People

Equifax paints itself as a cybersecurity leader now

Nearly three years after its massive breach, Equifax says it has a lot to teach the industry. Will experts buy it?

Bryson Koehler, CTO of Equifax (left), and Jamil Farshchi, chief Information security officer at Equifax at the RSA Conference

Equifax is pitching itself as a bonafide leader in cybersecurity that others should follow.

Photo: Courtesy of Equifax

Yes, Equifax wants to talk about cybersecurity.

The credit reporting firm that suffered a colossal data breach in 2017 that exposed personal, sensitive data on 147 million people is making a deliberate effort to be front-and-center at this year's RSA conference in San Francisco. Executives from the company will be speaking on seven panels, and chief technology officer Bryson Koehler and chief information security officer Jamil Farshchi, delivered a joint keynote Monday afternoon.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

"We know we've been through something that few other organizations have, and we know we're taking a bold stand in our way of addressing it," Farshchi told Protocol in an interview before the event.

Unlike many of RSA's more than 40,000 attendees, Equifax isn't at the conference exclusively to learn. Instead, the company is pitching itself as a bonafide leader in cybersecurity that others should follow.

"Our goal is to say it's not just us, everyone is dealing with these threats, and the more we can share and the more we can teach you all, the better chance we have of being able to lift all boats in this space," Farshchi said.

Both Farshchi and Bryson Koehler said they're irked by the cybersecurity mistakes they see other companies make. One of them is "toolitis": the affliction of thinking that buying more tools will solve your problem," said Koehler.

"It happens all the time, it's so frustrating … people love the shiny toys and think whatever new tool is out there — artificial intelligence, blockchain applications — is going to solve all your problems," Farshchi said. "The solutions are staring you right in the face, and it's frustrating because we see so many folks in tech and security that aren't focused on what we think are the fundamentals."

Other common issues they see are companies that bolt cybersecurity solutions onto the organization instead of building them in from the beginning, and a lack of alignment between the cybersecurity team and the rest of the business.

"You'll find in every security organization out there the notion that it's two separate teams with different incentives marching towards different goals, but we ultimately should be striving toward the same thing," Farshchi said.

In addition to calling the company a leader in cybersecurity, the executives said Equifax has "best in class" patching practices and has a goal of making "the world a better, safer, more secure place"

This confidence may come off as puzzling to other professionals, said Ann Cleaveland, executive director of UC Berkeley's Center for Long-Term Cybersecurity. Companies rarely brag about being cybersecurity leaders because "it immediately paints a target on your back," she said.

Additionally, Cleaveland expects that many cybersecurity experts will be skeptical of the company's claims, given its history. "If their efforts now are genuinely about helping the industry learn from what they've learned, good for them," she said. "But a lot of people are going to see it as marketing."

In their Monday keynote, Koehler seemed to expect some doubt, inviting audience members' toughest assessments during a Q&A. But most of the questions were largely technical.

Farshchi and Koehler argue that there are plenty of reasons to take them seriously. Few security teams have dealt with an incident like the one they experienced, so there's a lot of lessons to be learned from the recovery efforts, they say.

Federal prosecutors said earlier this month that Chinese military hackers were behind the breach in 2017 that compromised personal data including names, birth dates and Social Security numbers of 145 million Americans. The hackers were also able to steal drivers license numbers for at least 10 million Americans, and credit card details for 200,000 Americans.

The attackers were able to access the data by exploiting a software vulnerability in Equifax's online dispute portal. A patch for the vulnerability had existed for months, but Equifax did not implement it. A 67-page investigation report from a Senate panel last March blamed the incident on Equifax's negligence.

The company has made huge cybersecurity investments and changes since the breach to reassure shareholders, customers and employees that it won't make the same mistakes twice.

The company has hired about 1,000 technology and cybersecurity specialists since the breach and committed $1.25 billion to security improvements, Farshchi said. The company's leadership has also changed. The company's CEO Richard Smith and several technology chiefs left the company in the weeks after the breach was announced. Both Farshchi and Koehler were hired in 2018, from Home Depot and IBM, respectively. Equifax changed its reporting line so that Farshchi and his team reports directly to CEO Mark Begor. They've also focused on making all employees feel responsible for cybersecurity by adding things like security measures that tie into employee bonuses.

Koehler said he's had to dismiss groups and replace about a quarter of his team for not taking security policies seriously. "We've had to break some glass to change and shift," he said.

Farshchi said he hopes that these efforts can serve as an example to the broader cybersecurity industry.

"I can't think of any other company that has been as forward-facing as Equifax has been. …" he said. "The ultimate goal [for us at RSA] isn't a self-serving one. It's really to try to help the security industry and all the companies trying to defend themselves against all the attackers hitting them every day."

Fintech

Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
FTA
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.
Enterprise

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.

Enterprise

Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories
Bulletins