When she stepped into the job of vice president of information security and privacy at Graham Holdings Company (then The Washington Post Company) in 2003, Stacey Halota had to carve out new territory because her position had never existed at the corporate level before.
After more than a decade leading the large and diverse holdings company through developing and implementing information security and privacy programs to address Sarbanes-Oxley, privacy laws and Payment Card Industry compliance, Halota is still guiding Graham Holdings through the murky waters of diversified media in the cyber age.
“When I first got here in 2003, we were just sailing into the Sarbanes-Oxley waters,” Halota says. “This is a very decentralized company with many different types of business units and we needed a consistent baseline for what our controls should be.”
Indeed, Graham Holdings – which sold its flagship Washington Post newspaper to Amazon founder Jeff Bezos last year – is comprised of a variety of business units that run the gamut from six local TV stations to a cable company to a bevy of news publications (including Slate, theRoot and Foreign Policy) and Kaplan, one of the world’s largest educational services providers. The media giant still operates all these businesses separately, which for Halota means maintaining oversight over widely varied technologies, information systems and privacy laws, while still managing to gain some consensus for her security programs across the corporation. “With so many different businesses and priorities, for information security to be successful, you have to understand what the business people want,” Halota says. “You need to interact with each business.”
And being in the high-profile media business means that Halota and her team need to be aware of the specific threats of cyber attack that face their businesses, such as the sophisticated attacks on The Washington Post that were reported early last year. “There’s a lot of conversation about advanced persistent threats,” says Halota, “but it’s important not to lose the basics of the program, to know where the critical information is located.”
To that end, she says, she concentrates on being “pragmatic, business-focused and risk-driven” in order to deliver a solid basic information security program across the diverse landscape of the business.
Yuvi Kochar, Graham Holdings’ chief technology officer and vice president of technology, says that Halota has shown a gift for collaborating with the various business units of the company, helping them evaluate their cyber security risk and create and manage their own information security programs. Admitting that people know they get attention when a media company is hacked, Kochar says that Halota has gotten personally engaged in these threats when needed and that the organization has made significant progress under her.
“She’s got a very balanced approach, focusing on things that mitigate risk and reduce exposure,” says Kochar. “She’s not just doing what everyone else is doing.”
Kochar adds that Halota has been well-received by executives in all the business units because “she’s found a way to develop relationships, not by holding back, but by acting as a resource for enhancing security rather than being a traffic cop handing out tickets.”