WEBVTT

1
00:00:00.330 --> 00:00:02.760
Tom Field: Hi there. I'm Tom Field. I'm senior vice president

2
00:00:02.760 --> 00:00:05.640
at editorial with Information Security Media Group. Talking

3
00:00:05.640 --> 00:00:08.430
about the new era of cybersecurity, here to talk

4
00:00:08.430 --> 00:00:11.310
about it with me is Jamil Farshchi, executive vice

5
00:00:11.310 --> 00:00:14.580
president and CISO with Equifax. Jamil, it's a pleasure to have a

6
00:00:14.580 --> 00:00:15.780
chance to catch up with you again.

7
00:00:15.810 --> 00:00:17.010
Jamil Farshchi: It is great to be here.

8
00:00:17.190 --> 00:00:18.690
Tom Field: Now I know you get asked this question all the

9
00:00:18.690 --> 00:00:21.000
time, you're sick of answering it. It's been six years now,

10
00:00:21.000 --> 00:00:26.640
right? Six years since the event. Tell me about this. I

11
00:00:26.640 --> 00:00:29.790
know that you have been very transparent in the work that

12
00:00:29.790 --> 00:00:33.390
you've done since you joined Equifax. How is cybersecurity at

13
00:00:33.420 --> 00:00:38.280
Equifax most different today than it was at the time of the

14
00:00:38.280 --> 00:00:38.730
event?

15
00:00:39.140 --> 00:00:40.610
Jamil Farshchi: Honestly, there's not much that I can

16
00:00:40.610 --> 00:00:45.920
think of that's the same six years ago. I mean, we've made a

17
00:00:45.920 --> 00:00:48.740
one and a half billion dollar investment, we've hired top-tier

18
00:00:48.830 --> 00:00:51.950
talent, we've incorporated all these new governance structures.

19
00:00:52.640 --> 00:00:56.300
So there's not much, the same at all anymore. I think the one

20
00:00:56.300 --> 00:00:58.310
thing that I would think I'm most proud of, and that we've

21
00:00:58.310 --> 00:01:02.210
really turned the corner on that we didn't do before, is focusing

22
00:01:02.210 --> 00:01:05.420
on partnership and trying to shape the broader security

23
00:01:05.420 --> 00:01:08.810
landscape.
Our work with the federal government, our work

24
00:01:08.810 --> 00:01:11.840
with a lot of our customers and partners, vendors throughout the

25
00:01:11.840 --> 00:01:14.990
ecosystem, it's driven a big change. And I think that that's

26
00:01:14.990 --> 00:01:16.520
probably the most monumental one.

27
00:01:16.800 --> 00:01:18.570
Tom Field: Now, one thing we don't talk about nearly enough

28
00:01:18.570 --> 00:01:24.360
in this six years is half of that has been post COVID. And so

29
00:01:24.390 --> 00:01:28.080
in addition to recovering from the breach, you've had to go

30
00:01:28.080 --> 00:01:32.100
through digital transformation, accelerated cloud migration,

31
00:01:32.460 --> 00:01:36.960
creation of this hybrid workforce. How has all of this

32
00:01:37.110 --> 00:01:39.720
changed you most as a cybersecurity leader?

33
00:01:40.200 --> 00:01:43.890
Jamil Farshchi: Look, there has been first off on COVID, we had

34
00:01:43.890 --> 00:01:46.710
a leg up on that. I know a lot of other organizations had

35
00:01:46.740 --> 00:01:50.280
challenges trying to make that shift. But look, because of the

36
00:01:50.280 --> 00:01:53.010
investments we had made in security, before that, we were

37
00:01:53.010 --> 00:01:56.040
able to really just take it in stride, because we had the

38
00:01:56.040 --> 00:01:59.340
fundamental architecture and we had trained our workforce to be

39
00:01:59.340 --> 00:02:03.210
able to work remotely and to do things remotely and so forth. So

40
00:02:03.240 --> 00:02:07.800
that was fantastic. In terms of things, the things that I would

41
00:02:07.830 --> 00:02:12.870
like the next generation - everything - I mean, look, I am

42
00:02:12.870 --> 00:02:16.320
here today because of all of the mistakes that I've made, I've

43
00:02:16.320 --> 00:02:20.400
done a good job of not repeating most of them.
But for the most

44
00:02:20.400 --> 00:02:25.590
part, it's been a whole host of challenges that I've faced, and

45
00:02:25.590 --> 00:02:27.600
been able to sort of persevere through them based on the

46
00:02:27.600 --> 00:02:31.800
learnings therein; I think the next generation of security

47
00:02:31.800 --> 00:02:36.300
leaders and CISOs. I'm hoping that the work that we, as

48
00:02:36.300 --> 00:02:39.960
leaders in this space, do today will help pave the path so that

49
00:02:39.960 --> 00:02:43.470
they will have it easier than we do so that they can focus on the

50
00:02:43.470 --> 00:02:46.680
actual risk management and being able to bite down that

51
00:02:46.680 --> 00:02:50.010
cyberthreat that we all face today. Instead of dealing with,

52
00:02:50.220 --> 00:02:53.070
"Hey, is security important? Like do we need to fight to get

53
00:02:53.070 --> 00:02:56.250
a seat at the table?" We want our voices heard. Those are many

54
00:02:56.250 --> 00:02:59.460
of the challenges we face, we spend a lot of our time on, that

55
00:02:59.460 --> 00:03:01.320
I'm hoping the next generation doesn't have to.

56
00:03:01.500 --> 00:03:02.970
Tom Field: Have to ask you about some issues. I know we're

57
00:03:02.970 --> 00:03:06.150
important to you. And the first is the new era, as you say, of

58
00:03:06.150 --> 00:03:10.770
cybersecurity. What's the new value of collaboration now

59
00:03:10.800 --> 00:03:13.680
between the public and the private sector? Is that

60
00:03:13.680 --> 00:03:15.300
something you've talked about a lot publicly?

61
00:03:15.570 --> 00:03:20.040
Jamil Farshchi: Yeah, look, we've got empowered nation

62
00:03:20.040 --> 00:03:24.360
states, we've got organized crime attacking U.S. companies on

63
00:03:24.360 --> 00:03:28.110
a regular basis, ransomware, whatever.
And then you look at

64
00:03:28.110 --> 00:03:32.910
some of the stats, weak supply chain security alone accounts

65
00:03:32.910 --> 00:03:37.440
for roughly 50% of the breaches that we have today. I mean, the

66
00:03:37.440 --> 00:03:41.430
threat landscape is all over the place. And so I think that

67
00:03:41.430 --> 00:03:44.280
partnership is essential. And it's why we've leaned in so hard

68
00:03:44.280 --> 00:03:46.830
with a lot of vendors as design partners to be able to help

69
00:03:46.860 --> 00:03:50.550
shape the technology future. It's why we lean in with Cisco

70
00:03:50.550 --> 00:03:53.970
and the FBI to be able to get meaningful threat intelligence

71
00:03:54.090 --> 00:03:57.180
to help protect us, but at the same time, to be able to allow

72
00:03:57.180 --> 00:04:00.810
them to disseminate that to help protect our partners. And so I

73
00:04:00.810 --> 00:04:03.600
think that we're in a place today where we absolutely have

74
00:04:03.600 --> 00:04:07.110
to do it. And I'll give you one really good example. If you

75
00:04:07.110 --> 00:04:10.050
think about things like quantum computing, the quantum bread is

76
00:04:10.050 --> 00:04:12.090
going to - whether you think it's going to be in five years

77
00:04:12.090 --> 00:04:15.990
or seven years or 10 years, it's going to come. And when you look

78
00:04:15.990 --> 00:04:19.290
at how prepared, our preparedness today, we're just

79
00:04:19.290 --> 00:04:22.770
not there. To solve for it, you need to have the government come

80
00:04:22.770 --> 00:04:27.240
up with quantum proof standards, you need to have the vendor

81
00:04:27.240 --> 00:04:30.660
community develop technologies that actually support it. We as

82
00:04:30.660 --> 00:04:32.820
organizations need to invest heavily to be able to

83
00:04:32.820 --> 00:04:37.440
rearchitect and reinvest in our infrastructures. But even more

84
00:04:37.440 --> 00:04:40.080
than that, I could do all of those three things.
But unless

85
00:04:40.110 --> 00:04:43.290
every single other party within that ecosystem actually does the

86
00:04:43.290 --> 00:04:46.680
same thing. We are not going to be prepared. I can't communicate

87
00:04:46.710 --> 00:04:49.590
through crypto with another organization unless they also

88
00:04:49.590 --> 00:04:51.840
make those investments themselves. So I don't think

89
00:04:51.840 --> 00:04:55.140
it's any more about a situation about, "Hey, it's good to

90
00:04:55.140 --> 00:04:58.800
partner, we should do this." It's going to put us in a better

91
00:04:58.800 --> 00:05:02.700
position. I think the key is we have to do it if we want to win

92
00:05:02.730 --> 00:05:03.360
in the future.

93
00:05:03.600 --> 00:05:06.240
Tom Field: Now talk to me about what you call the new era of

94
00:05:06.240 --> 00:05:10.890
cybersecurity disclosure. You're speaking about this. How do you

95
00:05:10.890 --> 00:05:13.830
feel about the new demands for transparency?

96
00:05:14.490 --> 00:05:18.120
Jamil Farshchi: Look, Tom, there's a lot of consternation

97
00:05:18.150 --> 00:05:22.410
around these new demands and the level of rigor that goes along

98
00:05:22.410 --> 00:05:25.500
with them. I mentioned a second ago, all the investments and

99
00:05:25.500 --> 00:05:28.980
stuff that we've done at Equifax, because of what we have

100
00:05:28.980 --> 00:05:31.770
done over the last six years, we meet virtually all of the

101
00:05:31.770 --> 00:05:34.470
requirements that are coming down the pipeline already that

102
00:05:34.470 --> 00:05:39.000
have been proposed, you know, some new form that I have to

103
00:05:39.000 --> 00:05:42.300
attest to, or whatever, we did that, but the beauty of it is,

104
00:05:42.690 --> 00:05:45.360
out of that one and a half billion plus that we've spent

105
00:05:45.450 --> 00:05:49.260
virtually none of it, maybe a tiny rounding error would be

106
00:05:49.290 --> 00:05:52.470
applied toward this particular problem.
We just did it because

107
00:05:52.470 --> 00:05:55.110
it was the right thing to do. And the level of effort that it

108
00:05:55.110 --> 00:05:59.700
takes for us to consistently do it is virtually none. So I think

109
00:05:59.700 --> 00:06:05.340
a lot of the fear mongering around this issue is unfounded.

110
00:06:05.370 --> 00:06:08.670
I think once organizations do it, it's not that difficult. It

111
00:06:08.670 --> 00:06:11.580
doesn't put you in a tough place. And let's be honest, just

112
00:06:11.580 --> 00:06:14.400
transparency hurt. I mean, as it as an investor community, if

113
00:06:14.400 --> 00:06:18.060
you're a shareholder, if you're a customer, if you're if an

114
00:06:18.060 --> 00:06:21.240
American citizen, anything like it is useful to be able to have

115
00:06:21.240 --> 00:06:23.820
that information. And so I think it's a great thing to do.

116
00:06:24.120 --> 00:06:26.190
Tom Field: Want to ask you about risks. I know you co-chair the

117
00:06:26.190 --> 00:06:29.580
working group that produced the new Bipartisan Policy Center

118
00:06:29.580 --> 00:06:34.020
report on top cybersecurity risks in 2023. Two questions:

119
00:06:34.080 --> 00:06:35.880
What stands out? What surprised you?

120
00:06:37.460 --> 00:06:40.910
Jamil Farshchi: I'll give you one answer. We went through this

121
00:06:40.910 --> 00:06:44.390
thing. And I remember when we first started, we were all in

122
00:06:44.390 --> 00:06:47.390
it. This is, I mean, we've got some top minds in cybersecurity

123
00:06:47.390 --> 00:06:50.900
within this suite of sitting congressmen in there as well,

124
00:06:50.900 --> 00:06:54.290
synergies and stuff, too. We were all sitting there thinking

125
00:06:54.290 --> 00:06:57.500
when we started, we're going to come up with all of these novel

126
00:06:57.500 --> 00:07:01.070
threats and blow everyone away. We got to the last meeting, I

127
00:07:01.070 --> 00:07:04.820
remember.
And there was one person - I won't name who it was

128
00:07:04.820 --> 00:07:08.930
- he was a prominent CISO who looked at, reviewed it and it

129
00:07:08.930 --> 00:07:11.900
was like, "Man, he's like, do we need to change something

130
00:07:11.990 --> 00:07:13.970
here? Because this is all the same stuff that everybody

131
00:07:13.970 --> 00:07:17.840
already knows." And that was the takeaway, honestly, you know, we

132
00:07:17.840 --> 00:07:20.000
obviously kept it the way it was, because that's what we

133
00:07:20.000 --> 00:07:23.180
fundamentally believe were the greatest risks. But the takeaway

134
00:07:23.180 --> 00:07:27.320
was we've dealt with the same problems. I used to work here in

135
00:07:27.320 --> 00:07:29.690
San Francisco when I worked at Visa, this was over a decade

136
00:07:29.690 --> 00:07:33.290
ago, the same things that we have on our list from top risks

137
00:07:33.290 --> 00:07:36.890
for 2023 were the same things we were battling, you know, 10

138
00:07:36.920 --> 00:07:41.570
years ago. And I think it should be a call to action for our

139
00:07:41.570 --> 00:07:44.750
industry. We've got to make these changes. Because what

140
00:07:44.750 --> 00:07:48.680
we're seeing today, all the carnage out, company after

141
00:07:48.680 --> 00:07:51.410
company getting breached, it's because we aren't tackling these

142
00:07:51.410 --> 00:07:52.310
fundamental issues.

143
00:07:52.760 --> 00:07:54.500
Tom Field: That ties into my next question. It's about the

144
00:07:54.500 --> 00:07:57.860
value of communication. Here, your words come back to you. You

145
00:07:57.860 --> 00:08:01.310
said recently that communication is the one thing if you could

146
00:08:01.490 --> 00:08:04.520
snap your finger and fix. So my question is what's broken?

147
00:08:05.030 --> 00:08:08.210
What's the impact of this being broken? How can it be fixed?


148
00:08:08.930 --> 00:08:11.420
Jamil Farshchi: The most common challenges that as a CISO that

149
00:08:11.420 --> 00:08:14.870
we face are, I need a seat at the table, I want to be able to

150
00:08:14.870 --> 00:08:17.600
talk to my board more than 15 minutes for, you know, over the

151
00:08:17.600 --> 00:08:21.350
course of a year. I need technology to be able to do

152
00:08:21.350 --> 00:08:25.520
something they won't patch or whatever it might be. My own

153
00:08:25.520 --> 00:08:28.310
team complains I don't have a cogent strategy, like they don't

154
00:08:28.310 --> 00:08:32.600
know which direction we're going. All of these problems

155
00:08:32.600 --> 00:08:36.560
have one root cause, our ability to communicate, our ability to

156
00:08:36.560 --> 00:08:40.070
be able to drive that narrative that ultimately drives some sort

157
00:08:40.070 --> 00:08:43.310
of action, and makes it important enough that people are

158
00:08:43.310 --> 00:08:46.340
going to prioritize it above the bevy of other things that are

159
00:08:46.340 --> 00:08:50.270
out there. And I think that, as a security practitioner, myself

160
00:08:50.270 --> 00:08:53.420
coming up through the ranks, you know, when you get evaluated at

161
00:08:53.420 --> 00:08:55.850
the end of the year, for who's the top performers, who's a

162
00:08:55.850 --> 00:08:59.720
hypo, you typically look at, "Hey, who's got this degree,

163
00:08:59.720 --> 00:09:02.840
who's great at, you know, packet analysis, who's great at this

164
00:09:02.870 --> 00:09:06.770
architecture infrastructure." The one person who's like, oh,

165
00:09:06.770 --> 00:09:08.870
man, he's great at communications, that person

166
00:09:08.870 --> 00:09:12.740
never gets the promotion.
And so we find ourselves today where

167
00:09:12.740 --> 00:09:15.320
security has continued to increase in terms of its

168
00:09:15.320 --> 00:09:18.830
prominence, and its visibility within companies, within boards

169
00:09:18.830 --> 00:09:23.210
and so forth. And yet, we've got a group of leaders in this space

170
00:09:23.270 --> 00:09:26.390
who haven't really been ever been challenged, ever been

171
00:09:26.390 --> 00:09:29.420
pushed to be good communicators. And so I think

172
00:09:29.420 --> 00:09:32.540
that that ultimately ends up being one of the root causes to

173
00:09:32.570 --> 00:09:35.270
many of the challenges that we face. And if we can solve for

174
00:09:35.270 --> 00:09:38.180
it, even improve it. I think it puts us all in a much better

175
00:09:38.180 --> 00:09:38.720
position.

176
00:09:39.020 --> 00:09:42.350
Tom Field: Talking about the next generation of cybersecurity

177
00:09:42.350 --> 00:09:44.780
leaders, the people that are going to succeed you. What do

178
00:09:44.780 --> 00:09:47.300
they need to do differently and bring to the table differently

179
00:09:47.300 --> 00:09:48.230
even than what you've done?

180
00:09:48.780 --> 00:09:50.940
Jamil Farshchi: Well, I hope it just continues down the path. I

181
00:09:50.940 --> 00:09:54.360
don't see some major left-hand or right-hand turn in terms of

182
00:09:54.360 --> 00:09:56.610
what their skill sets are and what they need to bring to the

183
00:09:56.610 --> 00:09:59.760
table. What I hope is that they can watch what we're doing

184
00:09:59.760 --> 00:10:02.400
today, and some of the hurdles that we're jumping over and some

185
00:10:02.400 --> 00:10:04.590
of the things that are tripping us up, and they're able to

186
00:10:04.590 --> 00:10:09.030
consistently evolve.
I continue to believe that adaptability is

187
00:10:09.030 --> 00:10:11.430
the number one skill, like, you know, even outside of

188
00:10:11.430 --> 00:10:15.090
communication for our role, things are changing at lightning

189
00:10:15.090 --> 00:10:17.400
pace. If I look at the field today and what we're doing

190
00:10:17.400 --> 00:10:20.310
today, in my role today, compared to what it was back

191
00:10:20.820 --> 00:10:22.980
when I was at Visa or whatever, when I started, it's

192
00:10:22.980 --> 00:10:26.070
monumentally different and so I think just continuing to evolve

193
00:10:26.280 --> 00:10:29.340
and do the best they can to fight the good fight.

194
00:10:29.760 --> 00:10:31.470
Tom Field: Glad we had the opportunity to sit down and talk

195
00:10:31.470 --> 00:10:32.370
to you, man. Thank you very much.

196
00:10:32.400 --> 00:10:33.360
Jamil Farshchi: Thank you. I appreciate it.

197
00:10:33.750 --> 00:10:36.060
Tom Field: We were talking with Jamil Farshchi, he is the EVP

198
00:10:36.060 --> 00:10:39.060
and CISO with Equifax. For Information Security Media

199
00:10:39.060 --> 00:10:41.940
Group, I'm Tom Field. Thank you for giving us your time and your

200
00:10:41.940 --> 00:10:42.420
attention.