Equifax a study in recovery.

In 2017 Equifax experienced one of the largest breaches in history – it was one of those events that even your parents and non-IT friends called you about.

The cost to Equifax was enormous – (upgrading and transforming their technology infrastructure and improve the application, network, [and] data security was around 1.4 Billion USD.

This is not considering the impact of reputation and customer losses..  however, it didn’t stop there in July 2019 the company reached a record-breaking settlement with the FTC, which wrapped up an ongoing class-action lawsuit and will require Equifax to spend at least $1.38 billion to resolve consumer claims.

The Equifax breach has become the benchmark most technology vendors use as part of their ROI (Return on Investment) when proposing new solutions to businesses.

4 years on and Equifax announced the Highest ever quarterly revenue of $1.2 billion, up a record 27%; the fifth consecutive quarter of double-digit revenue growth in Q1 of 2021.

How does a company that got a lot of things wrong turn this around to get so many things right?

In a recent interview with Jamil Farshchi  (https://www.computerweekly.com/news/252480263/Interview-Jamil-Farshchi-CISO-Equifax )

Jamil at a high level focused on changing the culture of Equifax;  Jamil mentions “The number one focus that we have had since day one of the transformations is rebuilding the culture and focus on tying security into the DNA of the organization,”.

“If you look at the majority of security breaches and the issues organisations have today, organisations focus on the security technologies and things like that, but the reality is if you are able to get the culture piece right then you will put yourself in the best possible position.”

But investment in the latest technology infrastructure alongside security is vital for the simple reason that “you can’t have good security if you don’t have good technology”, he says.

“Our view is that the cloud offers the opportunity to be more secure if it is done correctly”

“If you look at security breaches historically, 99% of them are due to a combination of factors. This includes things like asset management, certificate management, and configuration challenges, as well as patching,” adds Farshchi.

“In the modern-day, these things are shared responsibilities across organisations. Unless you have a strong infrastructure with great people in the technology and security teams, then you just won’t be successful. This is one of the things we identified early on so we had a large investment in both sides.”

So what does the future look like for Equifax – the direction continues to build customer confidence; the new direction is to be able to present Equifax clients with their own digital cyber posture regarding their instance with Equifax.

This is where cloud computing came in. One of the key parts of its technology transformation is the plan to become a cloud-first company. “We are migrating a vast amount of our infrastructure to the public cloud,” says Farshchi.

This is breaking the mold for many big businesses and might be considered a surprising move for a company that suffered a huge breach. “We find that a lot of organisations are quite reticent to adopt the cloud, in some cases because of security concerns,” says Farshchi.

Equifax is investing over $1.25 billion in a bid to transform itself into a leader in data security, roping in cloud control, compliance, and management player C3M to drive its strategy.

“Security is of paramount importance to us,” said Jamil Farshchi, Chief Information Security Officer at Equifax. A key part of Equifax’s transformation is to be cloud-first. “While some organisations are concerned about the risks the cloud presents, we believe that the cloud provides an opportunity to be even more secure than legacy on-premises environments,” Farshchi told BusinessLine (https://www.thehindubusinessline.com/info-tech/credit-bureau-firm-equifax-invests-125-billion-in-cloud-first-strategy)

The C3M product provides Equifax with the ability in the cloud to have real-time monitoring of security assets.

“I can have continuous monitoring and validation of over 100 different security controls in the cloud,” says Farshchi. “This means I do not have to rely on one data point, such as an asset management system or a vulnerability management system, I can use these data points and overlay them with the level of assurance I get from a tool which gives us visibility across our entire control estate to ensure we are operating effectively and within the bounds of our requirements.”

Equifax’s work with C3M is not the only example of how it works closely with suppliers to collaborate through a co-innovation approach. “We do this with a variety of suppliers,” says Farshchi.

This approach helps Equifax develop functionality that meets its requirements and helps the supplier add to its product portfolio. “For example, we told C3M that having real-time visibility of our tools is great, but if we want to go to the next level we need to do things like being able to tell our customers of the status of the security assets protecting all the products and services they buy from us.

“This gives us the ability to give them instantaneous insight into the security of the assets they leverage and makes it extraordinarily easy, via one click, to provide insight. This builds confidence on their side and helps us manage resources,” he says.