Jamil Farshchi, the Chief Information Security Officer at Equifax, speaking at the BlackHat 2019 conference, told the audience that security practitioners and business people are guilty of losing sight of the perspectives of customers, investors, regulators, and other stakeholders affected by the success or failure of their work.
He argued for a reset that would expand the focus beyond specific items like strengthening controls and obtaining compliance certifications to repairing a widespread loss of trust.
“I figured this out earlier in my career in my first job after college at NASA. After the 2003 Columbia disaster, an internal investigation set out to find the root cause of the explosion that destroyed the craft.
“What they said was at NASA, an accident was inevitable. Think about that: an accident was inevitable.”
Farshchi said the conclusions pointed to problems in NASA’s organizational structure and decision process. This wasn’t an indictment of the lack of specific individual controls so much as it was a searching critique of the prevailing corporate culture at the space agency.
It’s a lesson that every security manager facing a post-mortem would do well to take to heart.
“If you focus just on individual controls that failed, you’re missing the bigger picture,” he said.
“The questions were all fine,” he said. But he nonetheless was left wondering whether they were the right questions.
What Can You Do?
Farshchi said security managers have a uniquely valuable role to play in leading and supporting a company’s ability to maintain trust. Practitioners can start by asking themselves the following questions:
- Is your head of security positioned within the organization in a way that lets them influence the entire enterprise? If you’re just doing security, then you’re bound to fail.
- Does your head of security have regular interaction with the board of directors? That’s an essential prerequisite for CSOs or CISOs to manage up within the organization.
- Are there economic incentives for doing security right? Meaningful economic incentives linked to the performance of your security program will go a long way to improving overall security.
- Do you carry out consistent crisis exercises with the participation of the leadership team as well as the board of directors?
- Has your organization ever delayed or halted a critical enterprise initiative because of security or privacy? If the answer is yes, then you have the right governance process in place and your management has the conviction to actually do something about identifying risks.
Even if an organization fields a mediocre security team, he said, it will be successful if all 5 boxes are checked. The converse is also true: if it fails to embrace those practices, even a company with an excellent security team will fail to drive real change.
“Everyone says that cyber security is important,” Farshchi said. “It’s easy to talk about it. Actually doing something and putting the pieces in place takes effort.”