leowolfert - stock.adobe.com
When a business that holds sensitive customer data, such as their financial details, is hacked, it takes a lot to regain trust. Equifax’s current chief information security officer (CISO) is on that journey.
The Equifax breach, which unfolded over a two-month period between May and July of 2017, saw the personal data of about 150 million Americans and almost 700,000 Britons exfiltrated to computers outside the US.
“They brought me in after the security breach in 2017 with the mandate to help drive the transformation of the organisation as a whole in the wake of the breach,” says Farshchi. He is today responsible for all Equifax’s cyber security programmes, physical security, privacy and fraud.
He arrived with a track record in taking control of security at organisations hit hard by a cyber attack. For example, he was hired by US retailer Home Depot after it was shaken by a data breach in 2014, in which customer payment card data was accessed by cyber criminals.
Security and the cloud
Restoring confidence in Equifax’s cyber security comes at a time when it is moving root and branch to the cloud. With the 2017 breach fresh in the minds of customers, this could be seen as a risky time to do so.
It is incidents such as the Equifax breach that have made big businesses cautious about using public cloud, but Farshchi tells Computer Weekly a combination of building in security from the start and real-time security asset monitoring makes the cloud more secure than on-premise IT.
“[I joined Equifax] after the security breach in 2017 with the mandate to help drive the transformation of the organisation as a whole in the wake of the breach”
Jamil Farshchi, Equifax
“The cloud offers you the opportunity to do things you cannot do on-premise. To have real-time visibility of your entire security stack on-premise is virtually impossible,” he says. “You can do it on a point basis, but to do it holistically is extraordinarily difficult. The beauty of the cloud is that it is standardised.”
Equifax is predominantly moving to the Google Cloud, with all its systems either in the cloud already or on the roadmap to move to the cloud.
While moving to the cloud is the company’s major IT challenge at the moment, Farshchi was faced with other challenges when he took over as CISO at a company that had experienced a very public breach.
Rebuilding company culture
There was a lot of groundwork to do. “The number one focus that we have had since day one of the transformation is rebuild the culture and focus on tying security into the DNA of the organisation,” he says.
“If you look at the majority of security breaches and the issues organisations have today, organisations focus on the security technologies and things like that, but the reality is if you are able to get the culture piece right then you will put yourself in the best possible position.”
Farshchi says it is also essential early on to make the CISO role a direct report to the CEO, followed quickly by a major investment in technology. Equifax directed $1.4bn to the transformation required to rebuild its technology and security stack.
This is where cloud computing came in. One of the key parts of its technology transformation is the plan to become a cloud-first company. “We are migrating a vast amount of our infrastructure to the public cloud,” says Farshchi.
This is breaking the mould for many big businesses, and might be considered a surprising move for a company that suffered a huge breach. “We find that a lot of organisations are quite reticent to adopt the cloud, in some cases because of security concerns,” says Farshchi.
But investment in the latest technology infrastructure alongside security is vital for the simple reason that “you can’t have good security if you don’t have good technology”, he says.
Jamil Farshchi, Equifax
“If you look at security breaches historically, 99% of them are due to a combination of factors. This includes things like asset management, certificate management and configuration challenges, as well as patching,” adds Farshchi.
“In the modern day, these things are shared responsibilities across organisations. Unless you have a strong infrastructure with great people in the technology and security teams, then you just won’t be successful. This is one of the things we identified early on so we had a large investment in both sides.”
The organisation saw that moving to the cloud could, in fact, make the company more secure. “Our view is different and we believe the cloud offers the opportunity to be more secure if it is done correctly,” says Farshchi.
Real-time asset monitoring
Part of Equifax’s approach is ensuring that all security assets are monitored in real time, something made possible by cloud computing. “One of the key things we have done is introduce this concept of assurance,” he says.
Farshchi says a lot of breaches don’t happen because organisations didn’t have controls and things in place, but because there were weaknesses in controls that were there.
“They thought they were operating properly, but it turned out they weren’t,” he says. “The concept of assurance means we can ensure our controls are constantly working, and not just that they are effective, but that we have the coverage. Part of the problem is companies might have the right technology but it is sometimes in just one enclave and covers a handful of [security technology] assets and doesn’t have the scale it needs to protect everything.
“If you look at many of the breaches in the past, software to monitor security assets would have prevented them, because they would have had visibility of where the gaps were,” adds Farshchi.
Read more about Equifax
- Equifax chief says it takes cyber security seriously in response to scathing Senate report on the credit rating agency’s 2017 data breach, which experts say highlights failings around open source software.
- Equifax explains how it has transformed its data security strategy using multiple clouds and a more focused approach through Google Cloud Platform’s hierarchal security.
- Under the settlement with the FTC and state attorneys general, Equifax will fork out at least $575m in civil penalties and provide credit monitoring services to consumers.
While Equifax has a global tech team of over 2,000 people and about 800 security staff, half of whom are contractors and consultants, it values partnerships with suppliers to make sure it doesn’t miss out on the latest security technologies in the market.
This strategy has helped the company innovate around the concept of security asset assurance, where it is working closely with supplier C3M and its asset assurance monitoring technology.
The C3M product provides Equifax with the ability in the cloud to have real-time monitoring of security assets.
“I can have continuous monitoring and validation of over 100 different security controls in the cloud,” says Farshchi. “This means I do not have to rely on one data point, such as an asset management system or a vulnerability management system, I can use these data points and overlay them with the level of assurance I get from a tool which gives us visibility across our entire control estate to ensure we are operating effectively and within the bounds of our requirements.”
Equifax’s work with C3M is not the only example of how it works closely with suppliers to collaborate through a co-innovation approach. “We do this with a variety of suppliers,” says Farshchi.
This approach helps Equifax develop functionality that meets its requirements and helps the supplier add to its product portfolio. “For example, we told C3M that having real-time visibility of our tools is great, but if we want to go to the next level we need to do things like be able to tell our customers of the status of the security assets protecting all the products and services they buy from us.
“This gives us the ability to give them instantaneous insight into the security of the assets they leverage and makes it extraordinarily easy, via one click, to provide insight. This builds confidence on their side and helps us manage resources,” he says.
Companies such as Equifax are regularly asked to provide reports for customers on security, which is time consuming. Equifax provided the idea to C3M and the supplier worked on the technology to enable it. There are more features planned in the partnership and work to build in new features continues, says Farshchi.