Walking on eggshells, us and Equifax
For the ostensibly mature environments, the casual and rather arrogant outcry is, “Equifax are a bunch of dummies. The CISO was a music major without a clue. They hid like rats for months.” For those with more sensible and tempered views, it is “There but for the grace of God go I.”
A lot went wrong in deed and in response for the credit agency, spanning IT, Communications, Legal and the senior leadership team, charged with protecting the – no, not just the company, but rather their customers’ lives and livelihoods! In the rock ’em sock ’em world of open competition, Equifax got sucker punched because of their own failure to raise their guard. Worse, their own failure to dress their wounds and stop the bleeding became catastrophic.
The story has morphed after only a couple of weeks, and everyone has chimed in on the hubris, the operational failings, the governance blunders, the lack of enterprise controls, the poor risk mitigation, the processes and the patches. The hardy-hars even include the ridiculous -- taunting the much maligned former CISO’s college degree. If we haven’t gauged the realities of cyber wars, then we are doomed to flaunt the feathers of a peacock whose every move is eyed by the hunter’s scope. If we’re on high horses, it is time to get off and understand that it’s just a matter of time. Our challenge is to make the rifle shot veer off the target so we can regroup again.
Do we really think that Equifax didn’t have a control structure?
Do we really believe that I.T. just hadn’t realized that vulnerability management and its patch management dependencies required vigilance?
Do we really imagine they simply discarded the latest audit of their underwriters and the countless corporations who see them as vendor, as business process partner?
A storied and crack engineer I know answers, “I imagine they must have had sophisticated governance.”
I wanted to exclaim, “But of course they did! They spend tens, hundreds of millions on risk mitigation.” Equifax’s governance processes, standards, SOPs, P&Ps, process frameworks, audit logs and testing evidence are as deep as the day is long. They’re probably more thorough than our own! The paper generated by their audit committees, IT partners and Legal department could fill a Renaissance monastery. So did they happen to forget that patches are the woven fabric of their armor when they created their control framework?
Of course not.
As the tale unfolded we learned that the Apache Struts development framework had a vulnerability, which was exploited. Seems straightforward. A patch for this framework was issued and, notwithstanding that the Apache Foundation argued that the issue is not so cut and dried, the sharks smelled the blood in the water and now the credit giant is persona non grata. If the facts hold, and if a patching failure, cracking the door open for the bad guys, was truly the culprit (which seems to be the case), then we return to our earlier considerations. Does Equifax simply skip patching its environment when it feels like it? Therein lies the absurdity. Of course not.
No matter what the level of automation, the human factor remains. A control environment at the enterprise level, interdependent with the I.T. environment, will capture the risk and identify the mitigation. In the case of application integrity, the governance mandate is to stay current with the latest early-warning detection providers and vendor updates. The operational implementation is the patch itself, in pre-prod, prod and DR environments. Equifax knows this, plans for this, and executes this. As business and technology leaders, we all know this.
And yet, they missed one.
Within every process, the level of automation is considered one mitigation for human error, for constancy in vigilance, in confidence that the company’s data and assets are protected by way of proactive defenses. No matter how advanced our AI becomes, or how streamlined our automated technology evolves, a company employee, coached by managers and directed by executives, will always be the god of the machine.
There is no doubt that Equifax had governance, processes, standards, vulnerability management. Somehow entwined in the human factor dependency, there was, somewhere, someplace among the corridors of servers and blades and monitors, a cultural fault, an absence of recognition. One or more engineers, managers, executives overlooked a responsibility that is daunting: we are all accountable for security. Just as we are for customer service and the core values that are written and placed atop each employee’s desk.
What is our company about? Who trusts us? What information of theirs do we preciously hold as fellow travelers in their personal pursuits and day to day dreams? Sounds over the top? Far from it. We must embrace a culture of accountability and an understanding that all employee contributions and missteps can have ramifications for hundreds of millions of individuals.
It’s a startling responsibility. Defending the wall requires every employee’s focus on the company’s vulnerability. It’s everybody’s business and, while this mantra is preached in the corporate halls, it shall not resonate until executives demonstrate and demand that we all connect our technology and processes and day-to-day tasks with a resultant impact on the human beings who depend on us. Feel it in the gut, and embrace it.
Do our associates, peers and contributors really sense this? Really? I mean beyond a hallway poster that blandly says, “Do the right thing.”