Equifax Gets a New CISO




"Hire someone who can give us the cybersecurity savvy we desperately require. Stop getting breached. Show investors and regulators we can protect our assets."


Anyone helping Atlanta-based credit bureau Equifax craft its most recent New Year's resolutions would have done well to help it focus on overhauling its information security practices, procedures and people. Indeed, the data breach that began at Equifax last March, and which the company discovered months later, rates as one of the worst in history, with personal details for 145.5 million U.S. consumers - as well as others in Britain and Canada - having been stolen. Equifax continues to face investigations by Congress, the Justice Department, the U.S. Federal Trade Commission, regulators in Britain and Canada, as well as multiple consumer lawsuits seeking class action status (see Equifax Confirms 'Probable' Breached Data Was Indeed Stolen).


Good news: The firm on Monday announced that it has hired a steady CISO hand to help with its cybersecurity overhaul: Jamil Farshchi.


"We are pleased to welcome Jamil to our team and confident that he possesses the talent and skill set needed to continue our journey toward developing industry-leading security practices and, ultimately, to help us regain trust with consumers and customers," Paulino do Rego Barros Jr., Equifax's interim CEO, says in a statement. "Jamil has a reputation for helping enterprises rebuild and fortify information security programs."


Indeed, Farshchi has a track record for helping companies that not only need to sharpen their cybersecurity practices but prove to investors that they're doing so. He arrives from Home Depot, which he joined in 2015 just months after the retailer suffered a malware attack against point-of-sale systems in more than 2,100 U.S. and Canadian stores that led to 56 million credit and debit cards being stolen.


Data Breaches Cost


Data breaches rarely put companies out of business. Studies have also confirmed that few, if any, businesses suffer long-term stock price repercussions.


But bad data breaches are often a symptom of organizations with inadequate information security policies and procedures. Breaches can also be bad for reputations and have at least a short-term impact on the bottom line.


Home Depot in 2014 reported breach-related expenses of $63 million, of which $30 million was covered by insurance payments, the Wall Street Journal reported at the time. The company also faced lawsuits claiming it had failed to address known vulnerabilities in the system for several years, despite numerous warnings (see Court Clears Way for Banks' Home Depot Suit to Proceed).


Big, bad data breaches are often bad for careers. Before Monday, Equifax's CISO position was vacant. In fact, after the data broker issued its first security alert about its massive data breach last September, its CIO, CSO as well as CEO quickly "retired."


Life After Home Depot


Enter Farshchi. During his nearly two-year tenure at Home Depot, he built "a world-class information security capability which is tailored to support the complexities of the modern retail business; strategically emphasizing risk intelligence, data devaluation and rapid response," his LinkedIn profile boasts.


Home Depot in 2015 had hired Farshchi away from his role as CISO of Time Warner, where he had created a federated, risk-based security program, according to his LinkedIn profile. Before that, he worked as vice president of global information security for Visa and CISO of Los Alamos, among other roles.


At Equifax, Farshchi will report directly to the CEO.


"Equifax is a company with tremendous potential, and I am confident that we will transform our security program into one of the most advanced and recognized globally," he says in a statement. "I am grateful for this new challenge and am looking forward to enabling the business with new insights, a fresh perspective, and a multi-dimensional way of thinking about global data stewardship and information security."


Equifax's 2018 is off to a good information security start. Let's hope it continues.