Leap of Faith
Bloomberg chief makes unusual leap from sales to security
Name: Stephen Scharf
Title: Head of security at Bloomberg
Key career move: Volunteering with ISSA
Stephen Scharf's path to becoming head of information security at Bloomberg had a rather unlikely start: sales.
Fresh out of college with a degree in history, he got a job selling CAD/CAM-based nesting software to manufacturers of helicopters, tractors and other heavy equipment. The software helped engineers figure out the optimal parts positioning on sheet metal to cut down on material waste. He loved going out on the manufacturing floor filled with big machinery--"every kid's dream," Scharf says.
But he was more interested in the products than in selling them. So he shifted his focus to technical support and set his sights on a career in IT. He worked as a systems administrator and network engineer. Eventually, as security-related projects filled more and more of his time, he found his true calling.
Scharf transitioned to security consulting firm @stake (acquired in 2004 by Symantec), where he performed both IT security and physical security assessments, mostly for financial services firms. He also expanded his knowledge of industry trends by volunteering for the Information Systems Security Association (ISSA).
After four years of consulting work, he joined Bloomberg, a major outlet for financial data, news and analysis. Like everyone who works for the company, Scharf doesn't have an official title; he heads up both physical and IT security.
His varied background of sales, support, engineering and consulting gives him the skills necessary for the job, which requires him to wear many hats, Scharf says. Having IT experience coupled with an understanding of business helps him take a measured approach, weighing risks with the cost of their remediation.
"We spend a lot of time and effort securing our environment, and you have to be able to translate that into the associated costs and benefits [from a business sense]," he says.
Keep in mind, too, that the definition of what's good often changes. Technical skills, in fact, may regain importance.
Alan Paller, director of research for the SANS Institute, says that people who have been writing security policies and audit reports aren't directly making their companies more secure, and the state of security is much worse than what managers have led people to believe.
"I can see just over the horizon a shift toward equally valuing the rarer skill of securing systems to the common skill of writing about and managing security," Paller says. "This means that the CISO has to focus more on the technology side of the job. Most CISOs have known this secretly and are intellectually prepared for it. It's a challenging shift because the professionals are being measured not on whether they wrote a report, but whether they've made a system secure. This forces more of a partnership between security and operations, as opposed to them having a 'gotcha' relationship."
Paller says that enterprises have been relying for too long on process-based metrics--such as whether a policy is written, disaster recovery plans are in place or in-house security awareness training is conducted.
Now, some businesses are moving to attack-based metrics that gauge the performance of people and systems against particular vectors like DoS attacks, Trojans, rootkits and spyware.
"As soon as you change the metrics, which is happening now, you value the people who get scores up more than those who write reports," Paller says.
He stresses that his theory doesn't devalue the skills of a security manager; it just elevates the worth of those with technical chops. With audits happening more frequently--in many instances, quarterly instead of annually--organizations are placing more emphasis on secure systems and processes.
"Assuming the value you're paying for management skills is fair, you're going to pay close to the same money for those who can meet demand," Paller says. "It isn't only about management." Paller concedes that this shift may take a couple of years.
In the meantime, many enterprises will pattern their security offices around risk management, the very skill that Continental's Gold was searching for. "What's hard to test is aptitude. I wanted someone who could think outside traditional security parameters," he says.
This was first published in July 2006