Feb 26 2020

RSA 2020: In the Wake of a Major Breach, Equifax Makes Ambitious Changes

Its new CISO cites cultural change, security awareness and transparency as the keys to its renewal.

It’s a new day at Equifax.

In September 2017, the credit rating agency suffered one of the most notorious cybersecurity breaches in history, affecting the personal data of nearly 148 million U.S. consumers, as well as residents of Canada and England. The breach was a blow to Equifax’s reputation, and the company’s former CEO and former chief security officer moved on shortly after. 

Today, the company is determined not merely to recover the public’s trust but to establish itself as a global leader in data security. Its new CISO, Jamil Farshchi, arrived at RSA 2020 in San Francisco, one of the largest gatherings of cybersecurity professionals of the year, to tell a rapt audience exactly how it’s achieving that.

“I’m proud to say that the FBI, through a concerted effort over the last two years, was able to identify the perpetrators of our breach,” Farshchi said. The Justice Department announced the indictments of four members of the Chinese military on Feb. 10 in connection with the breach. “In the two years that the FBI was working on that case, at Equifax we’ve been working in parallel, and we’ve been driving a tremendous amount of change on our side as well.” The company has committed $1.25 billion to its cybersecurity efforts, a fairly staggering sum, Farshchi said, in part to “fundamentally transform who we are so that we can be a leader in this space.”

Culture Is Critical to Cybersecurity Success

Equifax has focused on four areas: organizational culture; compliance with regulations and certification requirements; its relationship with customers; and its specific cybersecurity controls, especially its tools and policies.

Of these, the most important to ensuring a breach doesn’t happen again is probably the company’s culture, Farshchi said, and to that end it has implemented a number of new programs internally. For example, it now ties annual employee bonuses in part to how well the company performs on quantitative cybersecurity metrics it sets each year. And to ensure workers are empowered to influence that performance, it provides feedback, on both an individual and a department-level basis, on specific data hygiene metrics.

“We’re doing this because our DNA at Equifax is obviously credit scoring,” Farshchi said. “We want to apply that same skill set to this problem. And what it ultimately does is, it slowly changes those behaviors because people are more cognizant, and it makes them advocates for security as well.” 

It’s part of an overall security awareness approach that includes everyone at the company all the way to the board of directors, he said.

Equifax Works to Regain Regulators’ Confidence

Equifax has also worked hard to re-establish the confidence of regulators and certification boards, focusing squarely on ensuring complete compliance with every requirement. Farshchi noted that it is “infinitely harder” to regain certifications that have been lost, as happened in the wake of the breach, than it is to get certified in the first place.

“My belief is that compliance should just happen,” he said. “It should be the natural byproduct of a good security program.” 

Such a program necessarily includes careful controls over security policies and processes. Organizations that endure large breaches are often the ones that allow fundamentals, such as regular patching, to slip, he argued. “If you want to succeed in this space you need to be able to do those things, and my sense is that as an industry, we don’t do the fundamentals very well.”

Equifax still has work to do. It’s only in the second year of a three-year cybersecurity renewal program. The company hired a staggering number of new cybersecurity professionals in the wake of the breach — more than 1,000, including Farshchi, who started at Equifax in February 2018 after a stint as Home Depot’s CISO. 

Farshchi admitted that the days have been long and the stress level high, but the company is committed to being open and collaborative about its cybersecurity program while it works to rebuild public trust. 

“It is extraordinarily rare for an organization to be transparent about what they’re doing in this space,” he said. “Most organizations, you put your head down, grind it out, and that’s that. The problem with that is it doesn’t allow others to learn what you’re learning — and we’ve learned a lot.”
