“Your biggest enemies in a breach are time and perfection,” notes Equifax chief information security officer (CISO) Jamil Farshchi. “Time and perfection will ultimately crush you.”
Farshchi would know. Since starting his career at NASA, Farshchi has taken on an expanding range of security roles at high-profile cyber targets such as Los Alamos National Laboratory, Visa, and Time Warner. Most recently, the veteran security executive has focused on helping companies that have suffered massive cyber crises—first by joining retailer Home Depot in 2015, and then at Equifax, the credit-reporting agency, technology, and analytics firm. Farshchi joined Equifax shortly after the 2017 cyberattack that ultimately compromised some 147 million customers’ personal data and resulted in the US’s largest data-breach settlement to date.
In the wake of that crisis, Farshchi and his team are doubling down on efforts to increase transparency, rebuild trust, and strengthen Equifax’s risk culture. Farshchi recently talked with strategy+business about the company’s progress thus far, the challenges and rewards of leading in crisis, the future of the CISO role, and his own memorable—if accidental—experience as a hacker.
The following is an edited version of the conversation.
S+B: How did you get interested in cybersecurity?
FARSHCHI: My first real foray into security was in college. I was tinkering around on the school’s network and ended up gaining access to a bunch of credentials—user names and passwords—through some security vulnerabilities. Being Mr. Naive at the time, I thought, “This is really cool,” and I decided to take it to the dean of my college. It was only when I was getting ready to step into his office that I realized, “Oh, shoot. I might get expelled for this.” Fortunately, he was very kind and appreciative, and he ended up giving me a yearlong fellowship to help the university with security.
S+B: So you could have ended up a cybercriminal instead of a CISO?
FARSHCHI: [Laughs] A lot of my classmates at the time liked the idea that we could change our grades. But no, my lesson learned from the whole thing is that doing the right thing pays off. It turned out to be a great experience for me—not only did it help the school, and I got a little bit of money for the fellowship, but we were able to get those security issues fixed and people were protected. A win-win.
S+B: Let’s talk about a much bigger crisis—the 2017 Equifax breach. You were brought in specifically to help the company recover from that event, which at the time was one of the largest breaches ever. What’s it like to go through a crisis like that in real time?
FARSHCHI: Honestly, it’s hard to describe. It’s like a gut punch. It’s scary. It’s chaotic. It’s demoralizing. It’s all those feelings crammed into one period of time. There were incidents of Equifax employees walking out of the office and literally getting spit on by random people because of the level of vitriol around the crisis. As a leader, your job is to help instill confidence and direction—a sense that things will be OK—while the organization as a whole is on its knees.
S+B: How do you approach that challenge?
FARSHCHI: Your biggest enemies in a breach are time and perfection. Everyone wants everything done in a split second. And having perfect information to construct perfect solutions and make perfect decisions is impossible. Time and perfection will ultimately crush you.
By contrast, your two greatest allies are communication and optionality. Communication is being able to lay out the story of where things are, and to make sure everyone is rowing in the same direction. It’s being able to communicate the current status, and your plans, to regulators—and at the same time being able to reassure your customers and make sure they have confidence that you’re going to be able to navigate to the other side.
Optionality is critical, because no one makes perfect decisions in this kind of firefight. Unless you’re comfortable making decisions that might not be right at any given point in time, you’re going to fail. [As a leader,] you need to frame up a program and the decisions you’re making in such a way that you’re comfortable rolling them back or tailoring them as you learn more, and as things progress.
S+B: What did that effort look like? What areas did you choose to tackle first?
FARSHCHI: I focused on three things at once, really, starting with people. People are the definition of whether you succeed or fail. And in any crisis, some people freeze, while others become mountain movers. For example, my deputy CISO, Russ Ayres, wasn’t even in security at the time. He was a developer. But he stepped in and delivered, on the technical facets, the customer discussions, meeting with regulators—all of it.
I think it’s part of our job as leaders to be able to identify the strengths of our people and position them where they’re most able to succeed. Crises are great for making assessments of people and their skill sets.
The second area was our go-forward strategy, and it was not super deep or crazy complex. It’s purely a high-level thing that says, “Here’s what we want to be in the future. Here’s how we’re going to be able to get there,” with a handful of high-level initiatives. Again, the goal isn’t perfection. The goal is to be able to instill confidence in people that it’s not going to be pure chaos anymore, that we have a path.
S+B: And the third area?
FARSHCHI: Culture. It’s absolutely critical. The mistake a lot of people make in a crisis is to defer on culture because it doesn’t seem like something you should do immediately. The problem with that is that culture takes a long time to establish. And change is inevitable at this point. When you’re in crisis mode, people are far more apt to buy into what you’re trying to establish from a culture standpoint.
S+B: How do you know if your organization has a strong or weak risk culture? What are the signs?
FARSHCHI: Look at where security sits within your organization. Is it buried in the bowels of technology, or does it have a seat at the table? I report directly to the CEO. That’s a strong statement on how much cyber risk means to the company. Looking at the organizational structure is a really strong sign of what’s important to a company.
On the other hand, I’ve seen organizations where they conduct annual enterprise risk assessments and no one really cares about them. It’s a once-a-year checkbox, and they just go through the motions. That’s a weak risk culture.
You’re in a better position if risk is integrated as a core component of the different disciplines in your organization—where you have meaningful, thoughtful discussions about it. If those discussions occur often—and not only at lower levels of the organization but through to senior executive and board levels—you’re probably in good shape. Believe me, the rest of the organization is watching. If they see that risk is getting a lot of airtime, that reporting lines are changing, security is being elevated in importance, and the board of directors covers cyber as a topic every quarter—those things matter.
Finally, risk culture is assessed through action. You probably have a weak culture if discussions don’t really amount to anything, and a strong one if the organization is making decisions favoring risk—not simply chasing every incremental dollar of revenue. If you’re not willing to slow down a digital transformation or delay the release of a product because of a security risk, that probably suggests that the organization does not have the right kind of culture. Those are the tough trade-offs that, to me, demonstrate that the company is willing to put its money where its mouth is in terms of managing risk effectively.
S+B: How do incentives figure in building a robust risk culture?
FARSHCHI: It’s important to make risk a component of every employee’s job, to the degree that they know that if they do the right thing, they are going to be rewarded. Typically, incentives are linked to sales and financial performance. At Equifax, we started with a risk-linked performance incentive for every bonus-eligible employee in the entire company. And then we evolved that further to every employee, period. We even rolled it out to contractors.
S+B: How does it work?
FARSHCHI: We measure risk around about 13 different employee behaviors—for example, are we disabling people’s credentials in a timely way when they leave the company? Each behavior has an associated training module, so if someone didn’t score well on a security metric, they get more information on what’s expected and how to improve. Everyone gets a scorecard, and I report to the executive team every month when we do our security updates.
We have a 100-point index that reflects a projection across the entire employee base. When we started, our score was roughly 54 to 55, and that was only based on three behaviors. As of today, we are at approximately 93 to 94. Every time we add a new behavior, our score will dip because people are not used to it yet. A month or two later, it jumps up because people learn.
I think it’s a really powerful and objective story of improvement, because we’ve been able to drive that increase in performance, and that culture of security, across the entire employee base even as we’ve added requirements and behaviors.
S+B: How does trust figure into all this, including the culture you’re building?
FARSHCHI: Trust is essential. From an employee standpoint, people are often scared to death to raise their hand and say there’s a problem. People need to have trust to be able to escalate risks. At the same time, people have to trust that the security team is competent enough to mitigate risks. Actioning a risk comes with some type of trade-off; maybe it’s lost revenue because an application has to be taken down. So, before that happens, people have to trust that the security team can fix the issue within the proposed scope, time, and budget. Otherwise, the business is going to lose either way.
Finally, the security team can’t be the boy who cried wolf, with everything being labeled a critical risk and the sky always falling. Our colleagues in the business have to believe what we’re saying to take it seriously.
S+B: How do you build trust with your customers—or in the case of a breach, regain trust?
FARSHCHI: Mark Begor, our CEO, is a strong advocate for “Say, do.” We can talk about something all we want, but we need to do what we say we’re going to do. One of our goals around trust is to be transparent with our customers, our investors, and to be a leader in this space. For too long, companies and security professionals have tried to keep everything in a clutch-hold, because they thought that disclosing anything would expose their problems to hackers and regulators, or highlight gaps that would fire up customers.
So we’ve leaned into several actions. For example, we’ve made cybersecurity a far more prominent part of our proxy statements. We also publish our Security Annual Report, which is dedicated entirely to security and being transparent about the state of play and what we’re doing.
We also recently created a dashboard that gives our customers—more than 280 onboarded so far, including some of the largest companies in the world—real-time visibility into our security posture. I know this transparency wins us business—I’ve had customers tell me as much—but it also helps us build trust. And we think that doing this is good for the broader industry.
Not everyone will adopt a practice like this, but I’m optimistic that it can at least give hope to other security leaders and companies out there—hope that we can do this together if we’re willing to step up and do the right thing.
S+B: Where do you see the role of CISO heading in the future?
FARSHCHI: Where is it not headed? It’s come a long way, and I see it continuing to expand. The first iteration of the CISO role merged cyber and physical security. Since then, a ton of additional roles that are much more common now have been married up to security. If you look at my role, I’m responsible for cyber, physical security, privacy, and our crisis management function. I even have a commercial P&L on top of it all. I see the CISO becoming the de facto leader for virtually all the technical risks within an organization—given the skill sets, where technology is going, and how important it’s becoming to the lifeblood of virtually every organization. I think you’re also going to start seeing CISOs on boards far more frequently than you do today.
S+B: Have your experiences of managing in crisis changed you as a leader?
FARSHCHI: A lot of people look at my career and think I’m a firefighter, but I don’t view myself that way. What really motivates me is being able to make a difference. Whether it’s finding emerging threats, handling mega breaches, or rebuilding a program—those are the kinds of opportunities I tend to seek out and get a lot of enjoyment from.
I love being able to look back at how much change these programs and people have driven, and the development we all have had as a result. I hope I can make a small difference in people’s lives and make it a little bit easier for that fledgling CISO who may not be getting the attention or resources he or she needs.
S+B: What kind of advice would you have for that person?
FARSHCHI: I spend a lot of time coaching and guiding my peers—CISOs, soon-to-be CISOs, aspiring CISOs, security pros—who reach out to me. And while I dedicate as much time as I can to them, these conversations absolutely help me, too. I certainly still need guidance and want to find better, more effective ways to do things.
One thing that comes up all the time is how hard it is for security professionals to keep up with the pace of change, and all the digital transformation happening. And it is hard—it’s hard for me, too. But the saving grace to it all as it relates to security is that if you do the fundamental things, the basics—if you’re patching your systems, keeping your certificates up to date, making sure you’re managing your credentials—these basic, basic things will stop 99.9% of the stuff out there, period. You don’t necessarily have to be on the bleeding edge to mitigate the vast majority of your risk. You just need to do the basics really well. Do the blocking and tackling, day in and day out, and you’re going to do fine.
Jamil Farshchi is EVP, Chief Information Security Officer at Equifax.