May 22, 2018

Equifax's new head of cyber enjoys direct line to CEO, board

Illustration: Sarah Grillo/Axios

A year ago, Equifax got hit with a data breach of historic scale: the Social Security numbers for nearly 150 million people. Jamil Farshchi’s job as the credit-rating firm’s new chief information security officer (CISO) is to rebuild Equifax’s defenses.

The state of play: Farshchi says Equifax has “taken a stand” on cybersecurity and is spending whatever it needs to, with "basically...an open checkbook." But key to the turnaround, or to any security regimen, he said, is something any company can do for free: have the CISO report directly to the CEO and the board of directors.

  • Why it matters (to most consumers): Americans who still feel burned by the credit bureau worry this kind of attack might happen again. Any steps the company can take to prevent such a disaster are worth pursuing.
  • Why it matters (to Equifax): The breach spurred talks of regulation on a federal and state level. The firm largely seems to have dodged that bullet for now, but a second breach could bring on more oversight.
  • Why it matters (to other companies): Studies differ, but somewhere around a third or more of CISOs do not report to CEOs or boards of directors. Instead, they report to chief information officers or other executives further down the chain. These firms could consider a reorganization of their own.

He's done this before: Farshchi came aboard Equifax in February. He says reworking the organizational chart happened between the breach and his arrival, after poor organizational structure impacted how the breach was handled. It's his second time righting the ship for a company after a historic breach, after a role at Home Depot in 2015, back when 50 million users still counted as historic.

The pitch: Giving the CISO the ear of the CEO can not only bolster requests for resources and changes to procedure, Farshchi said, but also change a company’s culture. It strengthens how other employees view the importance of security and increases the chance other top executives will seek out a security opinion when making other decisions.

After the fact: Farshchi says a CISO’s role changes dramatically after a breach. “Before a breach, your success is dependent on convincing a people about the value of security. I don’t have to do that."

  • He said he's had broad approval to increase staff, and a big pool of applicants to choose from — adding that many of the most talented candidates are drawn to companies that have awakened to the depth of the problem.

An age-old question: The debate over the CISO’s org-chart standing dates back at least a decade, but the post’s place in corporate hierarchies remains far from a given.

  • Alberto Yépez, managing director of Trident Capital Cybersecurity, described a number of hurdles CISOs face in a blog post last year: CEOs and CISOs "sport substantially different backgrounds, mindsets and business objectives."

Yes, but: That argument represents the conventional wisdom — CISOs get shut out of board rooms because it seems like they speak a different language. Farshchi argues that doesn’t wash. "Legal people speak in jargon," he said. "If there is an inability for a business to understand technology on a high level, it’s incumbent on them to learn it."

Go deeper

Updated 19 mins ago - Politics & Policy

Coronavirus dashboard

Illustration: Sarah Grillo/Axios

  1. Global: Total confirmed cases as of 11:30 p.m. ET: 6,889,889 — Total deaths: 399,642 — Total recoveries — 3,085,326Map.
  2. U.S.: Total confirmed cases as of 11:30 p.m. ET: 1,920,061 — Total deaths: 109,802 — Total recoveries: 500,849 — Total tested: 19,778,873Map.
  3. Public health: Why the pandemic is hitting minorities harder — Coronavirus curve rises in FloridaHow racism threatens the response to the pandemic Some people are drinking and inhaling cleaning products in attempt to fight the virus.
  4. Tech: The pandemic is accelerating next-generation disease diagnostics — Robotics looks to copy software-as-a-service model.
  5. Business: Budgets busted by coronavirus make it harder for cities to address inequality Sports, film production in California to resume June 12 after 3-month hiatus.
  6. Education: Students and teachers flunked remote learning.

George Floyd updates

Protesters in Washington, D.C. on June 6. Photo: Samuel Corum/Getty Images

Tens of thousands of demonstrators are rallying in cities across the U.S. and around the world to protest the killing of George Floyd. Huge crowds have assembled in Washington, D.C., Philadelphia and Chicago for full-day events.

Why it matters: Twelve days of nationwide protest in the U.S. has built pressure for states to make changes on what kind of force law enforcement can use on civilians and prompted officials to review police conduct. A memorial service was held for Floyd in Raeford, North Carolina, near where he was born. Gov. Roy Cooper ordered all flags to fly at half-staff to honor him until sunset.

Updated 3 hours ago - World

In photos: People around the world rally against racism

Despite a ban on large gatherings implemented in response to the coronavirus pandemic, protesters rally against racism in front of the American Embassy in Paris on June 6. Photo: Julien Mattia/Anadolu Agency via Getty Images

Tens of thousands of people have continued to rally in cities across the world against racism and show their support this week for U.S. demonstrators protesting the death in police custody of George Floyd.

Why it matters: The tense situation in the U.S. has brought the discussion of racism and discrimination onto the global stage at a time when most of the world is consumed by the novel coronavirus.