Think Your Company’s Chief Information Security Officer Is Super Busy?
On a typical day, the chief information security officer at a multinational corporation might deal with a few hundred serious cyberattacks. Jamil Farshchi, CISO at credit bureau giant Equifax, deals with four to five million a day. It’s the difference between occasional skirmishes and nonstop intergalactic warfare.
Farshchi spoke at the recent Information Security Symposium hosted by NSF-ISR, a leading global management systems certification organization. The theme of the symposium was the importance of forming a culture of security within all organizations to protect against increasing cyber threats.
When asked how he manages to deal with the constant onslaught, Farshchi laughed and said, “Well, some nights I don’t get much sleep, and I’ve also lost all my hair.” Equifax Inc. is a major credit reporting firm and collects data on more than 800 million consumers and 88 million businesses worldwide.
The career path Farshchi followed prepared him well for what he faces at Equifax. “I've been in security my entire career,” he says. “With great stops along the way, including protecting nuclear weapons at Los Alamos National Laboratory and handling six to seven trillion dollars’ worth of payments when I was at Visa.
“Then Home Depot brought me in after the mega breach they experienced in 2014, and I helped to rebuild the program there. Most recently, I've been at Equifax. After the 2017 breach we experienced, I helped rebuild our program and position us as a leader in this space. So an interesting career, and I've certainly been on the front lines.”
Being at the forefront has taught Farshchi the value of creating a culture of security within an organization, in addition to having top security talent. “Here at Equifax, we’ve tried to build in both,” he adds. “We uplifted the security talent, hiring about a thousand individuals in the wake of the incident.
“Then we strengthened that with a strong push to build a security-first culture throughout the organization. The combination of those two things really set us up for success. It’s why we’re able to defend against three to four million attacks every single day.”
Listen to Jamil Farschi discuss Equifax’s cybersecurity preparation, and he sounds much like a seasoned NFL coach. “Look, we play like we practice. Organizations often fail to put in the right level of effort practicing for that really dire incident. As a result, when those things occur, you’re not ready for it, and it becomes a hair-on-fire moment.
“I can speak from experience, having been involved with organizations that have dealt with mega security incidents,” Farshchi says. “Things get chaotic very quickly. You have to prepare correctly, and I mean top-to-bottom preparation across the whole organization. It can’t just be just a few internal teams.
“Because when a big thing hits, you need everyone involved. Whether it’s legal, finance or communications, every single unit is going to need to help the organization solve it. Coordinating all of that and having people able to respond effectively is really difficult to build. It only comes with constant preparation.”
With that constant preparation comes a culture of security within an organization. And for Jamil Farshchi, maybe fewer sleepless nights and a bit more hair. Even after all those “hair-on fire” moments.