
Network World


Don't let compliance drive security, Spinelli says

By Cara Garretson, Network World, 04/30/2007

Although it's not in his title, compliance is a big part of Tony Spinelli's job as senior vice president of information security for Equifax.

But instead of following myriad federal and industry compliance regulations designed to make a company secure, Spinelli has found success by turning the idea on its head.

"Be secure, and you'll be compliant," he says.

That's not to say Spinelli and his team ignore regulations; as a public company, a financial institution and a multinational, the credit bureau lives and breathes more regulations than most companies have ever even heard of. But dealing with these complex, often vague rules in a reactive rather than strategic way is a mistake, he says.

"Most companies and [their] security leaders are getting lost because of [having to be] compliant -- regulations saying you have to do X or Y," he says. "A lot of people are letting compliance drive security, and that's as wrong as you can get."

Spinelli's approach of evaluating risk and then setting security standards across the company has offered Equifax the benefit of establishing and maintaining compliance at the same time, instead of as an afterthought.

"You have to become secure to be compliant; otherwise, you respond and react and reinvest without leverage," he says.

