Equifax: The New Era of Cybersecurity
Equifax EVP and CISO Jamil Farshchi on Public-Private Collaboration, Transparency
The high-profile Equifax breach happened nearly six years ago. Jamil Farshchi, CISO of Equifax, discussed how the firm invested $1.5 billion, hired new staff and improved governance to prevent future attacks, but he said security organizations need to enter a new era of cooperation and transparency.
A fundamental change that needs to happen is that cybersecurity needs to have a seat at the table and be baked into the business - not just an afterthought, Farshchi said.
"For the next generation of security leaders and CISOs, I'm hoping what the leaders in this space today will help pave the path so they will have it easier than we do, so they can focus on actual risk management and so they are able to buy down that cyberthreat that we face today," Farshchi said.
In this video interview with Information Security Media Group at RSA Conference 2023, Farshchi also discusses:
- The role of public-private partnerships in combating current and future threats such as advancements in quantum computing;
- The need for greater transparency to foster greater sharing between organizations;
- Mantras for the next generation of cybersecurity leadership.
During his tenure at Equifax, Farshchi led an unprecedented $1.5 billion transformation and built one of the most advanced, effective and transparent cybersecurity and privacy programs in business today. Prior to Equifax, he held leadership roles at The Home Depot, Time Warner, Visa, Los Alamos National Laboratory and NASA.
Tom Field: Hi there. I'm Tom Field. I'm senior vice president of editorial with Information Security Media Group. Talking about the new era of cybersecurity, here to talk about it with me is Jamil Farshchi, executive vice president and CISO with Equifax. Jamil, it's a pleasure to have a chance to catch up with you again.
Jamil Farshchi: It is great to be here.
Field: Now I know you get asked this question all the time, you're sick of answering it. It's been six years now, right? Six years since the event. Tell me about this. I know that you have been very transparent in the work that you've done since you joined Equifax. How is cybersecurity at Equifax most different today than it was at the time of the event?
Farshchi: Honestly, there's not much that I can think of that's the same as six years ago. I mean, we've made a one and a half billion dollar investment, we've hired top-tier talent, we've incorporated all these new governance structures. So there's not much the same at all anymore. I think the one thing that I would think I'm most proud of, and that we've really turned the corner on that we didn't do before, is focusing on partnership and trying to shape the broader security landscape. Our work with the federal government, our work with a lot of our customers and partners, vendors throughout the ecosystem, it's driven a big change. And I think that that's probably the most monumental one.
Field: Now, one thing we don't talk about nearly enough in this six years is half of that has been post COVID. And so in addition to recovering from the breach, you've had to go through digital transformation, accelerated cloud migration, creation of this hybrid workforce. How has all of this changed you most as a cybersecurity leader?
Farshchi: Look, there has been, first off on COVID, we had a leg up on that. I know a lot of other organizations had challenges trying to make that shift. But look, because of the investments we had made in security before that, we were able to really just take it in stride, because we had the fundamental architecture and we had trained our workforce to be able to work remotely and to do things remotely and so forth. So that was fantastic. In terms of things, the things that I would like the next generation - everything - I mean, look, I am here today because of all of the mistakes that I've made; I've done a good job of not repeating most of them. But for the most part, it's been a whole host of challenges that I've faced, and been able to sort of persevere through them based on the learnings therein. I think, for the next generation of security leaders and CISOs, I'm hoping that the work that we, as leaders in this space, do today will help pave the path so that they will have it easier than we do, so that they can focus on the actual risk management and being able to buy down that cyberthreat that we all face today. Instead of dealing with, "Hey, is security important? Like, do we need to fight to get a seat at the table?" We want our voices heard. Those are many of the challenges we face, we spend a lot of our time on, that I'm hoping the next generation doesn't have to.
Field: Have to ask you about some issues I know are important to you. And the first is the new era, as you say, of cybersecurity. What's the new value of collaboration now between the public and the private sector? Is that something you've talked about a lot publicly?
Farshchi: Yeah, look, we've got empowered nation states, we've got organized crime attacking U.S. companies on a regular basis, ransomware, whatever. And then you look at some of the stats: weak supply chain security alone accounts for roughly 50% of the breaches that we have today. I mean, the threat landscape is all over the place. And so I think that partnership is essential. And it's why we've leaned in so hard with a lot of vendors as design partners to be able to help shape the technology future. It's why we lean in with Cisco and the FBI to be able to get meaningful threat intelligence to help protect us, but at the same time, to be able to allow them to disseminate that to help protect our partners. And so I think that we're in a place today where we absolutely have to do it. And I'll give you one really good example. If you think about things like quantum computing, the quantum threat is going to - whether you think it's going to be in five years or seven years or 10 years, it's going to come. And when you look at how prepared, our preparedness today, we're just not there. To solve for it, you need to have the government come up with quantum-proof standards, you need to have the vendor community develop technologies that actually support it. We as organizations need to invest heavily to be able to rearchitect and reinvest in our infrastructures. But even more than that, I could do all of those three things, but unless every single other party within that ecosystem actually does the same thing, we are not going to be prepared. I can't communicate through crypto with another organization unless they also make those investments themselves. So I don't think it's any more a situation of, "Hey, it's good to partner, we should do this. It's going to put us in a better position." I think the key is we have to do it if we want to win in the future.
Field: Now talk to me about what you call the new era of cybersecurity disclosure. You're speaking about this. How do you feel about the new demands for transparency?
Farshchi: Look, Tom, there's a lot of consternation around these new demands and the level of rigor that goes along with them. I mentioned a second ago all the investments and stuff that we've done at Equifax. Because of what we have done over the last six years, we meet virtually all of the requirements that are coming down the pipeline already that have been proposed. You know, some new form that I have to attest to, or whatever, we did that. But the beauty of it is, out of that one and a half billion plus that we've spent, virtually none of it, maybe a tiny rounding error, would be applied toward this particular problem. We just did it because it was the right thing to do. And the level of effort that it takes for us to consistently do it is virtually none. So I think a lot of the fear mongering around this issue is unfounded. I think once organizations do it, it's not that difficult. It doesn't put you in a tough place. And let's be honest, just transparency hurt. I mean, as an investor community, if you're a shareholder, if you're a customer, if you're an American citizen, anything like it is useful to be able to have that information. And so I think it's a great thing to do.
Field: Want to ask you about risks. I know you co-chair the working group that produced the new Bipartisan Policy Center report on top cybersecurity risks in 2023. Two questions: What stands out? What surprised you?
Farshchi: I'll give you one answer. We went through this thing. And I remember when we first started, we were all in it. This is, I mean, we've got some top minds in cybersecurity within this suite, sitting congressmen in there as well, synergies and stuff, too. We were all sitting there thinking when we started, we're going to come up with all of these novel threats and blow everyone away. We got to the last meeting, I remember. And there was one person - I won't name who it was - he was a prominent CISO who looked at it, reviewed it, and it was like, "Man," he's like, "do we need to change something here? Because this is all the same stuff that everybody already knows." And that was the takeaway, honestly. You know, we obviously kept it the way it was, because that's what we fundamentally believed were the greatest risks. But the takeaway was we've dealt with the same problems. I used to work here in San Francisco when I worked at Visa, this was over a decade ago, and the same things that we have on our list of top risks for 2023 were the same things we were battling, you know, 10 years ago. And I think it should be a call to action for our industry. We've got to make these changes. Because what we're seeing today, all the carnage out there, company after company getting breached, it's because we aren't tackling these fundamental issues.
Field: That ties into my next question. It's about the value of communication. Here, your words come back to you. You said recently that communication is the one thing you would fix if you could snap your fingers. So my question is: what's broken? What's the impact of this being broken? How can it be fixed?
Farshchi: The most common challenges that we as CISOs face are: I need a seat at the table; I want to be able to talk to my board for more than 15 minutes, you know, over the course of a year; I need technology to be able to do something, they won't patch, or whatever it might be; my own team complains I don't have a cogent strategy, like they don't know which direction we're going. All of these problems have one root cause: our ability to communicate, our ability to be able to drive that narrative that ultimately drives some sort of action, and makes it important enough that people are going to prioritize it above the bevy of other things that are out there. And I think that, as a security practitioner myself coming up through the ranks, you know, when you get evaluated at the end of the year for who's the top performer, who's a HiPo, you typically look at, "Hey, who's got this degree, who's great at, you know, packet analysis, who's great at this architecture, infrastructure." The one person who's like, "Oh, man, he's great at communications," that person never gets the promotion. And so we find ourselves today where security has continued to increase in terms of its prominence and its visibility within companies, within boards and so forth. And yet, we've got a group of leaders in this space who haven't really ever been challenged, ever been pushed to be good communicators. And so I think that that ultimately ends up being one of the root causes of many of the challenges that we face. And if we can solve for it, even improve it, I think it puts us all in a much better position.
Field: Talking about the next generation of cybersecurity leaders, the people that are going to succeed you. What do they need to do differently and bring to the table differently even than what you've done?
Farshchi: Well, I hope it just continues down the path. I don't see some major left-hand or right-hand turn in terms of what their skill sets are and what they need to bring to the table. What I hope is that they can watch what we're doing today, and some of the hurdles that we're jumping over and some of the things that are tripping us up, and they're able to consistently evolve. I continue to believe that adaptability is the number one skill, like, you know, even outside of communication, for our role; things are changing at lightning pace. If I look at the field today and what we're doing today, in my role today, compared to what it was back when I was at Visa or whatever, when I started, it's monumentally different. And so I think just continuing to evolve and do the best they can to fight the good fight.
Field: Glad we had the opportunity to sit down and talk to you, man. Thank you very much.
Farshchi: Thank you. I appreciate it.
Field: We were talking with Jamil Farshchi, he is the EVP and CISO with Equifax. For Information Security Media Group, I'm Tom Field. Thank you for giving us your time and your attention.