Was the Equifax CSO to Blame?


According to a recent article by CSO Online, the CSO will oversee and coordinate security efforts across the company, including information technology, human resources, communications, legal, facilities management and other groups, and will identify security initiatives and standards. The candidate's direct reports will include the chief information security officer and the director of corporate security and safety.

With the recent departure of the Equifax CSO and CIO, many are wondering if these two individuals are the only ones to blame for the breach of over 143 million records of PII. With this breach, like many high-profile breaches before it, the problem appears to have been with the entire cybersecurity program, and above all with the resources available to efficiently monitor and mitigate risks to the company and to protect the PII of those involved.

While the CSO is ultimately responsible for ensuring that the right people are in the right places, that can be hard to do with a board that doesn't fully understand cybersecurity, or the consequences should proper security controls not be in place.

What's interesting, but not so alarming, is the number of open security-related jobs currently at Equifax, not including the C-level positions. Right now, there are about 12 positions available, down from 16. Most of these positions are in Georgia, and depending on the location, the salary requirements of the more skilled cyber professionals may be too high. There also could simply be a limited number of skilled people willing to jump from their current place of employment.

Many organizations struggle with implementing a successful patch management and continuous monitoring program, no matter how educated or talented the CSO or CISO is. With antiquated technology and no true process or timeline for implementing patches, things get missed. This is not to say that Equifax is off the hook; by no means are they.

But to say that Equifax failed because they hired a CSO with a music degree, probably earned 15 to 20 years ago, before computer science degrees included security and before cybersecurity was even a thing, is not fair. Cybersecurity in its current form is new.

Programs are still being actively developed by seasoned professionals every day. Having a fine arts or liberal arts degree isn't a bad thing; it helps you think differently. You aren't focused on 1's and 0's but on the whole picture. Companies should want well-rounded individuals who can manage people, understand the risks to the company, communicate with the board, and understand the legal ramifications.

This does not mean that these people should not seek out continuing education through training, conferences, networking events, etc. In addition to all of the above, they should understand how security works and what resources they need to make it work. Having the right technical people under you makes you a strong CSO. This same training needs to be passed down to the company's employees to make sure they stay up to date on the latest trends and techniques that potential attackers will use.

As seasoned professionals start to leave the workforce, the gap in skills and professionals will continue to grow. According to ISACA, there is expected to be a shortage of two million cyber professionals by 2019. This is alarming, especially when there is a multitude of capable individuals who could be trained to enter the cyber industry. As IT and security professionals, it is imperative that we encourage non-traditional IT and security professionals to move forward with learning and understanding this changing landscape.

Based on a recent Tripwire study, 72% of respondents believe it is more difficult to hire skilled security staff to defend against today's complex cyber-attacks than it was two years ago. Having a diverse set of ideas and ways of thinking allows companies to grow and develop cutting-edge technology.

All in all, there are so many unknowns surrounding this breach that the public may never learn about. Blaming someone's type of degree, or lack thereof, does not do the situation any justice. It builds speculation and doubt in all the wrong places. The focus here should be on the resources available to the CSO, the training programs within the company, and the buy-in from the board to get things fixed.
