Equifax: They Shoot CISOs – Don’t They?

Sep 29, 2017

Here we are.  The leadership of information security at Equifax has unceremoniously been cashiered.  Walked out the door.  Banned to the hinterlands.  That takes care of that, right?

Not in the least. Equifax has lost several billion dollars in market value in the last week. Some suggest that Equifax will have to enter bankruptcy and could disappear as a company. How could the company think firing a couple of people is even the first step to solving the problem? While there is plenty of time for the chopping-block discussion, I’d like to examine what in the world happened and how it might have been prevented.

We haven’t learned from other business failures

There is no comparable total failure in the cyber world, yet there are many other equally significant business disasters from which we can learn. The strongest comparison is manufacturing quality. More than one company has failed because of faulty products due to quality breakdowns. The recent Takata air bag debacle is a shining example of manufacturing failure. What did we learn? There was a breakdown in quality that could have been prevented by a top-down culture of quality. Perhaps the most significant quality proponent in U.S. business was W. Edwards Deming, who became the world’s leader in advocating that companies build quality into products. Deming put forth one of the most significant propositions in business in the last century, one that still stands today – Total Quality Management.

Deming’s teachings (The New Economics, The 14 Points for Management) led to the development of a quality management movement in manufacturing that we still see today. His primary lesson is not to rely on inspection at the endpoint or criticism of the end product; rather, manufacturers need to create a culture of quality within the organization that starts at the very beginning of production. Design for quality, then build a culture that insists every person in the enterprise be conscious of and responsible for quality.

The factory worker on the Takata production line not only had the right to halt the entire line, but also had the responsibility to halt production and to bring the issue to the attention of management. Every employee was responsible for the quality of the product from inception and design to delivery. The Japanese automobile industry might be one of the best examples of the embodiment of this phenomenon. The rapid growth in worldwide market share of its auto industry is an example of the power of a quality culture. Their understanding of quality is that quality is not a part of the company culture; it is the company culture. The Takata disaster is proof of how a lapse in this culture can bring a company down.

Equifax wasn’t a cultural lapse – there was no cyber culture

How does Takata compare to the Equifax breach and the firing of two employees? There had to be scores of Equifax employees who were aware that there was a serious cyber flaw in the Apache web platform. The flaw was known, and the patch for that flaw had been available for months, yet no one took action. In fact, we now know there was not one but two breaches by the same group, who took advantage of Equifax’s lack of good procedures and processes. This begins to resemble the Target breach and its failure to patch, doesn’t it? How is it possible that a fatal flaw existed and yet no one “stopped the production line”?

This happened because there is a lack of cyber-conscious culture at Equifax. Yes, it’s cultural. This isn’t a discussion on page 23 of the employee handbook, but a top-down, highly functioning awareness of the need to protect precious data: the personal information of almost every adult and every household in the United States. This moral and ethical breach is so great that it defies the imagination, and yet, culturally, there was no imperative to “stop production.”

It seems a catastrophic event must occur to gain the attention of company leaders. Something with unthinkable consequences must happen to get action from the top. The military has learned its lesson: if you walk the halls of any military facility, you will be assaulted with messaging on every wall and door about security. “Loose lips sink ships.” “Lock your files.” Security breaches of critical information, not the stuff of spies but rather garden-variety security lapses, created substantial threats to our national security. So national leaders began to develop a security awareness, or a security culture, amongst all members of their teams. In the manufacturing business, every shop floor has constant reminders about safety. “Walk between the lines.” “Use eye protection.” What is this, if not a safety culture? Each time culture becomes the focus, risks are averted and behavior changes for the better.

What’s the solution?

The NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) recognizes a nationwide lack of cyber-conscious culture and attempts to stem cyber breaches and to protect people, our economy, and even our country. The NIST CSF has three primary foci: the technology of protection, the risk associated with third parties and vendors, and the RISK CULTURE of the company. Yes, that’s right: three years ago, the NIST CSF began to emphasize culture as one of the three most significant assessments in the Cybersecurity Framework. Today, many organizations have implemented cyber cultures in their organizations and are using the NIST CSF to understand and manage their cyber risk.

Every company has to come to grips with and embrace a cyber risk culture in today’s world. Every CEO and board member should immediately begin to think about the ‘total quality’ comparison to his or her company’s cyber risk culture. No reasonable leader can avoid the discussion of a cyber-conscious culture. Every leader needs to believe in and know exactly what their policy, procedure and people rules are for cyber risk. Every employee, vendor and contractor must be responsible for cyber security. Management, beginning with the board and CEO, must begin to build an environment that gives cyber risk proper attention, and they must support the team members who take protection against cyber risk seriously.

“What should be the aim of management? What is their job? Quality is the responsibility of the top people. Its origin is in the boardroom. They are the ones who decide.” – W. Edwards Deming

So how can companies achieve a cyber-conscious culture? The CEO and board must lead the cultural shift through the entire organization, establishing that cyber security is everyone’s responsibility. The strongest cybersecurity methods include programs around three things: people, process and policy. Training all employees, formalizing and applying policy and practice consistently, and requiring vendors and service companies to adhere to your cyber policy are key. Addressing cybersecurity in a structured way mitigates cyber risk. By increasing risk management effectiveness, creating a broader cyber-conscious culture, and managing partner and vendor risk, organizations will improve not only security, but operational excellence as well. Finally, use the NIST CSF methodology, as it is the compendium of best practices and the gold standard for cyber resiliency.

It’s time CEOs and board members woke up to the fact that it is a new world. Every company in America is at cyber risk. Every executive and board member is at personal risk for not taking cyber risk governance seriously. The release of personal information is only the tip of the iceberg. Cyber crime and ransomware attacks can affect every business. Every business must deploy perimeter defenses, virus screens and other technologies, but if we fail to build a top-down cyber-conscious culture inside the company, we won’t be able to defend our companies.
