The Washington Post Co.’s Stacey Halota blends technical savvy with business acumen, Illena Armstrong reports.
Stacey Halota has a lot of champions supporting her often complex and sometimes confounding cause.
This might be because she travels hither and yon to get her security and privacy messages across to various departments and business leaders at The Washington Post Co. (TWPC) – a highly decentralized, global organization. It could be because, given her wide breadth of professional experiences, she’s partial to trumpeting the business need for security just as much as she enjoys mixing it up with her fellow tech heads in the trenches. Or it may well be that she’s simply “the right person with the right skill set to tackle this,” as one former boss puts it.
“She’s just so effective at getting business units to understand and quantify the risks so they can understand why it’s so important for them to follow her recommendations,” says John “Jay” Morse Jr., the now retired CFO with TWPC.
Formerly the CSO of TWPC and now the company’s vice president of information security and privacy, Halota was the right pick to receive SC Magazine‘s CSO of the Year Award for 2009, say her many supporters.
“I tell you, you’ve got a real winner here,” says Morse. “And I’m really proud of her.”
Responsible for hiring her to TWPC some six years ago, he says it was “the smartest thing I ever did.”
At the time, the multi-billion media and education company was in the somewhat torturous throes of Sarbanes-Oxley compliance and in need of help with the security- and auditing-related issues surrounding it. Halota was the clear choice to fill their newly created CSO post at the time, given her background with technology in both the private and government sectors and her knowledge of the audit process because of her work at consulting firm PricewaterhouseCooper.
Once the foundation was laid for continuous Sarbanes-Oxley compliance, Halota’s function quickly evolved, taking on other aspects of information security, such as privacy issues, and helping the global media organization strengthen its protections of critical data.
According to Morse, this was no easy task since TWPC’s infrastructure was not standardized and each business unit had its own technical group. Halota came in and gave very complex problems understandable and easily doable answers, he says. And this was done during a time when many security practitioners generally were not very well-received in organizations and there was not a tremendous amount of trust given to them, he says. But Halota’s patience and drive helped, along with the hiring of great minds within the various business units to aid her in her many corporate security-related goals.
“She was always up front and she’s excellent at anticipating,” says Morse. “We ended up being proactive quicker than other companies.” And, he adds, following her recommendations the company spent a lot less money than it expected to when standardizing and securing its networks.
“She made things that are pretty complex for most companies pretty routine for ours,” he says.
Eddie Schwartz, CSO of network security monitoring company NetWitness, says that’s always been one of her greatest attributes. She has many, but it’s the blending of business acumen and technical know-how that has served her so well over the years.
“She started out in a very technical realm and then she transcended that,” says Schwartz. “She just has that balance in her head – both creative and technical. It’s unusual to find someone who does both well.”
Schwartz recalls meeting Halota back in 1993 during a TCP/IP class. While he was gunning to seize the label as the “smartest one in the class,” he says Halota easily beat him to it. After doing some work together for Virginia-based Computer Sciences Corporation, which involved some contract work for a couple of government agencies, Schwartz became the technical director for an information security lab at the U.S. Department of State. He says it was an easy choice for him to appoint Halota in 1995 as his lab director there, given her ability to manage people and easily connect security functions to the value of business assets.
But their work together didn’t end there. Their respective professional careers saw them running into one another again. While Schwartz was CISO at Nationwide Insurance, he hired PwC to help set up the nascent security for his company’s Microsoft server farm. Halota was a top player in PwC’s Microsoft Security Practice at the time so ended up leading the Nationwide Insurance project. Then, when Schwartz moved on to managed security services provider Guardent, which is now part of VeriSign, he hired Halota as his director for his D.C.-based field office. It wasn’t too long after this stint that Halota landed her job at TWPC.
In most of her roles, he says the main thing that she brought to the table was to ensure that the security program achieved advocacy from the top down. In his experience, many CSOs/CISOs often get hung up on “turf” and other areas of the job that really are irrelevant. Halota’s focus on executive-level awareness and visibility across business units is critical to making information security permeate all areas of an organization. Getting buy-in from lead executives and the business units is critical, as is protecting a corporation’s revenue-generating streams and maintaining its overall data privacy practices. Halota continues to maintain strong credibility with the technical community, both within TWPC and the information security industry generally. Focusing on all these areas enabled her to gain traction and become a trusted member of the executive staff throughout her career.
“That unique combination allowed Stacey to be successful,” says Schwartz.
She and other leading pros, who started out when security was just really beginning to emerge as a discipline, often have held a variety of jobs, both in the government and private sectors, have an incredible wealth of experiences, and have developed a wide breadth of knowledge.
“I can’t think of anyone who’s had such a positive trajectory,” he says. “People like Stacey are just hitting their strides now.”
Voting her the CSO of the Year for the 2009 SC Awards U.S., the panel of judges apparently couldn’t agree more. To further honor her achievements as senior director, information security & privacy at TWPC, we sat down with Halota to find out more about this past year’s accomplishments and what goals she has set for herself and the company for the next year.
Illena Armstrong: Can you highlight the positions and organizations that helped you prepare for your stint for The Washington Post Co.?
Stacey Halota: I have been involved in information technology, security and/or privacy for the past 22 years. My first focus was in pure information technology and I think that gave me a valuable foundation for working in information security. I have been a network administrator, database administrator and application developer, and I can’t tell you how useful it is to know how these technologies function when it comes to securing them. In my early career, I was Novell and Microsoft certified. In the mid-90s, I moved away from hands-on IT and shifted my focus entirely to information security. Later on, I added privacy.
I’m very fortunate to have been able to work in diverse environments throughout my career. I started in a small IT company and, from there, transitioned to a consultant for the Bureau of Diplomatic Security of the U.S. Department of State. Following my State Department position, I worked for PricewaterhouseCoopers, then Guardent [now part of VeriSign] before joining The Washington Post Co. (TWPC) in 2003. Having worked around the world at U.S. embassies and consulates, for government agencies and for multi-billion dollar companies, I have gotten to see information security and privacy challenges from many different perspectives. I have also had a lot of varied experience in different industries, like financial services and health care. These experiences really helped me when I started at TWPC because our company is so diverse.
I currently maintain my CISSP, CISA and Certified Information Privacy Professional (CIPP) certifications. I highly recommend CSOs get the CIPP, even if your job description does not include privacy, because so much data protection goes hand-in-hand with privacy initiatives.
Q: Any mentors who really helped you over the years to get to this point of understanding about information security?
A: I have been incredibly lucky to have had many mentors over the course of my career who have helped me, not only with information security, but with other important things like leadership and mentoring others. Three in particular really embodied the best of what a mentor does – getting you out of your comfort zone so you can go to another level in your career. The first was Eddie Schwartz, who convinced me to leave the small company where I had been for many years, to focus entirely on information security. The second was Paul Connelly, the partner that I worked for at PricewaterhouseCoopers, who showed me how to be a mentor to others and how to create teams that work effectively together. The third was John “Jay” Morse, my boss who just retired from TWPC, who created my position and really guided me in dealing with a company that is as decentralized as TWPC. He effectively consolidated several years’ worth of learning about how this company works into a few months so that I could hit the ground running.
Q: What have been your major achievements in the last year of which you’re most proud (and likely helped you receive this recognition)?
A: I had several multi-year initiatives that came together last year. One was the full implementation of our Archer tool, where we track compliance and information security initiatives. Archer lets me see at a glance what controls we have implemented and how they map to compliance – for example, which controls meet both SOX and the Payment Card Industry standard.
Another initiative was a group of projects aimed at reducing the volume of sensitive information that we store. We completed the installation of a suite of technologies to enhance its protection, including Mazu’s [now Riverbed] network behavioral anomaly detection tool. We also began the installation of Symantec’s Vontu product and contracted with Veracode to perform continuous company-wide web application testing. These products were layered on to the existing controls that we had implemented in prior years, allowing many years of hard work to come together.
Q: Who in your organization helped with these achievements?
A: Stephen Davis, my counterpart at Kaplan [one of the world’s largest providers of educational services], played a huge role. Kaplan is our largest division and it often provides me with a test bed for new products. I am extremely grateful for its large commitment of time and resources. Others who were critical were my colleagues at our other divisions in both business and technology who helped execute our corporate information security and privacy strategies.
Q: Do you get enough support from your colleagues and bosses?
A: Absolutely. I could not work for a better company than this one. From our CEO down, I get a tremendous amount of support. Don Graham [CEO and chairman of the board] sets the incredible “tone at the top” of integrity and doing the best we can for our employees and customers. My colleagues at all of the business divisions are just terrific.
Q: What steps do you find integral in getting and maintaining such support?
A: I have worked over the past five years at TWPC to build relationships throughout the company. We usually have one or two cross-company events per year that facilitate this, and I travel regularly to our different business divisions.
Regular and timely communication is one of my biggest priorities. No one likes to be surprised by a last minute project for which they need to allocate time and money. I try to be very mindful of getting my plans out to the divisions so that they can budget for both appropriately.
Q: When you’re undertaking various projects, do you have to work with managers of various business units?
A: I think that one of the most important things that a CSO can do is understand business needs. I work with different departments at each company, including IT, HR, legal and finance. Many of my projects span most or all of these departments.
Q: Is there an ideal hierarchical structure when it comes to ensuring IT security is being addressed adequately in a corporate environment?
A: I report to Hal Jones, our CFO, with a dotted line to the audit committee and Veronica Dillon, our general counsel. In my consulting roles prior to joining TWPC, I often gave advice on where the information security function should reside. I have found that it is not so much who the information security person reports to (CIO, CEO, CFO, etc.) but how far down they are in the hierarchy. I often found issues with companies who had the information security function reporting from several layers down in the IT department because they did not have the influence that they needed to get things accomplished.
Q: In regard to compliance demands, what are your priorities and how do you adhere to such regulations?
A: TWPC is not only decentralized and global, it is very diverse. We deal with information security and privacy compliance demands that are industry specific (for example, the cable industry and higher education), international data privacy law, myriad state-based laws and many others. My priority is addressing these issues holistically through a sound information protection program and avoiding duplication of effort.
Q: How do you avoid duplicating efforts to address the number of mandates to which you must answer?
A: Our Archer tool has been instrumental in this. I have several dashboards and reports that I use to show which controls map to which regulations.
Compliance issues have prompted corporate leaders to understand more about security. However, there may be some thought that compliance with certain mandates actually means critical data is secure. As recent incidents like Heartland illustrate, that’s not the case. How do you make sure those corporate leaders who are supporting you and are responsible for allocating resources understand this so that you get the required support and budget you need for your projects (which ultimately are part and parcel of business activities)?
I have always tried to make a clear distinction between compliance and security. My goal is to focus on information security and privacy while making sure that our compliance bases are covered. For example, several years ago when we first began rolling out our network behavioral anomaly detection tool, it was purely an information security-based initiative – nothing in our compliance realm called for it. However, I noticed that in a recent article in SC Magazine, an executive at Heartland was quoted as saying that from a technology standpoint, the company now plans to deploy a new solution to identify network anomalies in real time. So, they may have been compliant, however, they were lacking an essential piece of information security technology that showed they were losing information. To me, this is one of the best examples that I have seen lately highlighting being compliant versus being secure. This is an ongoing challenge for all of us.
Q: What are some of the major challenges you believe you and your counterparts at other companies/government entities face in the next year?
A: Threats are constantly evolving. One of my challenges has been trying to put policies, procedures and technology in place so that I can try to keep a step ahead of them. That is why I am such a big advocate of anomaly detection, which we use in several different products for our networks and databases. In analyzing new threats, sometimes you just don’t know what you don’t know. However, anomaly detection can assist with spotting something unusual that might turn out to be problematic. Our challenge with these tools, however, is using them to the fullest of their capabilities. They evolve and become more powerful every year.
Q: What’s your best advice to others when it comes to building a strong security program?
A: I think it is good to start with a standard like the ISO 27001. I chose this for TWPC because we are global and I think it is one of the best standards out there. Obviously, you have to get more granular to deal with specific technologies; however, I believe the ISO 27001 is a strong foundation that you can build on.
Then, of course you need a great team to help with the implementation. Keep in mind that your team is not just information security people. You need to leverage other departments as well, especially information technology. Also, never forget to focus on risk to finetune your data protection efforts. This is particularly critical in times like these when resources are being stretched to the limit and budgets scrutinized.
Q: What is on your agenda for the coming year?
A: In addition to my projects that continue from year to year, such as compliance initiatives (my team tests all information technology controls for SOX and monitors our other compliance initiatives, like PCI), one of my big priorities is making sure that we are maximizing the use of our existing information security technology. I always want to be mindful of the investments that we have made, and to that end I am arranging a series of training classes to make sure that we are up to speed on the latest features of our technology.
Q: Any forward-thinking plans that you’d like to highlight in the way of security implementations?
A: I am doing a lot of research surrounding enterprise rights management, which would be a multi-year implementation project. Right now, we have a combination of policies and technologies in place to govern data classification. However, I would like to simplify our environment if possible.
Q: What are the threats/newer applications that you think you and others in your position must address this year?
A: It is amazing to me when I think that my BlackBerry has more computing power, connectivity and data storage capability than my first home computer. While they are not new, mobile devices, the incredible storage capabilities of USB devices, the changing definition of what a network perimeter is, and the blurring of the lines between work and home applications (Facebook, other social networking sites and blogs to name a few), really challenge a CSO in protecting information appropriately while not hampering business unnecessarily – and they are constantly evolving. As an education and media company, it is our business to communicate, and while I don’t see technology getting less powerful or sophisticated, it’s my job to keep up with it and make it as safe as possible.
Q: Any advice on how to tackle these?
A: I am looking at things like enterprise rights management so that I can reduce the number of point solutions that we have and simplify our approach to data protection. My goal is to enforce as many of our policies with technology that I can and take out the human error factor. I am also making sure that we leverage the capabilities of our existing technology, for example, BlackBerry encryption.
STACEY HALOTA: Beyond the job
Stacey Halota doesn’t only ensure communications are open and flowing between her security staff and the rest of the employees at The Washington Post Co.. She also does volunteer work for a nonprofit group called that Mustard Seed Project, which seeks out sponsors and donations to aid orphans in East and Central Africa.
“I am actually heading back to Rwanda for the third time this August,” she says.
All told, she’s been doing this volunteer work for the past four years. A U.S. corporation formed in 1993, the Mustard Seed Project supports the ministries of John Rucyahana, the Bishop of Rwanda. She specifically focuses on the needs of children in Rwanda.
“One of the ministries that I have been particularly involved in is the Sonrise School, which was started after the 1994 genocide to support children who had been orphaned. I help get sponsors for children, and I personally sponsor 18 children,” she says.
It is because of her commitment to these children that she adds, only half jokingly, that one of her “biggest challenges is figuring out how I am going to put 18 children through college! The first graduates in 2010.”
She next will lead a mission trip for her church – the main reason behind her third visit to Rwanda this summer. “A lot of the trip is focused on spending time at Sonrise with the children,” she explains.
Halota notes she’s always looking for sponsors. If you find you’re interested in learning more, you can visit the nonprofit group’s website at www.mustardseedproject.org.
DIVERSE PORTFOLIO: Washington Post Co.
The principal operations of The Washington Post Co., headquartered in Washington, D.C., include educational services, newspaper and magazine print and online publishing, television broadcasting and cable television systems. It employs 19,000 people and earned an annual revenue of $4.2 billion in 2007.
Its largest division is Kaplan, a global provider of educational services, with $2.3 billion in revenue in 2008 and operations in more than 30 countries.
The company also owns Cable ONE; Washington Post Media (The Washington Post, washingtonpost.com, Express and El Tiempo Latino); Post-Newsweek Stations (Detroit, Houston, Miami, Orlando, San Antonio and Jacksonville); The Slate Group (Slate, TheRoot.com, TheBigMoney.com and Foreign Policy); The Gazette and Southern Maryland Newspapers; The Herald (Everett, Wash.); Newsweek magazine (Newsweek.com) and Budget Travel (BudgetTravel.com); and CourseAdvisor, an online lead generation provider.