
Equifax paints itself as a cybersecurity leader now

Nearly three years after its massive breach, Equifax says it has a lot to teach the industry. Will experts buy it?

Bryson Koehler, CTO of Equifax (left), and Jamil Farshchi, chief information security officer at Equifax, at the RSA Conference.


Yes, Equifax wants to talk about cybersecurity.

The credit reporting firm that suffered a colossal data breach in 2017 that exposed personal, sensitive data on 147 million people is making a deliberate effort to be front-and-center at this year's RSA Conference in San Francisco. Executives from the company will be speaking on seven panels, and chief technology officer Bryson Koehler and chief information security officer Jamil Farshchi delivered a joint keynote Monday afternoon.


"We know we've been through something that few other organizations have, and we know we're taking a bold stand in our way of addressing it," Farshchi told Protocol in an interview before the event.

Unlike many of RSA's more than 40,000 attendees, Equifax isn't at the conference exclusively to learn. Instead, the company is pitching itself as a bona fide leader in cybersecurity that others should follow.

"Our goal is to say it's not just us, everyone is dealing with these threats, and the more we can share and the more we can teach you all, the better chance we have of being able to lift all boats in this space," Farshchi said.

Both Farshchi and Bryson Koehler said they're irked by the cybersecurity mistakes they see other companies make. One of them is "toolitis": "the affliction of thinking that buying more tools will solve your problem," said Koehler.

"It happens all the time, it's so frustrating … people love the shiny toys and think whatever new tool is out there — artificial intelligence, blockchain applications — is going to solve all your problems," Farshchi said. "The solutions are staring you right in the face, and it's frustrating because we see so many folks in tech and security that aren't focused on what we think are the fundamentals."

Other common issues they see are companies that bolt cybersecurity solutions onto the organization instead of building them in from the beginning, and a lack of alignment between the cybersecurity team and the rest of the business.

"You'll find in every security organization out there the notion that it's two separate teams with different incentives marching towards different goals, but we ultimately should be striving toward the same thing," Farshchi said.

In addition to calling the company a leader in cybersecurity, the executives said Equifax has "best in class" patching practices and has a goal of making "the world a better, safer, more secure place."

This confidence may come off as puzzling to other professionals, said Ann Cleaveland, executive director of UC Berkeley's Center for Long-Term Cybersecurity. Companies rarely brag about being cybersecurity leaders because "it immediately paints a target on your back," she said.

Additionally, Cleaveland expects that many cybersecurity experts will be skeptical of the company's claims, given its history. "If their efforts now are genuinely about helping the industry learn from what they've learned, good for them," she said. "But a lot of people are going to see it as marketing."

In their Monday keynote, Koehler seemed to expect some doubt, inviting audience members' toughest assessments during a Q&A. But most of the questions were largely technical.

Farshchi and Koehler argue that there are plenty of reasons to take them seriously. Few security teams have dealt with an incident like the one they experienced, so there are a lot of lessons to be learned from the recovery efforts, they say.

Federal prosecutors said earlier this month that Chinese military hackers were behind the breach in 2017 that compromised personal data including names, birth dates and Social Security numbers of 145 million Americans. The hackers were also able to steal driver's license numbers for at least 10 million Americans, and credit card details for 200,000 Americans.

The attackers were able to access the data by exploiting a software vulnerability in Equifax's online dispute portal. A patch for the vulnerability had existed for months, but Equifax did not implement it. A 67-page investigation report from a Senate panel last March blamed the incident on Equifax's negligence.

The company has made huge cybersecurity investments and changes since the breach to reassure shareholders, customers and employees that it won't make the same mistakes twice.

The company has hired about 1,000 technology and cybersecurity specialists since the breach and committed $1.25 billion to security improvements, Farshchi said. The company's leadership has also changed. The company's CEO Richard Smith and several technology chiefs left the company in the weeks after the breach was announced. Both Farshchi and Koehler were hired in 2018, from Home Depot and IBM, respectively. Equifax changed its reporting line so that Farshchi and his team report directly to CEO Mark Begor. They've also focused on making all employees feel responsible for cybersecurity by adding things like security measures that tie into employee bonuses.

Koehler said he's had to dismiss groups and replace about a quarter of his team for not taking security policies seriously. "We've had to break some glass to change and shift," he said.

Farshchi said he hopes that these efforts can serve as an example to the broader cybersecurity industry.

"I can't think of any other company that has been as forward-facing as Equifax has been. …" he said. "The ultimate goal [for us at RSA] isn't a self-serving one. It's really to try to help the security industry and all the companies trying to defend themselves against all the attackers hitting them every day."
