Equifax CISO Jamil Farshchi’s three-act, ‘shared fate’ security plan
Even in normal times, credit reporting agencies are never among the world’s most admired companies. So it’s easy to see why Equifax’s brand reputation has suffered immensely thanks to the massive breach that saw information on 148 million people taken from the company and two former employees charged with insider trading.
New Equifax CISO Jamil Farshchi is working to overcome the “visceral” reaction he’s witnessed post-breach. A veteran of massive rehabilitation efforts via his time spent as CISO at Home Depot, Farshchi is embarking on a plan to move Atlanta-based Equifax beyond its security lapses to a position where the company is actually seen as a security leader.
In an exclusive interview with CyberScoop, Farshchi describes his “three-act plan” to secure Equifax, which includes having the entire company understand that cybersecurity doesn’t fall to the IT division.
“Security isn’t just security’s job,” he said. “Everyone needs to feel it through and through or we won’t be successful otherwise.”
Farshchi also touched upon how the cybersecurity conversation has changed in the C-suite, how he has leaned on other Atlanta-based experts for help and whether the company has figured out who carried out the massive hack last year.
This interview has been edited for length and clarity.
CyberScoop: What’s the one big concept that you have been trying to drive since starting as Equifax CISO?
Jamil Farshchi: The number one thing, by far, is driving the culture change. It’s not just my top priority, but it also tends to be the most difficult aspect of the turnaround initiative.
The biggest challenge I’ve always seen is the broad-based change initiatives as it relates to just shifting the whole mindset of the company. At Home Depot, it was challenging because we had 400,000 employees. At Equifax, the challenge is not the sheer number of employees, but it’s the true scope and scale of the company. We are in virtually every region of the world. Then to compound that is the fact that the breach was a very significant event and impacted people in a very visceral way. It was a gut punch to the organization as a whole.
So I’ve been able to take a multitude of steps to be able to drive that broad-based change. I report to the CEO, and I’m one of the few CISOs who has that reporting line.
We instituted things like in our annual incentive plan, we’ve tied in security specifically into that. So it’s a component of every single person’s annual incentive plan. We have to be able to meet our targets that we’ve set forth. Otherwise, everyone is going to be penalized as a result of it. It’s part of driving in that whole culture of shared fate throughout the organization. Security isn’t just security’s job. Everyone needs to feel it through and through or we won’t be successful otherwise.
CyberScoop: What are some new initiatives that you’ve put in place on the operations side?
JF: My philosophy has always been about fundamentals. There’s a lot of folks who look for the “silver bullet” or gravitate toward emerging technologies. But I’ve seen it time and time again that the way to truly differentiate, the way to truly manage risk, is to really focus on those fundamentals. These processes, the controls, they are things that aren’t particularly sexy: Having a very stringent process for patch management. Having a very well-oiled machine, so that you can first identify whatever a vulnerability is on a continuous basis, figuring out what application that ties to, and where it ties to our infrastructure.
Being able to have a strong feedback loop, act on those insights, and talk to your teams that are going to be driving the patching. Following that cadence on an ongoing basis and meeting your SLA consistently. These things aren’t sexy, but when done really well, you’re able to effectively understand the weaknesses that you have across the board, and you’re able to make meaningful risk-based decisions.
These are the kind of things that I really try to focus on when I build out my programs. We’re doing that across the board, whether it’s from the patching side, or whether it’s from certificate management, our ability to protect our data and do the data devaluation capabilities that we’re bringing to bear.
CyberScoop: I recently read you are trying to stand up a “fusion center” model for the company. Can you tell me a little bit more about that?
JF: The fusion center model actually ties into one of the themes I mentioned earlier: shared fate. The fact that we’re more effective as a complementary team that’s cohesively aligned versus having silos of different groups.
The fusion center concept is such that you marry up your physical security and all of the activities, visibility and detection capabilities on that side with the cyber team itself. What we’re doing is taking it one step further and we’re injecting the IT operational folks in as well.
What we’re going to have once the facility is complete is a group of individuals that are cross-functional; that tie into the different layers of activity that could potentially cause harm.
So if we see a user system that’s compromised for some reason, and you could marry that back up from an operational standpoint in terms of when was that system provisioned, what operating system is running, when was the last time it checked in, things like that — you’ll have the people that are all of the key stakeholders sitting in the same room, all working from the same playbook, which helps you to be able to identify issues and resolve the problem quickly.
CyberScoop: That’s really interesting, especially since the fusion center is used in government and it’s not a well-regarded term. Tell me a little bit more about why you think this model works at Equifax. How does it differ from a SOC?
JF: A SOC is pretty much a stand-alone, siloed function. A SOC doesn’t marry up the NOC and other IT operations functions. It almost certainly never includes the physical security components as well.
I think that it will generate a tremendous value. Quite frankly, we did a very similar thing when I was at Home Depot. We generated a lot of operational efficiencies and effectiveness as a result of it. There’s a whole host of other organizations, particularly in financial services, that have leveraged the same model.
It’s not like it’s a brand new idea. It’s just an application of a successful private sector model for us here at Equifax.
CyberScoop: You said you report directly to the CEO. How has the conversation morphed around cybersecurity in the C-suite?
JF: I think that’s one of the most critical pieces that we’ve been shifting. I wouldn’t say that we’re at that point of maturity where I feel that all of the dialogue is exactly where I would like it to be. I would also say that we’re still building up our capabilities, and we’re still working on a lot of our hardening. The breach is still recent enough that the discussion, in many ways, still surrounds the risk.
We have several projects that we’re pursuing. We’re putting in $200 million this year into security investments. The discussion is around, ‘OK, we have all of these different initiatives, whether it’s tokenization, network segmentation, data devaluation. Which ones are the most critical for us? Which ones ultimately reduce the greatest amount of risk for us in the aggregate throughout the organization?’
These discussions we’ve been having have been very eye-opening, because I’m not sure it’s a discussion that has been had, certainly at the C-suite level. It’s been encouraging having the level of support to have those discussions.
CyberScoop: We’re approaching a year since the first intrusion. Where is the company on its post-breach timeline? Are you past full remediation? Have you moved into a different phase?
JF: I think that from a remediation standpoint, yes, we’ve remediated everything related to the breach itself. The way I’ve laid out the strategy is through a three-act plan.
Each act encompasses approximately a year. The first act is really building up those foundational controls that I talked about earlier. It’s build, mature, and then the final act is to lead. Our goal is to ultimately be a world-class security organization from a thought leadership standpoint, so other organizations can apply our lessons learned.
What I’m really focusing on is making sure that we have those core foundational pieces in place, those capabilities that I think we can build upon and continue to optimize, and once we get those, then we move into more of the emerging technologies.
CyberScoop: Have you determined who was responsible for the breach, whether it was a nation-state, a criminal group, or a lone hacker?
JF: At this time, we do not know.
CyberScoop: What type of threats worry you? What do you look at in terms of attackers, and what do you think the company should be looking out for?
JF: I’ve done this myself at every company that I’ve worked for. When I look at the general position about Equifax in terms of the breach and the level of vitriol that surrounded that, it’s difficult to look at any of the specifics and say ‘Well, this group is probably as big of a threat as another one.’ We certainly have information that would be attractive to nation-states. Our data would be valuable to organized crime. From an activist standpoint, depending on your ideology, we would be an attractive target for them as well. When we went through it and did the analysis on it, we really couldn’t say there’s one that’s more important than the other one. We basically have to assume all are meaningful risks and be able to build our defenses around all the actors out there.
CyberScoop: It’s been widely reported that an unpatched flaw in Apache Struts was partly to blame for the breach. Have there been any talks about moving away from Apache or making any other IT upgrades? If there are, are you influencing them in any way?
JF: Yes and yes. We have had many discussions about that. We’re actively going through an inventory of all of our applications as part of that $200 million investment this year. Going forward we are looking at the re-platforming of key systems and making decisions as to what’s the best application framework. We may use Apache, maybe using Spring, it will depend on the application itself. I’ve been intimately involved in these discussions in terms of the sunsetting and re-platforming.
But from my perspective, security shouldn’t be the predominant driver for all of those discussions. We should help to try to enable whatever the business is trying to achieve. I feel like even if you have a particular Struts vulnerability, there are other compensating controls you can actually bring to bear to help minimize the risk. We have a seat at the table and we help to articulate what those risks are, and then based upon the decision, we will apply the appropriate controls and architectural designs to be able to help manage them.
CyberScoop: How much of that $200 million investment is going to hiring? Are you bringing more people aboard specifically for cybersecurity? How do they factor into the overall security apparatus at the company?
JF: We’re certainly using some of that money for incremental uplift and headcount. I was not necessarily expecting this when I came on board, but there is a lot of talent on the team as it is. But nevertheless, we are making a concerted effort to bolster the size of the security team, targeting nearly 100 hires this year alone. We will probably cross that number by the end of the third quarter.
What we’re doing is rather than just hiring everybody under the sun, we’re trying to focus more on technical skill sets across the different capability areas that we have. We’re really emphasizing security engineering, security architecture. What we’ve done is that we’ve established a multi-prong strategy from a talent acquisition standpoint, whether it’s establishing meaningful relationships with key schools, such as Georgia Tech, which is right down the street from us here, or hosting things like hackathons, to be able to bring in talent that way.
CyberScoop: Speaking of talent, Equifax just brought in Bryson Koehler as CTO. He had some experience at IBM working with data security. How do you see him adding to what you are trying to accomplish?
JF: He is critical. I’ve been very impressed since he’s come on board. He and I have a very similar philosophy about technology and security. We talked about this the first time I ever met him: he fundamentally believes that security should be built in from the get-go. We need to leverage as much automation as possible, and standardization is critical to long-term success. It really puts us in a strong position because at the end of the day, if IT is done right, most of the security risk is actually never ultimately realized, because you don’t generate it from the get-go.
CyberScoop: I also heard you’ve been reaching out to the ecosystem around Equifax as part of your plan. Can you tell me about the Atlas program?
JF: We’ve taken a really strong and meaningful approach towards building partnerships. Basically, the notion behind Atlas was, Atlanta, for better or worse, has been the victim, or been home to the victims, of several of the largest breaches out there. Equifax, Home Depot, the city of Atlanta. Even for those who haven’t had a large public breach, any CISO worth their salt has dealt with a breach to some degree.
What we wanted to do, and what we did, was bring them all together. We had a really good roundtable dialogue for several hours, going over our war stories.
We’re in the process now of putting together a white paper that we’ll release based on what we’ve learned. Every quarter, going forward, we’ll get together on another topic, and we’ll produce something to be able to help not just us but other groups, based on the lessons that we’ve all learned collectively. One of our strategic pillars is ensuring that we are able to build lasting relationships with a lot of the key players out there, whether it’s with Atlanta CISO groups or our customers. We spent a lot of time and energy working to learn the best practices.