A different look at the ‘Equifax’ fiasco

I promise that I will not pile on, with this article, to the long list of pseudo-experts who are armchair quarterbacking and providing their ‘so-called’ incisive reasoning on why this happened and what could have been done to prevent it. #NoSir/Madam.

Rather, I will take a somewhat contrarian approach and suggest that this issue, while deplorable and tragic, is not unusual at all. In fact, lots and lots of businesses in the US and abroad are in exactly the same soup as Equifax, except that they have not been breached yet.

What makes me assert that without any inside knowledge of what happened at Equifax (which I clearly do not have)? Just the fact that the cause of the breach was a known vulnerability in the Apache Struts framework on their web servers, one that had gone unpatched for over two months after the fix was published, is reason enough for my assertion. Let me explain.

Let’s say you are on a critical assignment with a tight deadline (yes, I know that never happens) and you are researching, writing and Googling when suddenly a pop-up appears: there is a critical vulnerability in your operating system, and the recommendation is that you save your work and install the patch, which will take roughly half an hour, and after a reboot you are good to go. What are the odds that you are going to go ahead with the patch? Even if you are a security guru, your deadline and the commitment you need to meet trump everything at that point. And you reason: what are the chances that this CVE is going to ‘get you’ in the next day? So you ignore it and plough on. The nag continues, and it becomes weeks before you finally find the time, and the courage really, to make the move.

Well, if the above rings true, realize that this is not really that far-fetched from what happens in an enterprise today.
Imagine you are the IT director with hundreds of Apache servers under your belt, serving up critical e-commerce applications for many of your customers. Your security cohort, Jane Doe, comes and presents a vulnerability assessment indicating that a large portion of your server base is missing the latest critical fix. You look her in the eye and ask for a written guarantee that, post patching, the systems will come back online within minutes and not consume any more CPU or memory (which you are renting from a colo). She balks. You refuse to patch.

This is the reality in the enterprise today. Since the IT folks’ primary measures are availability and cost, the impact of a server not booting or consuming more resources is immediate and costly, whereas exploitation of a CVE by a miscreant is relatively far-fetched in their mind. And the security folks do a poor job of translating why the IT folks should care, what the two groups can collectively do to share the risk (for instance, patching one host per application first and confirming it comes back healthy before touching the rest, with a rollback plan agreed in advance) and what happens to both of their jobs if there is ever a breach. The result is that systems stay unpatched for weeks or months (two months in the case of Equifax), until there is a real lull and the risk of upgrading is judged low enough.

This is the unfortunate reality of any large enterprise today. There are at least three constituents in the CIO/CSO organization, Compliance, Security and IT, each with seemingly different, and sometimes conflicting, agendas. The result is an inefficient and insecure posture that puts the organization itself at risk. If I am painting a bleak picture, let me also offer some suggestions on how this can be tackled (and already has been by some organizations that have embraced this wholeheartedly).
As a CIO or CISO of an organization, here are some steps to drive empathy and understanding across these three stakeholders:

1. Acknowledge that the three constituents are not vested in the same set of goals, and write down what those, sometimes conflicting, goals are.
2. Start creating community awareness of what each constituency does and why that is important to the business.
3. Create small cross-functional teams with members from each group to tackle one issue at a time.

I will be exploring this in much greater detail in a free upcoming webinar hosted by ISACA, titled Cyber Security for the Cloud, at 11:25am CDT on Sep 21. Please feel free to join me there if you are interested.

Meanwhile, the aftershocks of the Equifax debacle will continue to be felt far and wide. But don’t get caught up in the pseudo-expert narratives; rather, redirect your energy toward what this means for your organization and how to get better alignment, empathy and respect across the three constituencies of Compliance, Security and IT, for a safer and more secure enterprise.