A Note from Equifax CISO Jamil Farshchi on the release of Equifax's inaugural Security Annual Report
The cyber attacks we’re seeing today are unprecedented.
This past year, we witnessed scores of ransomware attacks on hospitals, police departments, schools, and city governments. In electoral battleground states like Pennsylvania and Florida, foreign actors conducted email campaigns to intimidate voters and incite social unrest ahead of the 2020 US presidential election.
As we grappled with COVID-19, state-sponsored adversaries broke into the computer systems of pharmaceutical companies and research universities intending to steal coronavirus vaccine data.
Then came the SolarWinds breach. Sophisticated nation-state actors infiltrated vast segments of business and national security by exploiting an under-the-radar supplier. Just weeks later, we learned that Microsoft Exchange Servers used by thousands of organizations and millions of people were hacked.
Cybersecurity is no longer a looming threat; it’s our daily reality. And, as our technology evolves – shifting and accelerating every aspect of our lives – it brings with it a new paradigm of cyber risk. The key here is that the challenges we face in cyber aren’t relegated to large businesses or government agencies. This risk is universal. No matter your age, where you work, or where you live, no one is immune to these threats. We are all on the front lines.
Sunlight is the best disinfectant
Imagine taking your family out to dinner. Approaching the restaurant, you notice a sign on the door that reads, “Health Code Grade: F.” You wouldn’t step another foot forward. No one would. Today, there are no publicly available ratings that show how well companies are doing on security. And yet, we interact with businesses online and in person every day without knowing how safe they really are.
If done properly, creating a common security standard would enable us to hold brands and businesses accountable before it’s too late. It would incentivize them to invest in security and prioritize areas like privacy. And, it would make it easier for all of us – business, government, and the general public – to manage cyber risk.
I believe this type of security data should be public. So that’s exactly what Equifax is doing. In this report, we’re publishing how our company compares to other industries when it comes to security maturity, posture, and awareness – benchmarks that show how well an organization can adapt to cyber threats and manage risk over time. Our scores aren’t perfect, but they are a step in the right direction and one that every organization should follow.
Knowledge drives behavior
Cybersecurity has an education problem. If consumers don’t know how to spot threats, how can they protect their personal information or keep their identities safe? If corporate executives or board members don’t understand cybersecurity, how will threats receive the right level of governance, oversight, and investment? If lawmakers aren’t cyber savvy, how can they enact smarter and stronger cyber policy?
The lack of expertise in cyber hurts every business and government entity. Despite being among the highest-paying jobs, studies suggest that there are 3.5 million unfilled positions in cybersecurity today. If we want to win in cybersecurity, we need the talent. So, whether it’s K-12 or higher education, there needs to be a renewed focus on cybersecurity curriculum in our schools and creating opportunities for more people to gain exposure to the field.
These steps will undoubtedly help us narrow the enormous gender and racial diversity gaps we have in security. Women comprise nearly half of the labor force in the US and nearly 40% worldwide, but in the security field, that number is only 24%. Black security professionals make up only 9% of the US security industry. We won’t succeed if we aren’t able to bring in talent from every corner of our population.
A seat at the table
Despite the fact that 85% of US critical infrastructure is owned by the private sector, business leaders aren’t a part of the cyber conversation at the right levels of government.
One of the consequences of not having a seat at the table: a lack of valuable threat intel. The threat intelligence that cyber professionals get from the government today is typically limited, dated, and oftentimes inactionable. We need a pathway for the government to share with the private sector classified and unclassified information to the greatest extent possible. This intel is essential to national security and would put businesses on far better footing when defending against threats, especially in the heat of battle.
More broadly, the absence of meaningful collaboration leaves our true cybersecurity potential untapped. Much of the innovation and technical know-how resides within the business community. Private sector ingenuity has given us one-click retail and instant connectivity with friends and family. It’s given us safer cars and safer medicine. It’s created countless new jobs, powered millions of small businesses, and catapulted start-ups from college dorm rooms to the floor of the New York Stock Exchange. The examples are endless. We need that level of skill and imagination at the table alongside our leaders in government.
The fundamental act of working together isn’t a silver bullet (spoiler: there is none), but partnership can be a vital tool in upping our capabilities – especially for small or medium-sized businesses who need to lean on the security expertise of others. We can’t win in cybersecurity by operating solely within our own four walls. But, with a collective defense, I believe we can.
Choosing to fight
The reality is that every organization, large or small, is a target for a cyber attack. And, when a breach happens, how you respond matters.
Unfortunately, most companies that are breached will simply fix the issue and move on. This has become the norm, but it doesn’t have to be. Our team chose a different path. Following the cyber attack on Equifax in 2017, we made a commitment to transforming our company’s security from the top down; using our investments and expertise to help protect others; and collaborating with leaders in government and business to make society more secure.
Today’s cyber challenges are unprecedented – and Equifax is ready. Few companies have invested more time and resources into ensuring that consumers' information is protected. But we can’t win this war alone. We need more companies to lean in on cybersecurity. We need more people who are working every day to build better resilience, shape the legislative agenda, and share best practices.
We have the opportunity to usher in a new era of cybersecurity. I hope you will join us in this fight.
To learn more about the Equifax Security transformation, please read our 2020 Security Annual Report.