Stephen Scharf: Ensuring Trust
“Leadership is about making the team better than the sum of its parts. Leaders look for people who will bring out the best from others and make the whole team better. Great leaders are force multipliers,” shares Stephen Scharf, the leader at Experian entrusted with protecting the business’ brand and customer information from ever-changing and expanding threats.
“Security is a journey, not a destination. You are never finished,” he notes. “And being satisfied with a program now does not mean you will be satisfied with it tomorrow. The threats, attacks, types of attackers are always changing.”
Stephen is someone who understands and is comfortable with change. Graduating with a major in history and a minor in English, he entered the IT world, selling software. As he learned more supporting software platforms and operating systems, he switched to systems administration and network engineering. However, he consistently found securing information systems more compelling than managing them. He joined consultancy @stake as managing security architect, working at their global financial service clients. Stephen then transitioned to Bloomberg, where he was first hired to run the application security program and then took over as Global CSO about 12 months later.
“Combining physical and information security at Bloomberg allowed me to learn their business and deliver risk management, resilience, training and investigation services across the enterprise,” he says. “We focused on security strategies that holistically protected customers and employees.” His performance at Bloomberg was noticed and he was recruited to Experian.
“The Experian organization is very interesting, and I enjoy working in this environment. The company brings financial information, fraud detection and analytic tools and markets them through direct to consumer and business to business channels. We have many models that create unique risk profiles and keeps things fresh.”
Security also focuses internally on its 17,000 employees and works closely with HR to be proactive on workplace violence and global workforce protection. Security must also stay aware of insider threats, designing job descriptions and roles that purposely separate tasks and integrate PCI regulations.
“Everyone is very aware of the trust that has been placed upon us. Because we are an IT company, Enterprise Risk Management is a paramount issue, and we have no lack of support. I report information, security risks and challenges to the board quarterly. Experian is focused on investing the time and effort to create a robust, layered approach. We cannot afford to be 99-percent correct because that one percent still presents an unacceptable level of risk. Our holistic approach to risk and security enables us to be vigilant across all the threat profiles. No vector is taken for granted.”
Currently, cloud computing, mobile security and advanced persistent threats are getting significant attention. “The technology environment is constantly changing, requiring the reevaluation of our controls,” he says. “Our mission is to find creative ways for the business units to move forward while continuing to serve the needs of the consumers and businesses who rely on our data. We are not the department of ‘no.’ I remind the team that cars do not have brakes to go slower; they have brakes to go faster. Without brakes you would not be inclined to drive very fast.”
And that is where security’s value to the company’s mission and success becomes clear. “Security contributes by translating a complicated set of practices and merging them into a set of business strategies. How much risk we accept and how much risk we choose to mitigate is translated into business proposals and decisions.”
“I enjoy the creativity of those I work with and the dynamic nature of the challenges,” he notes. “Experian has highly skilled people, and I am always impressed with the way they find solutions. Support comes from the top down and the bottom up. Having executive champions has been critical in ensuring security is treated as a critical business driver.”
“Security is becoming both an acceptable and desirable profession. And as security, especially information security in the media gains coverage, it raises the career interest level. Earlier in my career Dave Cullinane, then CISO at eBay, invited me onto the ISSA Board. That was significant, and I have always remained active in the industry. There are numerous opportunities for networking and career development in security today.”
An amazing Security 500 Conference speaker, Stephen currently serves on the board of ASIS. He enjoys time with his family and every now and then, a friendly game of poker.
- Annual Revenue: $4.7 Billion
- Security Budget: Confidential
- Advanced Persistent Threats
- Cloud Computing
- Mobile Security
- Asset Protection/Loss Prevention (for Resale)
- Enterprise Resilience
- Global Security Operations Center
- Intellectual Property
- Physical/Asset Protection (Not for Resale)
- Workforce Protection