Equifax wants to win your trust back. Here’s its plan.
Jaap Arriens/NurPhoto via Getty Images
Until last September, many people didn’t know what Equifax was, or why it had all their information. But after the credit-monitoring company announced its breach on September 7, 2017, with hackers stealing social security data on 147.7 million Americans, Equifax quickly became a household name in the worst possible way. The hack affected more than half of the American population, including Jamil Farshchi, who would become Equifax’s chief information security officer six months later. Farshchi has a history of rebuilding cybersecurity from rubble: he became Home Depot’s CISO after a hack exposed more than 50 million credit card accounts. He aims to do the same for Equifax.Since then, he’s laid out a three-year plan for Equifax to regain your trust, and made security every person’s job at the company.
CNET sat down with Farshchi at the Black Hat cybersecurity conference in Las Vegas on Thursday to discuss his plans, and the hardest part about trying to fix Equifax. Here’s an edited transcript. I know you were one of the victims affected by the Equifax breach. What was your reaction to it? Like anyone, you’re disappointed. For me, it was concerning because I just had my daughter, so at the time I wasn’t sure how it mapped out. My view is my data’s already been stolen, I have zero sense of any level of privacy, but I do care about my daughter. So I was worried about that. Fortunately, the timing didn’t work out, she was not a victim, so that’s great. Just like anyone, it impacts you and it’s something you obviously feel would never have occurred.Do you think that the other 147 million Americans had this ‘my data is already stolen’ reaction that you had? It’s hard for me to speculate on the population, but I’m sure it varies.
Equifax’s massive data breach just got worse
What was your reaction when Equifax reached out to you to fix its security problems? What compels me and motivates me is the challenge of the opportunity. One of my previous bosses gave me a great piece of advice one time. He said, “Jamil, never take a job, that when you take it, you’re not a little bit nervous about that goal. That you’re really stretching yourself and taking yourself to the next level.”When I was discussing the Equifax opportunity, that’s how I felt. This is a big challenge, I feel like it’s going to make a difference, if I’m successful, and it’s going to impact a lot of people. How do you expect anyone to trust Equifax again after a breach like this? Jamil Farshchi, Equifax’s new CISO, was also a victim of the company’s massive breach.
I think we’re putting our best foot forward in a variety of areas.From a culture perspective, they made my role report directly to the CEO, that’s a very meaningful change that very few organizations in the Fortune 100, 1000 or 2000 (don’t) even have. We have built-in incentives for shared faith and security throughout the entire organization. We have tied in to the annual bonus structure a specific security goal that if not reached, then it deducts the bonus for all bonus-eligible employees. We’re investing heavily, over $200 million this year, so we have the resources necessary to deliver. We have tremendous support from the entire executive leadership team. We have a new CTO who comes from IBM with an outstanding philosophy, which is, “technology, if done right, should eliminate the vast majority of security risks,” which I think most of my colleagues agree with. We build security from the get-go and you shouldn’t have to worry about it later on. We have a CEO who is infinitely focused and personally vested in ensuring that we protect all the data that is entrusted to us. All the pieces are in place, and if you truly build a world-class security organization — Yes, we learned a lot, yes we made a mistake, but if we turn this around and build one of the best organizations out there from a security standpoint, I think that warrants a level of building trust. You were also called in to fix Home Depot’s cybersecurity problems in 2015. With Equifax, are you running the same playbook? In broad strokes, it’s the same approach. Specifically though, because it’s a completely different type of business, where Home Depot is a B2C (business to consumer), we’re a B2B (business to business) here at Equifax. We’re more regulated than Home Depot was. There’s different dynamics within the organization, and I fundamentally believe that if you want to build a world-class security organization, it has to align with the business itself. In terms of risk treatment strategy, those change with a broad brush approach. From a talent, leadership, risk management, control frameworks systems like that. I’m using the same playbook that I used there. Because it helps us to accelerate and realize improvements in risk reduction in a much shorter fashion. We’re coming up on a full year since Equifax announced its breach last September. The response to the disclosure was very critical. Had you been CISO during that time, what would you have done differently? It’s hard for me to speculate on things. I’m not a huge fan of doing the Monday morning quarterbacking.Mark Zuckerberg said that Facebook would take about three years to fix. What’s Equifax’s timeline? We have a three-act plan that we’ve established. Year one is build, year two is mature, and year three is when we believe we’ll become leaders in the space. By 2020, we fundamentally believe that we will be in that position. Your plan to fix Equifax will take three years. How long will it be to fix its broken trust with the public? It’s hard for me to speculate on that one. My focus is on making us a world-class security organization, and we’re going to deliver on that promise. When you were CISO at Home Depot, and Time Warner, you had to build everything from the ground up. Was that the case at Equifax, too? This is one of the great things that I was pleasantly surprised by when I joined Equifax. There actually is a strong team there. We have a lot of meaningful technologies that are bleeding edge tech security capabilities and so-forth. One of the things that impressed me the most is that very few organizations detect the breach themselves. We didn’t when I was at Home Depot, it was a third party that told us about it. Equifax discovered it ourselves. We knew we were breached. And that’s a testament to the level of technical skill sets we have, coupled with the infrastructure as well. There has been a good foundation built on in certain key areas that’s allowed us to build our security up. What’s been the hardest thing for you to drill into Equifax’s security culture?I wouldn’t say there’s anything that hasn’t stuck. The thing about culture change is that it’s hard. It takes a while, it’s not like implementing a tool. Technology is pretty easy, it’s the people, the culture point that’s hard. There’s nothing that hasn’t been adopted or well-received, the key message I have is shared fate. If I talk to someone who’s not in security, and they go, “You’re talking about security, that’s your job,” if there’s not that sense of shared fate where they go, “OK, I own this as well, I’m also a part of this,” then ultimately we’re going to fail. My goal is to make sure that we drive that sense of “shared fate” across the entire company. What’s different when you’re running security post-breach and pre-breach? There’s a huge difference. The role of post-breach CISO is really a change leader. You’ve got to pull in all these pieces and parts, you’ve got to manage the culture aspects, you’ve got to manage the regulators, and all the different priorities that are ongoing, including the implementation and executions that you typically don’t have to.It’s a whole different set of skills you need than pre-breach. Pre-breach, what you’re doing is trying to sell security. You’re trying to have those risk dialogues, to communicate, “hey, we really do need more budget.” In a post-breach environment, everyone already knows. They know how important security is, because they’ve felt it, they’ve witnessed it first-hand. You have less of a salesmanship aspect, it’s about delivering and executing. Wouldn’t it make more sense if everyone just acted as if they were in a post-breach environment to be more proactive? Yes.
I was just in Australia a couple of weeks ago, and I spoke on exactly what you just said. There is a new paradigm of CISOs that embody a lot of these post-breach attributes. They have built-in deep relationships with the board of directors. They’re leveraging talent across their organizations.If you act like a post-breach CISO, if you do the things that have allowed Home Depot and will allow Equifax to get past this situation, I would argue that you probably will not have to deal with a breach at all. Those skill sets will keep you out of the doghouse.