Fresh off a financial settlement over its 2017 data breach that affected roughly half the U.S. population, Equifax is forging ahead with a $1 billion-plus investment in a new security plan — and CISO Jamil Farshchi was eager to tout the credit reporting agency’s progress so far in a session this week at the RSA Conference in San Francisco.
Farshchi, who was hired as CISO in February 2018 after previously helping Home Depot clean up its security practices following its own breach, said that moving forward, the company is focusing on three key pillars: assurance in its data and controls; automation; and security awareness among senior leadership as well as lower-level employees, who will be scored on their security practices.
Farshchi asserted that Equifax has already succeeded in improving its corporate culture, controls and compliance, while also partnering with customers and industry organizations to share lessons learned. Indeed, he was particularly effusive about the company’s openness about its recovery efforts so far.
“[I]t is extraordinarily rare for an organization to be transparent about what they’re doing and the initiatives that are underway to be able to transform after that breach,” said Farshchi. “Most organizations, you put your head down, you grind it out and that’s that. The problem with that approach, in my opinion, is that it doesn’t afford the opportunity for everyone else to learn from the things that you’ve gleaned through that crisis event.”
Since the breach, the company has hired more than 1,000 employees in IT and cybersecurity, despite a shortage of talent in this field. The company also had to regain its compliance certifications after losing them as a result of the incident.
“[I]t is infinitely more difficult to be able to regain a certification once you’ve lost it than it is to get it in the first place and certainly to renew it on an annual basis. So we went through a huge effort to do that,” noted Farshchi, who had undergone the experience previously with Home Depot.
Farshchi spent a bulk of his presentation further detailing plans and objectives for improving assurance, automation and awareness.
The assurance component involves maintaining focus on basic fundamentals and regularly testing data controls and the entire security stack to make sure the company is not making false assumptions about its security profile. In essence, Farshchi wants multiple data points that offer a multi-layered view of the network environment, rather than relying on a single source of truth that might be unreliable.
Farshchi cited the company’s migration to the cloud using the Google Cloud Platform, noting the company has instituted assurance on top of its controls there. “So as of today, we can measure around 120 of our controls in that space — and the beauty of it is, unlike an on-prem environment, everything is standardized, so I can know real time, all the time, the effectiveness of every single one of those controls across the entire estate, which is really, really powerful…”
Meanwhile, Equifax’s effort to increase automation — in areas such as risk-scoring and remediation of network weaknesses, for example — is intended to streamline activities and get controls in place faster by relieving IT employees of burdensome, time-consuming manual processes. Farshchi asserted that the company is not trying to displace employees or downsize, but rather optimally leverage its employees.
Finally, to improve awareness, Farshchi’s team is instituting measures to better communicate with Equifax’s board of directors and the general workforce.
For the former, the team has developed a framework designed to plainly communicate current security goals and posture to senior leadership. The framework includes a control map that details what controls the company has already implemented, as well as the predominant threat vectors Equifax must watch out for. This allows the directors to see where the company is best protected, where risk still exists and how the security team intends to reduce that risk. Equifax plans to open source this framework for other organizations to use.
To address the general workforce, the company is instituting a system to score employees on their security practices, much like it rates consumers’ credit scores. For example, if employees click through on a simulated phishing email, that will adversely affect the scorecards they receive on a monthly basis, and hopefully influence more responsible behavior in the future.
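The scorecard idea can be made concrete with a small worked example. The code below is an added illustration, not Equifax's system or any code Farshchi described: it takes a constructed log of phishing-simulation events and computes a monthly per-employee score. The article only says that clicking a simulated phish lowers the score; the baseline of 700, the penalty and credit weights, the credit for reporting a simulated phish, and the 300–850 range (borrowed from consumer-credit scales) are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events: (employee id, month, event type).
# These are invented records for the example, not real data.
SAMPLE_EVENTS = [
    ("e001", "2020-02", "phish_sim_sent"),
    ("e001", "2020-02", "phish_sim_clicked"),
    ("e001", "2020-02", "phish_sim_sent"),
    ("e001", "2020-02", "phish_sim_reported"),
    ("e002", "2020-02", "phish_sim_sent"),
    ("e002", "2020-02", "phish_sim_reported"),
    ("e002", "2020-02", "phish_sim_sent"),
    ("e002", "2020-02", "phish_sim_reported"),
    ("e003", "2020-02", "phish_sim_sent"),
    ("e003", "2020-02", "phish_sim_clicked"),
    ("e003", "2020-02", "phish_sim_sent"),
    ("e003", "2020-02", "phish_sim_clicked"),
    ("e003", "2020-01", "phish_sim_clicked"),   # different month, ignored below
]

# Assumed scoring parameters (not from the article): every employee starts
# the month at BASELINE; clicks subtract, reports add; the result is clamped
# to a credit-score-like range.
BASELINE = 700
WEIGHTS = {"phish_sim_clicked": -60, "phish_sim_reported": 15}
FLOOR, CEILING = 300, 850


def monthly_scores(events, month, roster):
    """Return {employee: score} for one month, including employees with no events."""
    tallies = defaultdict(lambda: defaultdict(int))
    for emp, m, kind in events:
        if m == month:
            tallies[emp][kind] += 1

    scores = {}
    for emp in roster:
        counts = tallies.get(emp, {})
        raw = BASELINE + sum(WEIGHTS.get(kind, 0) * n for kind, n in counts.items())
        scores[emp] = max(FLOOR, min(CEILING, raw))
    return scores


def click_rate(events, month, emp):
    """Fraction of simulated phishes sent to emp in the month that were clicked."""
    sent = sum(1 for e, m, k in events if e == emp and m == month and k == "phish_sim_sent")
    clicked = sum(1 for e, m, k in events if e == emp and m == month and k == "phish_sim_clicked")
    return clicked / sent if sent else 0.0


if __name__ == "__main__":
    roster = ["e001", "e002", "e003", "e004"]
    for emp, score in monthly_scores(SAMPLE_EVENTS, "2020-02", roster).items():
        print(f"{emp}: score={score} click_rate={click_rate(SAMPLE_EVENTS, '2020-02', emp):.0%}")
```

Keeping the raw event log separate from the weights means the scoring policy can be tuned (or audited) without touching the data pipeline, and the per-employee click rate gives the security team a second data point alongside the single composite number.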
“We’re doing this because our DNA in Equifax is obviously credit scoring and so we know how to do analytics… on this and we’re just applying that same skill set to this problem,” said Farshchi.