Tony Spinelli, senior vice president of information security for Equifax, says: "Be secure, and you'll be compliant."
But instead of treating the myriad federal and industry compliance regulations, all designed to make a company secure, as the starting point for his program, Spinelli has found success by turning the idea on its head.
"Be secure, and you'll be compliant," he says.
That's not to say Spinelli and his team ignore regulations; as a public company, a financial institution and a multinational, the credit bureau lives and breathes more regulations than most companies have ever even heard of. But dealing with these complex, often vague rules in a reactive rather than strategic way is a mistake, he says.
"Most companies and [their] security leaders are getting lost because of [having to be] compliant -- regulations saying you have to do X or Y," he says. "A lot of people are letting compliance drive security, and that's as wrong as you can get."
Spinelli's approach of evaluating risk and then setting security standards across the company has offered Equifax the benefit of establishing and maintaining compliance at the same time, instead of as an afterthought.
"You have to become secure to be compliant; otherwise, you respond and react and reinvest without leverage," he says.