CISO Conversations

Conversation with Jamil Farshchi, Chief Information Security Officer, Equifax

Back to list
Jamil Farshchi, Equifax

Jamil Farshchi

Equifax

Chief Information Security Officer

In this CISO Conversation, the National Technology Security Coalition (NTSC) chats with Jamil Farshchi, Chief Information Security Officer for Equifax. Farshchi talks about the need to combine security and privacy functions under one umbrella, ways to expedite cyber threat intelligence sharing, and why we need a multi-pronged approach to creating more diversity within the cybersecurity industry.


What do you see as the most significant positive steps that government, business, and the security industry have recently made to improve national cybersecurity standards?

While our industry has dramatically evolved over the past 10 years, this past year has accelerated new efforts in cybersecurity. One of the most important efforts of 2020 was the release of the Cyberspace Solarium Commission (CSC) report which included more than 70 recommendations that are mission critical to creating a whole-of-nation approach to cybersecurity. This month, 26 of the recommendations—including establishing a National Cyber Director, mandating continuity of the economy planning, and creating a Biennial National Cyber Exercise—were included in the 2021 National Defense Authorization Act (NDAA) that was recently passed.

At Equifax, we've had direct discussions with Members of Congress, and it’s encouraging and impressive to see the level of depth in their understanding of cyber issues. It gives me hope that this NDAA is just the first step in making some much-needed change.


Privacy has become more of a concern in the U.S. in the wake of various widely publicized data breaches and scandals. How do you think a shift in thinking about national data privacy policy may impact CISOs moving forward?

It's absolutely critical that we pass a federal data privacy law to establish a harmonized set of privacy requirements. Right now, data privacy regulations are still the “Wild West.” We have CCPA, GDPR, and other laws and regulations from specific regions, states, and countries. The status quo is a patchwork of standards that are all over the place. We need a common set of standards at the federal level.

At Equifax, we brought together our privacy and security programs. The Chief Privacy Officer is part of the security team, and we view privacy and security as one and the same. Many of the controls applied from a privacy perspective are the exact same controls applied on the security side. For example, if you compare the NIST Privacy Framework and the NIST Cyber Security Framework, the overlap in the controls is incredible.

As these privacy regulations are put into place over time, we will see a greater and greater convergence of those two functions. This convergence will help us operate more effectively and ultimately do a better job protecting consumer privacy and security.


What are some ways you believe public-private sector cyber threat intelligence sharing can be improved, and what are the obstacles?

At Equifax, we spend a tremendous amount of time building strong relationships with a variety of federal agencies. For example, the FBI has been an outstanding partner. In February 2020, FBI investigators were able to identify the Chinese PLA members who attacked Equifax, and the Department of Justice announced charges against those hackers shortly thereafter. That partnership has continued to evolve. Today, we consistently receive information about threats and they provide us meaningful intelligence.

Congress should establish a Joint Collaborative Environment (JCE) to build on the work that the FBI and other agencies are doing. Right now, there isn’t a mechanism through which those federal agencies can expedite sharing classified and unclassified cyber threat information and other data with the private sector. We know that to stay ahead of our adversaries, we have to collaborate effectively and act quickly. Establishing a JCE is a key step in building a coordinated public-private approach to cybersecurity.


How has the role of the CISO changed over the last 3-5 years? How do you see it changing over the next five years? What do these changes mean for the needed skill sets of a CISO?

Ten years ago, CISOs were still mostly network security engineers or working in related technical areas. Today, the role has evolved to become far more strategic. Security impacts every line of a company’s P&L. We defend the business’s data and IP from bad actors, we implement new technologies to accelerate growth, we advise on risk during M&A, we build stronger ESG (environment, social, and governance) practices, we instill confidence in shareholder investments, and the list goes on and on. Good security is good for the bottom line and that requires a strategic, whole-of-business focused CISO.

The biggest challenge with the role of the CISO changing so fast is that many people in the CISO role came up the ranks as technical security professionals. Now, those people are asked to do things they've never been asked to do before like articulating security risks to the board and driving strategies.

CISOs aren't going to succeed until they equip themselves with the right communication skills and ability to navigate among C-level executives and board members. It’s a challenge for CISOs, but it’s also a great opportunity from a career growth standpoint.


As the security industry wrestles with a worldwide talent shortfall, diversity has emerged as a serious problem for CISOs to address as women and minorities either quickly leave the industry or never become interested in it. What are some ways you believe we can address diversity issues within the security industry?

This question hits close to home because I have a three-year-old daughter. Unfortunately, no simple single-prong solution exists. Looking more broadly than just security, the number of women in STEM is abysmal. We can work toward solving this problem by addressing dynamics related to gender, race, and other types of diversity.

From day one, my team has focused on diversity, and we measure it as one of our core metrics. The benchmark for black men and women in our industry is around 3 percent. On our team, black men and women make up about five times more than that percentage. The benchmark for women is around 24 percent, and we exceed that percentage, too. But even though we exceed the benchmarks, we’re not satisfied. We still need to do more.

For our industry to build stronger, more diverse talent, we need to develop nontraditional paths into cybersecurity. We know that the traditional talent pipelines don’t have the diversity we need. Working with Year Up helps us identify talented young adults and develop them into cybersecurity professionals. We also created an apprenticeship program to attract college students to security and help them develop skills and experience while they’re still in school.

All of our efforts start with making sure that we are setting the right expectations before job descriptions are written and interviews are held. This is exactly how we begin to welcome candidates with nontraditional academic and professional backgrounds into our ranks at every level: entry, mid, and senior. Once they join, coach ‘em up!