When Jamil Farshchi takes the stage this morning at InfoSec World 2020 to deliver the keynote “Leaders Needed: Preventing the Next Big Breach,” no one would doubt the Equifax CISO knows from whence he speaks. After all, he joined the credit monitoring company after a devastating breach reported in 2017 exposed information on tens of millions of customers, called into question the credit reporting company’s security practices, tarnished its reputation, ignited Congressional probes and resulted in the retirement of its CEO. Since moving to Equifax from Home Depot in 2018, Farshchi has spoken candidly with SC Media about the company’s efforts to learn from the breach and become a leader in security.
SC Media: Equifax was the target of a heap of criticism – and a good bit of anger – after the breach. What was behind the calculation to speak openly about the incident rather than let it fade away as subsequent incidents grabbed the headlines?
Jamil Farshchi: Most companies when a breach occurs say “oh, crap,” and keep their heads down. From the very beginning we wanted to be an example and help others learn and grow from what happened to us. It’s part and parcel of our strategy to be transparent.
SC: Transparency can be an elusive goal and seemingly run counter to security’s mission to protect an organization’s assets, much of which is done behind the scenes. How did you effect transparency in the company?
JF: Being a security guy, we’re paranoid. We did calls with people [employees, partners, etc.] with project updates. We said here’s the problem we’re having to get our arms around. We’re going into great detail about our work. As difficult as it was, in the end it helped us all to improve together. And it gave us insight into what others went through. We got a lot out of it.
SC: What went wrong at Equifax?
JF: Fundamentally, the problem is culture. There’s a broader challenge in the industry to take more risk and not the right level of investment. You can have the best security team in the country and a bad culture, [leading to disaster]. A mediocre security team with a good culture is going to fare better. I report directly to the CEO and that’s rare. Everyone takes responsibility.
SC: What’s a lesson learned from this journey?
JF: The difference between life and death, success and failure is based on foundational controls, not managing insider threat tools, not doing patches. You have to focus on risk rather than standards compliance. You’ve got to build in a culture of risk. You have to get risk to a threshold acceptable to the business. I want multiple data sets across the organization, not fully relying on one source. We’ve got to have assurance controls work or know that they don’t. The clarity of the data allows us to make better decisions to manage it.
SC: What matters most to security?
JF: Being able to drive the right behaviors throughout the organization with the right level of support. The focus should be on broader-based behavior. That ultimately percolates into the culture as a whole.
SC: Where does Equifax go from here?
JF: Any organization can be breached and security never ends. We’re coming to the end of our security transformation plan and we’ve made tremendous progress, but it doesn’t end here. We have the drive and initiative to go forward. We’re not looking for one product or innovation. Most organizations build employee awareness as a checkbox. We’ve built it in and provide immediate feedback so employees can see how their behavior negatively impacts something. But we’re not using it as a stick. We also don’t need to go for a moonshot or just throw education at them. If it’s contextualized they can truly learn by the experience itself. Positive exposure is what [causes] behavior to improve. Cultural behavior is the most difficult to change, but change will come as long as you show incremental improvement.