: The economy's been tight. Some have experienced budget cuts, layoffs, travel and hiring freezes and more. How did you fare? Do you foresee more of these stressful budgetary challenges in 2012? Or are things expected to improve?
SS: The past few years have required all organizations to reflect on their operational costs and see where improvements could be made. Experian maintains a practice of being fiscally sound in its approach and ensures appropriate value for services. This has not resulted in a direct drop in security spend.
IA: In regard to compliance demands, what are your priorities and how do you adhere to such regulations? Must you contend not only with regulations in the United States, but also with other countries' regulations?
SS: We operate in multiple countries and partner with our internal compliance and legal departments to correctly define and support adherence to applicable laws and regulations.