Experian’s Tom King tackles role of CISO from the ground up- Valutrics
Tom King, the chief information security officer at Experian’s U.S. headquarters in Costa Mesa, Calif., has previously held the role of CISO at Barclays, Barclays Capital, Lehman Brothers and Credit Suisse First Boston. He didn’t start his career in security, however. People are often surprised to learn that his undergraduate and graduate studies were in environmental sciences. What’s more, King spent most of his early career as a geologist in the petroleum and groundwater industries. “My first significant use of IT was to perform simulations of large-scale groundwater withdrawals using mainframe computers,” he said.
Geology is a complex, multi-disciplinary field, which helped King hone his ability to look at problems holistically and systemically. “Of course, we have to understand the technology, but our role of CISO is much broader than that now,” said King, who joined Experian Solutions Inc., a subsidiary of global financial information services provider Experian plc, in November 2015.
King was appointed CISO one month after the U.S. consumer credit bureau publicly disclosed a significant data breach. The breach exposed the personally identifiable information — Social Security numbers, dates of birth, license numbers — of roughly 15 million consumers who applied for financing at wireless carrier T-Mobile USA. Information Security magazine caught up with King to get his take on the role of CISO and the unique challenges of implementing information security strategy in high-risk environments.
You’ve held various CISO posts for 20 years, which must make you one of the most experienced CISOs anywhere. What have been the biggest changes in the role of CISO over that period, and how has the field changed?
Tom King: The biggest change has been the [expansion of] information security from a technical function focused on technical protections to an integral part of a holistic risk management framework. Along with this has come the recognition that protecting the firm’s information assets is everyone’s responsibility. It is not limited to just technology or information security teams.
The adoption of the three lines of defense model for risk management over the last several years has made it easier to communicate a framework in which all areas of an organization participate in information security. The framework helps clarify the role of information security and removes the ambiguity, which could contribute to blurred lines of accountability.
I think most people — not just people in our profession — now recognize that information security threats are a fact of life; they are not something that happens to some other industry or company. And that everyone has to be informed about what to look for and remain vigilant to protect the assets of a firm.
You’ve also dealt with enterprises that seem likely to be targets. What has helped you to succeed in these environments, and what types of things are you focusing on at Experian?
King: It is essential that you understand the true risk profile of an organization by anticipating the likely threats: what bad actors would be motivated to attack and what systems and vulnerabilities they may try to exploit. You need to continually address these questions in the development of an information security strategy and be nimble in the deployment of countermeasures when new risks are identified.
Shortly after [I joined] Experian, we initiated a very large awareness program that has had full management support. We have conducted town hall meetings on information security in 23 cities around the world, and the response to this has been tremendous. We have really seen a cultural shift. Our people feel a sense of pride knowing they are part of safeguarding our assets. Roles and responsibilities are very clear. Security is a top priority for Experian, and we’re committed to continuous investments in upgrading talent, processes and technologies needed to protect our systems.
Having spent so much time as a CISO, what advice could you give to those who have come to the position more recently or might aspire to the role of CISO? Are there credentials or skill sets that are critical?
Tom King
King: I don’t personally think credentials are essential if you can demonstrate capability through experience and success. I have worked with many very successful information security professionals who come from diverse academic backgrounds and have few if any certifications. That said, a new CISO must have a solid understanding of their business environment, the regulatory requirements [it] must abide by, the threat landscape in which [it] operates, a solid understanding of security practices and technologies and the ability to pull it all together into a cohesive strategy, which meets the business need. In addition, a successful CISO will need to be able to communicate this [strategy] to the entirety of the organization — not just senior management and not just technologists: everyone.
How does Experian work with other organizations to help ensure security and preserve data privacy?
King: Networking is an essential part of the job for almost everyone who works in information security. We routinely meet with our industry peers to discuss regulatory issues, best practices and pertinent technological developments. Similarly, during incidents, like zero-day announcements, it is very useful to gain insights from others on threat intel and detection methods. There is understandably solidarity in our industry — we all benefit from a unified front.
What are you most worried about or most focused on these days?
King: We all talk about how the pace of technological change is straining our ability to protect a changing business, while at the same time attackers are becoming increasingly sophisticated. These two factors make it difficult to match a security strategy with a rapidly changing business. However, at the same time, we have rapidly evolving technologies [that] we can use to gain insight into threats and provide a better security program. The challenge is building an information security program, which is sufficiently dynamic, to take advantage of these changes. That is one of the challenges that make this field so interesting.