In this era of lost backup tapes and stolen laptops, it's hard to imagine a company that would suffer more from a highly publicized data theft than Equifax.

As one of the three big credit-reporting agencies in the country, Equifax keeps personal and financial data on 300 million consumers. What's more, the 107-year-old, $1.55 billion company based in Atlanta has forged business relationships with hundreds of organizations inquiring about these consumers.

A large-scale data breach would threaten Equifax's reputation not only as a provider, but also a protector, of data. But, like so many established corporations that have had to retrofit security onto an existing IT infrastructure and business processes, Equifax's security plan had become a patchwork quilt.

"Historically, security [at Equifax] was very departmental. You'll have one department that does compliance and has some security people, some [employees] doing access control, some other folks managing firewalls," says Tony Spinelli, senior vice president of information security.

With 4,600 employees working in 14 countries, each business unit and geography dealt with the rising tide of security concerns and compliance requirements by implementing technology and policies based on that group's specific needs. "We had a strong security program in pockets, but with the new and emerging risks" the company knew that wasn't enough, he says.

Click to see: Tony Spinelli, senior VP, information security

Considering that an interconnected, global organization's security is only as good as its weakest link, this departmental approach is not recommended by experts. "It's the kind of thing that should be centralized," says Rich Mogull, an analyst at Gartner.