Setting security strategy for a global operation can require a comprehensive approach that includes alignment with business priorities—especially when the organization’s mission is to support the smooth operation of global financial markets.
One step removed from the securities trades that pulse through the global financial systems 24/7 is an infrastructure that facilitates backend clearing and processing—and ideally also provides risk mitigation, transparency, and efficiency to the marketplace. One company providing such services for a large swath of global transactions is the Depository Trust & Clearing Corporation (DTCC), which operates in 15 countries and last year processed securities transactions valued at $2.15 quadrillion.
While DTCC focuses on the safe and efficient processing of global transactions, Stephen Scharf, the company’s chief security officer (CSO), focuses on centralizing and aligning global information security, business continuity, physical security, employee safety, and crisis/incident management. Scharf says his aim is to develop and execute a holistic approach to both risk management and resilience across the organization.
In a conversation with Nitish Idnani, a principal with Deloitte Risk & Financial Advisory of Deloitte & Touche LLP, Scharf shares his insights on several critical issues, including thoughts on the potential tension between efficiency and resilience, his work with the Sheltered Harbor initiative, and the organization’s response to the COVID-19 crisis, among other topics.
Idnani: As DTCC’s CSO, what are your strategic objectives and how does resilience factor into those strategies—is it an objective, an enabler, or something else?
Scharf: It’s really a combination of all three. Our high-level security objectives are aligned to our business priorities and mapped to the firm’s broader goals. Resilience is critical to our security strategy because of the important role we play in protecting market stability globally and our designation in the U.S. as a Systemically Important Financial Market Utility (SIFMU). But resilience is less an objective than something that is embedded in every initiative we pursue. We don’t want to create security and resilience silos that are separate from DTCC’s business priorities. For example, when we consider new business initiatives that could introduce cybersecurity risk, we identify the potential issues early in the development process and tailor our security efforts to directly address those threats.
The full interview continues in the Wall St. Journal.