Culture Is Critical to Cybersecurity Success
Equifax has focused on four areas: organizational culture; compliance with regulations and certification requirements; its relationship with customers; and its specific cybersecurity controls, especially its tools and policies.
Of these, the most important to ensuring a breach doesn’t happen again is probably the company’s culture, Farshchi said, and to that end it has implemented a number of new programs internally. For example, it now ties annual employee bonuses in part to how well the company performs on quantitative cybersecurity metrics it sets each year. And to ensure workers are empowered to influence that performance, it provides feedback, on both an individual and a department-level basis, on specific data hygiene metrics.
“We’re doing this because our DNA at Equifax is obviously credit scoring,” Farshchi said. “We want to apply that same skill set to this problem. And what it ultimately does is, it slowly changes those behaviors because people are more cognizant, and it makes them advocates for security as well.”
It’s part of an overall security awareness approach that includes everyone at the company all the way to the board of directors, he said.
Equifax Works to Regain Regulators’ Confidence
Equifax has also worked hard to re-establish the confidence of regulators and certification boards, focusing squarely on ensuring complete compliance with every requirement. Farshchi noted that it is “infinitely harder” to regain certifications that have been lost, as happened in the wake of the breach, as it is to get certified in the first place.
“My belief is that compliance should just happen,” he said. “It should be the natural byproduct of a good security program.”
Such a program necessarily includes careful controls over security policies and processes. Organizations that endure large breaches are often the ones that allow fundamentals, such as regular patching, to slip, he argued. “If you want to succeed in this space you need to be able to do those things, and my sense is that as an industry, we don’t do the fundamentals very well.”
Equifax still has work to do. It’s only in the second year of a three-year cybersecurity renewal program. The company hired a staggering number of new cybersecurity professionals in the wake of the breach — more than 1,000, including Farshchi, who started at Equifax in February 2018 after a stint as Home Depot’s CISO.
Farshchi admitted that the days have been long and the stress level high, but the company is committed to being open and collaborative about its cybersecurity program while it works to rebuild public trust.
“It is extraordinarily rare for an organization to be transparent about what they’re doing in this space,” he said. “Most organizations, you put your head down, grind it out, and that’s that. The problem with that is it doesn’t allow others to learn what you’re learning — and we’ve learned a lot.”