Building programs, assuring budgets and guarding against future threats are all in a day's work for Experian's Stephen Scharf, reports Illena Armstrong.
Disciplines like philosophy or history fail to conjure up images of the stereotypical information security professional in the mind's eye. Backgrounds like this, though, have spawned some immensely inventive and often accomplished chief security officers over the years.
In fact, according to many experts, the IT security market largely has been formed on the backs of individuals from various branches of learning. It's because of these diverse experiences and wide-ranging credentials that the field has been so energizing to the many professionals who have fostered its continued growth and current entrée into the mainstream.
“Dan Geer made a great observation when he said that the makeup of the people in our profession is dramatically shifting,” explains Stephen Scharf, global CISO of Experian, and SC Magazine's 2012 CSO of the Year award winner, which is announced each year at the SC Awards U.S. gala in February. “Fifteen years ago, people got into security from a different field. This was very exciting because they brought their existing skill sets when solving problems. So when you put together a network engineer, a Windows engineer, a lawyer, a programmer, a biostatistician and a kid from the NSA to solve a problem, you get some really creative solutions. That is starting to shift as more security folks are entering the industry directly from college.”
Scharf admittedly joined the profession via the old-school approach. “My mother offered me some great advice when I was struggling with what to pick as a major,” he says. “She said that whatever you major in will not define your lifelong profession. So, instead of stressing about what you want to be, it is better for you to declare a major that you enjoy and [from which you] will learn something.”
Learning is an activity Scharf engages in every day, says his friend and industry peer Dave Cullinane, CSO and vice president of eBay, and SC Magazine's CSO of the Year in 2005.
“He's a quick study, just brilliant,” says Cullinane, adding that once Scharf has a sound understanding of a subject area, he's quick to use the knowledge in inventive ways to improve situations – often without disruption to others. “He's a really good student of the profession.”
Right after college, Scharf was a sales representative for Generative N/C Technology, a small company where he did sales, customer support and even ran the company's trade show presence. “That is where I cut my teeth on technology and got excited about it,” he says.
IT was among various areas of interest for Scharf in his younger days. “I have always been someone who likes to tinker and [I tend] to focus on things that are logical and analytical,” he says. “This is why technology has always appealed to me.”
After getting a taste for the industry at Generative, Scharf went on to work as a systems and network engineer for a bank, moved over to a server group manager for a lab, and then took a senior security consulting gig at the well-known professional services company @Stake (where Geer was CTO).
Dave Aitel, a National Security Agency research scientist at age 18, who moved on to @Stake six years later where he also worked as a senior security consultant, says Scharf is an anomaly. As he honed both his technical and policy knowledge, he flourished as a consultant. The over-arching requirement to teach executive clients how to partner security needs with corporate goals further bolstered a natural transition to the CSO role.
“He has a cool head,” says Aitel, adding that is key to managing multimillion dollar risks to the business. “You can't be excitable in [the CSO] post. It's a marathon. Stephen's not thirsty. If you're too thirsty, you wouldn't last two weeks.”
It was in 2002 that Aitel left @Stake to launch Immunity, a software security company, where he is now CTO. Around that time, Scharf moved on to financial news corporation Bloomberg where he worked for Aitel's wife, who was CSO at the time. Later, he took over the post.
“He knows from Bloomberg that it's not a thankful job,” says Aitel. “People don't come up to you and say, ‘Hey, good job on stopping all those attacks.’ They only come to you when something bad happens. There's no positive feedback in that job – only negative. So it takes a special brain to say, ‘I'm doing a good job. I know it internally. I don't have to have external feedback on that.’”
Such intrinsic drive likely came in handy as Scharf moved to his current post at Experian, where he's done much to strengthen the company's overall information security and compliance posture, says his boss Robert Nelson, global general counsel.
“Stephen was hired to lead the globalization of our information security program,” says Nelson. “His leadership has provided for consistent security practices across the organization and resulted in increased resiliency in our infrastructure.”
In addition, Scharf also has had a hand in ensuring that the company's own product offerings are sound, adds Nelson. “By helping to identify and reduce risk during the product lifecycle, Stephen has supported our growth strategies by ensuring the deployment of appropriate controls.”
For a company that generated $4.2 billion in revenue during its last fiscal year, this is no small feat. Experian has operations in 41 countries and employs 15,000 people.
“Through a robust collection of partners, resellers and direct subscribers, we provide data products which enable our clients to make critical financial decisions,” explains Nelson. “We also offer many direct-to-consumer products that provide assistance with credit monitoring and identity protection.”
Scharf's role in helping to maintain the company's internal controls and safeguarding the integrity of its solutions is critical and requires the combination of technical prowess and business acumen. Armed with these traits, strong CSOs can help leaders understand and support any IT security necessities that are required to run successful organizations in today's technology-based world.
“Stephen is able to translate security requirements from technical speak into business drivers,” says Nelson. “Before Stephen joined Experian, we had a regional approach to information security. Each region operated successfully, but leveraged different methods. By globalizing the program, we have been able to elevate the best practices in each region into our global standard.”

Immunity's Aitel puts it more directly: “Previous to Stephen, they were getting hacked and, now, not so much.”
And while the company probably will one day find itself victimized by cyber criminals – after all, “no one plays perfect ball” – Scharf, who, remember, is very clear-headed and calm, thinks long-term, adds Aitel. These attributes combined with his in-depth and varied experiences will serve any company well today.
When Scharf was at Bloomberg in New York as the company's information security lead, he was also assigned the task of overseeing the physical security side of the house. A little taken aback and somewhat stressed by this addition to his duties, since it was a space in which he had little experience, Scharf was nonetheless undeterred by the challenge. He did need some mentoring and guidance in this area, so he turned to Cullinane, who was working for a financial institution in Massachusetts at the time and had oversight of both IT and physical security. Spending “a bunch of time” with his friend and the security team in New England, Scharf proved a quick study, says Cullinane. He became one of the most innovative pros of the time, marrying physical and IT security requirements to establish a balanced risk perspective by putting “bleeding-edge” controls in place.
“He's done an extraordinary job,” says Cullinane. “He looks at things and tries to think of better ways to solve problems. He's absolutely one of the best in the business.”
The various practices he's put into place at Experian seem to bolster the compliment.
“Stephen is focused on helping to ensure our security strategy matches closely with our business objectives,” says his boss Nelson. “He routinely meets with senior leadership to understand their goals and adapts our security initiatives as needed to reduce areas of risk. Our security program continues to evolve, and enhancements are always taking place where measurable improvements can be gained.”

For his part, Scharf says he never regretted opting for humanities over science in college.
“I feel that a humanities background gives you core skills in writing, literature, history, philosophy and psychology that transcend any profession,” he says. “I cannot tell you how many computer science majors I have met that still cannot write a grammatically correct email, or reference historical facts and figures.”
At the same time, given the huge growth of undergraduate and graduate programs offering concentrations in information security, Scharf ponders his current field's future.
“It will be interesting to see if the level of creativity diminishes as a result of the lack of other perspectives,” he says.

Scharf also offered his perspective on other areas near and dear to CSOs:
Illena Armstrong: How long have you been in information security? Can you highlight the positions and organizations that helped you prepare for your stint for Experian? What about pertinent training and certifications?
Stephen Scharf: I have worked in information security for the last 14 years. Before working in the field, I held various positions in information technology, customer service and sales. I believe that having a background in IT operations allows me to better understand the impact of security actions/strategies. I also believe that having previous experience in sales and customer support has allowed me to better communicate with business leaders while focusing on client growth and satisfaction.
IA: Can you point to any mentors who helped you to get to this point of understanding about information security?
SS: My current and previous boss(es) have been supportive in my drive to build successful security programs and teams. I am also grateful for my consulting experiences while working at @stake. I had the benefit of partnering with many brilliant security researchers, and I did the best I could to absorb as much as possible during my four-year consulting tenure.
IA: What have been your major achievements in the last year of which you're most proud?
SS: I have continued to foster collaboration and consistency across our global business in areas of information security practices and procedures. By focusing on repeatable processes, I have been able to foster a “build once, use many” practice. This has resulted in the removal of unnecessary duplication within security architectures and global strategies. Specifically, we have deployed a consistent application security process, which seeks to deploy equal parts of developer training and application testing.
IA: What were the major challenges associated with these?
SS: By focusing on consistency in operations, we have also been able to demonstrate measurable cost savings. It is costly to do the same thing five different ways. By reducing complexity, we have been able to consolidate some vendor relationships and thus drive down unit costs due to higher volumes. We have also justified increased automation in some areas by articulating the reduction in manual intervention. For example, PC infections waste valuable time for both the affected employee and the help desk. By reducing the number of infections, we also can reduce the amount of wasted personnel hours and thus justify the cost of a preventative solution.
IA: Who in your organization helped with these achievements?
SS: Help is offered from many areas. First off, we have a great security team that continually converts strong ideas into actions. We then partner with sourcing and supply chain to vet through vendor solutions and evaluate third-party security controls. We then partner with our IT organization to effectively roll out technical solutions. We then partner with HR and legal to ensure that appropriate policies are crafted to drive employee behavior.
IA: What processes and solutions/vendors helped you reach your project goals?
SS: We have partnered with multiple vendors which supply hardware, software and consulting services. We reduce our complexity by limiting the number of vendors we leverage, but at the same time we are conscious of not falling into the trap of monoculture. We leverage dissimilar solutions/vendors when appropriate to ensure that a single gap is not propagated extensively.
IA: What about Experian's own solutions?
SS: Experian sees the security and privacy of data under its management as one of its highest priorities. We have a vast collection of internal practices, as well as a comprehensive set of security policies, that we leverage. We routinely participate in client audits, and walk our customers through our practices. We also have completed our sixth year of PCI certification for our products and services that touch credit card data.
IA: Is this a sign that more companies and individuals care more about how organizations are shepherding their critical content, that they care about the security of their details when dealing with vendors?
SS: Absolutely. The concept of “trust, but verify” has quickly replaced trust alone. Because these practices have penetrated into the sales process they tend to drive results. As a result, I find myself and my team continually active in these areas. We spend ample time auditing our vendors, and also spend time getting audited by our clients.
IA: Do you get enough support from your colleagues and bosses when it comes to implementing and maintaining strong security and risk management plans?
SS: I find the best way to get support is to be pragmatic about our strategy. As long as I can demonstrate realistic risks and articulate valid defenses, I have always been supported by management. Most areas of conflict tend to surface when the security argument gets convoluted and vague. If you cannot successfully articulate a need, then you will not get support. Additionally, if you toss around FUD [fear, uncertainty, doubt], you will quickly lose respect and support.
IA: What steps do you find integral in getting and maintaining such support?
SS: Be practical and realistic about the risk and clearly articulate the need and solution.
IA: When you're undertaking various projects, do you have to work with managers of various business units?
SS: Definitely. Experian is a diverse company with many business units. As such, there are multiple leaders that are impacted by significant changes.
IA: Who do you report to?
SS: I report to our global general counsel, who oversees all areas of risk, including legal, compliance, information security, business continuity planning, government affairs and risk management. I believe the CISO position can work successfully in multiple reporting lines, as long as that executive understands the need and importance of information security. The only reporting line where I have seen limited success is with the CIO. When information security reports to the CIO, it tends to focus more on IT risk and does not always branch out toward other data-related risks.
IA: What about budgetary needs? We hear a lot about return on security investment. How do you show your superiors that security enables business/government endeavors? And how do you get the support, resources and funding you require to do your job?
SS: You do not overreach and you do not ask for more money than you can successfully leverage. It is important that security budgets are crafted with measurable deliverables that can be tracked throughout a project deployment and operation. Because clients have a raised awareness around security practices, it is easier to translate improved controls to client benefits. For example, improved authentication practices that do not significantly reduce the client experience are likely to be seen by clients as value-add and improve their impression of a vendor's security profile.
IA: The economy's been tight. Some have experienced budget cuts, layoffs, travel and hiring freezes and more. How did you fare? Do you foresee more of these stressful budgetary challenges in 2012? Or are things expected to improve?
SS: The past few years have required all organizations to reflect on their operational costs and see where improvements could be made. Experian maintains a practice of being fiscally sound in its approach and ensures appropriate value for services. This has not resulted in a direct drop in security spend.
IA: In regard to compliance demands, what are your priorities and how do you adhere to such regulations? Must you contend not only with regulations in the United States, but also with other countries' regulations?
SS: We operate in multiple countries and partner with our internal compliance and legal departments to correctly define and support adherence to applicable laws and regulations.
IA: While compliance has prompted corporate leaders to understand security needs more, there may be some thought that compliance with certain mandates means security of critical data. As many incidents illustrate (think WikiLeaks or some others, like Heartland), that's not the case. How do you make sure those corporate leaders who are supporting you and are responsible for allocating resources understand this so that you get the required support and budget you need for your projects (which ultimately are part and parcel of business activities)?
SS: It is important to explain that security is a process and not a “tick the box” exercise. A successful security strategy must take into account relevant compliance activities, but cannot be solely based on those activities. Compliance exercises absolutely help to reduce risk, but they do not guarantee the elimination of risk.
IA: If you have a number of mandates to which you must answer, how do you avoid duplicating efforts to address these?
SS: For external mandates, it is helpful to use a tool, such as the Unified Compliance Framework, which allows for mapping across multiple controls. We also align our internal assessments to map back to our policies and procedures. This removes ambiguity from ad hoc security reviews and forces consistent criteria across different business operations.
IA: How do privacy issues factor into what you do?
SS: Privacy of data is a critical component of our governance programs. Each new product/service must pass through a series of legal and compliance reviews to ensure that data is used in accordance with our privacy policies, in addition to industry regulations.
IA: What privacy regulations (in the United States and abroad) must you comply with? What are your organization's main objectives when it comes to privacy, and how do you ensure these goals are met? Is there a privacy officer with whom you work at your company?
SS: I work closely with our privacy team as they address the many external requirements that are relevant to our global operations. Some of the items we follow are HIPAA, PCI, GLBA, FISMA, as well as EU data protection requirements.
IA: We've heard there's a dearth of good help lately. When hiring information security practitioners, what experience/knowledge/certifications/attributes do you look for? What advice would you give to individuals looking to enter the field of information security?
SS: Great people are always hard to find and consistently in high demand. When looking at candidates, I focus more on experience and results and less on certification and degrees. What you have accomplished and how creative you can be is a greater draw than an acronym after a name. For new individuals entering the field, I would strongly suggest they get some complementary skills to add to IT security. Having some operational experience is always a plus. This way you have a better understanding of the impact of your security recommendations. It is hard to build credibility with your IT counterparts if you have no understanding of how tough their job is.
IA: How do you see the job of information security professionals evolving in the distant future? Will the job be evermore integrated into day-to-day business? How will this affect job growth and job security in this space, do you think?
SS: I see information security evolving to a more defined risk management process. Many organizations are starting to see information security as one of many governance areas they need to address. This also includes legal, compliance and insurance. I see the profession evolving out of the IT space and partnering with a broad set of operational risks that report and address exposures more broadly across an organization.
IA: What is on your agenda for the coming year?
SS: Experian has a history of growth via acquisition. Activities next year will focus on the continued integration of our acquired entities, as well as a myriad of continual improvements across our application and network infrastructure.
IA: What other specific projects are on tap for this year and starting in the next? Any forward-thinking plans that you'd like to highlight in the way of security implementations/other projects?
SS: We continue to dedicate time and money toward our internal security awareness campaigns. Our team is able to use an appropriate amount of humor in order to deliver entertaining content, while still handling the material in a respectful way.
IA: What are some of the major challenges you believe you and your counterparts at other companies/government entities face in the next year? What about the major threats to your organization and its critical data?
SS: Employee diligence is an ongoing effort. As previously mentioned, we spend considerable time and money on employee awareness. We understand that employees are focused on getting their jobs done and do not always think before clicking. Therefore, we marry our awareness efforts with numerous automated protections to help defer the risk of malicious activity initiated by user behavior.
IA: Any advice on how to tackle these?
SS: A program of constant diligence. When responsible for protecting a highly complex and distributed environment, it is important to leverage scalable technical solutions that complement robust end-user training programs.
IA: What are the threats/newer applications that you think you and others in your position must address this year? How will you do this?
SS: I do not foresee a new class of attacks, but rather continued sophistication of existing attack vectors. I believe that malicious events will continue at the same frequency and leverage greater use of stealth. The obvious signs of the ‘Nigerian scam’ messages will be replaced with highly credible and real-looking phishing and other social threats that prey on the average user. The continued proliferation of social media will aid in fostering these attack vectors and lead to an increased success rate.
IA: What are the security technology must-haves companies/governments should have in place?
SS: We have grown past the basic use of firewalls and anti-virus. Those are now defined as the preschool requirement of security. More robust security programs will leverage a mixture of data leakage prevention solutions, malware detection, application level firewalls and forensic tools.
IA: What about policies and programs?
SS: These are a must-have in any organization. The security policy defines what is acceptable. It is then possible to leverage policies to establish control baselines, which are measured across the organization.
IA: What's your best advice to others when it comes to building a strong security program?
SS: Ensure that your security strategy maps successfully to your company's risk profile. Security is highly subjective and can be ultra-conservative, such as top-secret government installations, or it can be loose and flexible, like a new start-up organization. A successful security executive must understand the appropriate level of risk in their organization and then build their security program to complement that risk level.
IA: Any hobbies, destination spots or other more personal areas of your background that you would like to share?
SS: Not that much. I recently started to pick up golf and enjoy a good game of poker or chess. I also volunteer in the industry and currently sit on the board of directors of ASIS [a security organization with 37,000 members worldwide that develops educational programs]. I am also a past member of the board of directors for the Information Systems Security Association [ISSA, a nonprofit, global organization of information security professionals and practitioners].
A winding road
Stephen Scharf's diverse background has led to some creative thinking on the job as a CSO, which seems to have served him well. Here's a rundown of what he did after studying world wars and before taking on the small ones fought in businesses every day:
Generative N/C Technology – “Started as sales rep selling nesting software. Basically, it was a CAD/CAM product that moved manufacturing parts on raw material like a giant jigsaw puzzle. This allows manufacturing teams to maximize raw material in reducing waste when cutting parts.”
Paragon Federal Credit Union – “Worked as a systems and network engineer. Mostly Novell and Windows with some mainframe. Token ring network with Novell 3.11 and Windows 3.1.”
Berlex Laboratories – “Worked as manager of the server group. Still focused on Windows administration and network engineering. Started to work on security-related projects and got bit by the security bug. Spent so much time trying to get on security projects that I decided to make a career out of it and change employers so I could do it full time.”
@stake – “Full immersion into information security. Started as senior security architect and worked on pen tests, vulnerability assessments, policy reviews, architecture reviews. Promoted to managing security architect and led engagement teams rather than acting as sole contributor. This allowed me to transition from a strictly IT focus to also include business relationship skills.”
Bloomberg – “Started as manager of the application security group and then took over the CSO role.”
Experian – “Hired as first global CISO. Replaced regional-defined structures and created global program.”
And, with this, Scharf was chosen by a panel of industry luminaries to win the CSO of the Year title at the 2012 SC Awards.
College days: A full understanding
Experian's global CISO Stephen Scharf, this year's SC Magazine CSO of the Year Award winner, majored in history and minored in English during his university days. The idea of becoming an information security professional was far from his thoughts. Instead, he says he became “intrigued by European events in the 20th century. Specifically, I focused on events post World War I, events leading up to and capped at the end of World War II.”
Before hitting college, Scharf had aspirations to become a lawyer. But, after spending some time in the offices of a judge and family friend, he found the profession less appealing. Having a “history buff” as a father had rooted his love for times gone by, anyway, and his mother's advice on choosing a major only supported the notion that such a pursuit was the right move.