Jamil Farshchi – Evolving Expectations: Lessons from a Post-Breach CISO
Jamil Farshchi is the Chief Information Security Officer (CISO) at Equifax. Named CISO of the Year by CIO Dive during the 2018 Dive Awards, he has a history of successfully helping rebuild brands for companies that have been affected by security breaches.
Farshchi said that the CISO role has changed. “Technology, compliance and operations, which were the key skills that made CISOs back then, have evolved into people and processes, business alignment, and value and risk.
“Many companies are one decision away from dealing with breaches.” Farshchi gave tips on signs of breaches and how to avoid them. When talking about culture, he said, “Breaches can be caused when security lacks efficient influence within the reporting structure and incentives are not aligned to create a sense of shared fate.
“Everyone needs to focus on helping CISOs to do what needs to be done.” He said, “HR can help identify the latest and greatest talent and accelerate their hiring, while the Legal Department can help from a compliance perspective.”
Farshchi cautioned management against focusing on incremental revenue at the expense of risk. He said nothing is funded at Equifax unless it goes through a security review and “risk governance is attained by having a mechanism in place where risk decisions are elevated to higher levels for someone who understands and has accountability for the broad base of the business as a whole.”
He said that the greatest challenge facing security programmes is that they don’t adequately measure success. “We have to be careful about how we measure success so that everyone in the organization can drive towards that measure. Make it an organic process and keep building on it.”
Farshchi stressed having the right talent mix. “When you have a talent mix that is 70 percent administrative skills and 30 percent technological, then you have a problem. You have to have technologists to be able to fight breaches.”
He warned security teams against seeking silver-bullet solutions rather than fundamental controls. “Focus on what you know works and apply it to your environment before you start searching for those silver bullets because most of them typically don’t work.”
He challenged the cybersecurity leaders to “Prioritise ruthlessly by thinking through the variables to the best degree possible and force yourself to do less to do more, while sourcing for the best talent to back your strategy.”
“Be careful not to overhire or make enemies. Don’t generate a culture of ‘No’ as a security organization.” Farshchi advised post-breach CISOs to always be respectful. “Think about the long-term needs and what’s best for the organization as a whole.” He said, “Focus on hiring the key people that you know are going to help you build both your brand and the message you want.”
“Embody transparency with your team and leverage your strategy as a mechanism to minimize uncertainty and accelerate culture change.” He advised the delegates to build and lean on their teams, always viewing them in the macro sense. “View them not as people, but as individuals that you interface with on various roles.”
Farshchi said, “If you look at every single unusual thing as an alert, then it’s going to position your people to continually be vigilant about finding the flaws and fully doing the investigations all the way through. It is a great way to keep people on their toes and ensure that you’re doing the right thing every time.”
- Build a vision. It is going to help rally your team.
- To win, make sure that the talent mix favours the technical folks.
- Focusing on the process is critical.
- The board should be your biggest supporter.
- Practice realistic optimism.