Equifax CISO Jamil Farshchi has pulled back the curtains on cyber security operations, saying that he believes “transparency to all stakeholders to the deepest degree reasonable” makes for a more secure company.
“If we have transparency, it makes sure we’re up to snuff in every facet of our program. It makes sure that no one is looking at a patch log and says ‘It’s no big deal,’ because they know everybody is looking,” he says. “I think it ultimately makes you more secure, and you’re able to withstand any sort of targeting.”
Farshchi’s not just waxing philosophical: He is, in fact, sharing details about the work he and his team are doing, the threats they’re facing, and the challenges they have.
The company, a multinational consumer credit reporting agency, in March released its 2021 Security Annual Report. It outlines the company’s cyber security investments and provides details about its policies and procedures.
“If you’re a customer or an investor, it shouldn’t take a breach for you to find out a given company’s security posture. Companies should be required to make public the health of their own cyber security,” he says.
As most veteran CISOs know, Farshchi’s approach has not been the profession’s historical stance. Instead, the workings of the security function traditionally have been opaque to external groups — particularly customers — as well as internal business units and executive colleagues.
That opaqueness, however, came at a cost.
“Transparency isn’t the norm in security, and it’s weakened us. It’s disrupted digital supply chains, exposed addressable vulnerabilities, hindered our collective intelligence, undermined goodwill, and unnecessarily extended response times,” Farshchi says.
Pushed in part by the ever-increasing level of threats, CISOs and their executive counterparts came to see the value in everyone having a better understanding of the security function and its importance.
“Security by obscurity does not work”
Even national leaders are calling for more collaboration and cooperation. President Biden called for more partnerships in his May 2021 Executive Order on Improving the Nation’s Cybersecurity.
The Securities and Exchange Commission (SEC) in March 2022 proposed a rule change “to enhance and standardise disclosures regarding cyber security risk management, strategy, governance, and incident reporting by public companies.”
And Congress this spring passed its Cyber Incident Reporting for Critical Infrastructure Act, requiring companies in the critical infrastructure sector to notify the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a significant cyber incident and within 24 hours of making a payment in ransomware cases.
Taken all together, Farshchi says, the recent actions represent a solid move forward. But he believes more needs to happen if the country’s companies and communities want to become more secure, calling out the need for more communication and more collaboration as well as an increase in the number of CISOs willing to publicly discuss what works in cyber security and what doesn’t.
“I don’t believe we should hide anything,” Farshchi says, explaining that he believes that security organisations owe such forthrightness to their constituents because otherwise “that’s me making a risk decision for them without them even knowing about it. The idea of keeping [that information] under lock and key flies in the face of reason. Security by obscurity does not work.”
He adds: “We’ve done our part at Equifax to increase transparency.”
Farshchi defines transparency as “providing constituent groups with the visibility they need to make better security decisions.”
“You can have a different message for different audiences,” he explains.
For stakeholders broadly, that means issuing the yearly report (with the 2021 report being its second annual one) and laying out how the company is furthering its security transformation.
For customers, it means holding information summits and talking about controls and best practices in terms they’d understand.
For the broader security community, it means hosting lessons-learned briefings “to give a helping hand to other organisations” and partnering with others, including government entities, “so they can help bring up policies that can help the broader universe of stakeholders out there,” Farshchi says.
“We can’t solve today’s cyber challenges without talking about them and collaborating with one another,” Farshchi says. “Cyber security is already steeped in enough complexity and secrecy; we shouldn’t add to that problem by staying quiet or only talking within our four walls.
“If we want to change the trend line of successful attacks — if we want to make our companies and communities more secure — we need more communication, more collaboration, and more transparency in security, not less.”
He adds: “We’ve chosen this approach because security shouldn’t be a trade secret.”
A mandate for change
As CISO, Farshchi says he knows the importance and value of that openness — and the problems created when it’s not there.
Like many security executives today, he says his company seeks information from its own business partners and vendors about their security programs to ensure they’re meeting certain standards and thereby limiting the possibility of introducing additional risk to Equifax.
However, Farshchi acknowledges that such efforts don’t always yield adequate insights and the needed visibility to make truly informed decisions.
Equifax has also been on the other side of this: The company suffered a significant breach in 2017, a highly publicised event that prodded executives at many other companies to boost their cyber security acumen and investments as well as prompted a new cyber security approach at Equifax itself.
Farshchi joined Equifax as CISO in February 2018 after serving as the CISO at The Home Depot for three years. He came into Equifax with a mandate for change.
“There’s little if any aspect of our security program that hasn’t been completely overhauled from what was in place in 2017,” he says.
“We invested over $1.5 billion to rebuild our security and technology systems from the ground up. We hired more than 600 highly-skilled cyber security professionals to protect consumer data. Multiple independent ratings now show that our security maturity and posture exceed every major industry average.”
In addition to his role at Equifax, Farshchi serves on the board of directors at the National Technology Security Coalition, the Georgia Institute of Technology Institute for Information Security Privacy, and the Piedmont Park Conservancy in Atlanta.
Farshchi believes the push for more transparency — from him, Equifax, other security leaders and the government — has an opportunity to make a significant impact and generate real improvement.
He points to the SEC actions on cyber security, saying they could be “a game-changer in our space by forcing cyber security into the boardroom [with] policy change driving this whole notion for transparency.”
“It’s huge, it’s an extension of what we’re trying to do at Equifax but at a much larger scale. I think it can ensure that CISOs have a seat at the table and it gives the opportunity for security to actually engage with board members. In many organisations, this just isn’t the case today.”
Such change can’t come soon enough, according to Farshchi. Organisations are contending with much more risk as they become more digital. “When you think about the impact that cyber can have on an organisation — any organisation — and you look at the probability of an attack occurring, there is no risk out there that’s more prominent than this one.
“And it’s only going to get greater as we move forward. And because of that, we’re going to have to get to a much better place in terms of security.”