The role of the CISO and the Equifax Breach

CISOs don’t eliminate risk- they help companies manage it. Equifax made poor choices as a company. The CISO was ineffective.

 

I do not know Susan Mauldin, the now-former Chief Security Officer of Equifax, nor can I even tell you what her job was.  That is because the role of Chief Information Security Officer (CISO) remains ill-defined: each company implements the role in different ways and has different expectations.  It may well be that this person did not have the authority to implement policies that would have prevented the breach that revealed records of over 143 million US consumers.

What I can say is this:

The only way you can entirely secure a computer is to destroy it and melt down its components beyond the point that any recovery tool can glean information.  Otherwise, there is always some security risk.  You might be able to sufficiently secure a system such that the risk is so low as to be almost negligible, but to do that usually requires more resources than it will cost to mitigate a breach.

The goal of a CISO is to reduce the expected loss of a security breach to a level acceptable to the management.  Expected loss has many components.  It can include direct financial losses, losses in sales, reputation loss (and thereby future sales losses), stolen IPR, thus impacting product differentiation, and liability associated with stolen customer and partner information.  In a world where information is worth its weight in gold, holding any information secret means that there is a risk it will be revealed.  The decisions of a CISO or her management do not amount to loss due to a single event, but may be recurring losses, either due to expenses to mitigate risk or due to losses from breaches.

Equifax’s business is information about consumers.  That means that they must retain the information necessary to report their findings to their customers, such as banks or employers who are assessing the trustworthiness of an individual.  That can be a lot of information, such as credit card, mortgage, and utility payment histories.  Equifax is a big fat target for information thieves, much the same way the US Office of Personnel Management is (they were breached in 2014).

It has been reported that the information thieves in this case made use of a vulnerability in Apache Struts that had been announced in March.  Equifax stated that they detected anomalous behavior on the 29th of July.  That left a period of roughly four months of exposure. In the grand scheme of things, this is not a long long time for an exposure.  However, because the value of information that was at risk was actually quite high, and because the vulnerability in question was exploitable on the open Internet, there should have been a process in place to rapidly close the bug.  There exist any number of patch management tools that spot open source software updates, and alert the customer.

Should Susan Mauldin have known all of this?  Yes.  Did she?  I don’t know.  Did she have the authority to effect change?  I don’t know, but to be sure she was ineffective because the necessary processes were not in place.  Will this sort of failure happen again?  You can bet on it, but when and how much the loss will be is where CISOs make their money.