Q&A: Equifax CISO & CTO Shares Insights with Australian Cybersecurity Leaders
Equifax is committed to transparency in cybersecurity, and we share this approach in forums across the globe. Equifax Chief Information Security Officer and Chief Technology Officer Jamil Farshchi recently spoke at the Security Edge conference in Sydney, Australia, hosted by ADAPT, a leading IT research and advisory firm.
There, he shared insights with more than 140 of the region’s leading Chief Information Security Officers (CISOs) from both the private sector and government organizations. Collectively, the leaders in attendance were responsible for protecting over 20% of Australia's GDP.
Watch the full interview or read the highlights below.
Q: As you know, we had two major cyber attacks here in 2022. Do you think Australian organizations are equipped at the level that is required to deal with cyber threats?
A: The root causes of those incidents are foundational. But here's the thing. We all consistently talk about how it's just the foundational stuff. “It's just certificate management; it's just patching; it's just identity and access management. Just do the right thing.”
The number of things that an organization has to do that fall under that “foundational” category is immense, though. And to be able to do it on a consistent basis is extraordinarily difficult. We do a disservice by making it sound like it's just easy, basic stuff like, “oh, this is cyber 101.” If companies can avoid trivializing and underestimating the basics, they’ll end up in a much better place.
Q: You're advocating for CISOs and their teams to embrace transparency. Why is this necessary in today's global cyber landscape?
A: Because nobody can win on an island. Equifax alone can't stop entire nation states. But if we have all of you with us, if we get intelligence from the government, if we get best practices from your businesses’ cyber programs, we have a fair chance. So I think transparency and partnership are critical.
Q: Many CISOs fear discussing attacks and their learnings from them. They’re understandably concerned about attention from customers, competitors and the media. What advice do you have for CISOs grappling with this fear?
A: There's this notion that, “If I keep everything under lock and key, nobody's gonna know about it, and therefore I'm gonna reduce my risk.” But here's the news flash for you: Everyone probably knows anyway. It's not that difficult to get intel and understand what your architecture looks like, what your vulnerabilities are, what your gaps are, and who works for you. This stuff isn't a secret. So taking the “security by obscurity” approach inhibits your ability to take advantage of relationships.
At Equifax, for example, we've released our security annual report for four consecutive years. It has propelled many of you to share feedback on — and apply lessons from — strategic initiatives and progress around our technology stack, our migration to the cloud and the security controls we've put in place. We haven’t seen any negative repercussions of that transparency and partnership. But we’ve seen a lot of benefits.
Q: Have you ever faced repercussions due to your transparency being misinterpreted or taken out of context?
A: No. Across the board people recognize that we're putting our best foot forward. There's not that much downside to being transparent. Your biggest hurdle isn't external. It’s getting support from your general counsel, CEO and whomever else internally, because they're going to be naturally uncomfortable with it at first.
Q: You've expressed concerns about the risks posed by generative AI tools, particularly regarding social engineering. Can you elaborate on these risks?
A: First, let me say I believe the benefits of AI can outweigh the cyber risks it introduces. But here are the two main risks:
Deepfakes — an employee of a company in Hong Kong was recently duped into joining a meeting with other supposed executives from his own company. It looked like everyone on the call was a person he worked with. So he authorized the $25 million wire transfer to them. It turns out all three of those “people” were AI avatars fashioned by hackers.
Basic phishing — right now, it takes an army of hackers and time to be able to profile out an entire workforce and then create targeted messages tricking them into downloading malware. AI speeds that up. Plus, it makes it easier for them to create the malware itself. And the campaigns will be more sophisticated and harder to spot.
Q: How are you adjusting your program to address new challenges posed by AI?
A: Training and awareness are important, but they’re not a holistic solution. Neither is “fighting fire with fire” through AI tools. Identities are going to be cloned with unprecedented accuracy. So we’re implementing technology that allows us to verify users directly. For example, we’ve eliminated knowledge-based authentication for verifying helpdesk calls, replacing it with biometric verification.
Q: Now tell us about how you think AI will help improve cybersecurity.
A: AI has the potential to massively improve the alert fatigue security teams all deal with. Imagine the dream scenario of being able to tie together all the pieces and parts from all the data that we get — in a constructive, thoughtful way that lets us pinpoint and prioritize exactly where the risks are. Just imagine how powerful that will be for us.
For more information on how we approach cybersecurity at Equifax, check out our 2023 Security Annual Report.