ashwinkrishnan
Contributor

A different look at the Equifax fiasco – the human element behind it!

Opinion
Sep 17, 2017 | 4 mins
Data Breach, Security

A different look at the ‘Equifax’ fiasco

I promise that I will not dog pile with my article to the long list of pseudo-experts who are arm chair quarterbacking and providing their ‘so-called’ incisive reasoning on why this happened and what could have been done to prevent it. #NoSir/Madam.

Rather, I will take on a somewhat contrarian approach and suggest that this issue – while deplorable and tragic – is not something that is that unusual at all. In fact, lots and lots of businesses in the US and abroad are in the exact same soup as Equifax – except they have not been breached yet.

What makes me assert that without any inside knowledge of what happened at Equifax (which I clearly do not have!)? Just the fact that the cause of the exploit was an unpatched vulnerability on their Apache servers for over two months is reason enough for my assertion. Let me explain. Let’s say you are on a critical assignment with a tight deadline (yes, I know that never happens) and you are researching, writing and Googling when suddenly a pop-up appears saying that there is a critical vulnerability in your operating system; the recommendation is that you save your work, install the patch, which will take roughly half an hour, and then after a reboot you are good to go. What are the odds that you are going to go ahead with the patch? Even if you are a security guru, your deadline and the need to meet the commitment you have made trump everything at that point. And you reason: what are the chances that this CVE is going to ‘get you’ in the next day? So you ignore it and plough on. The nag continues, and it becomes weeks before you finally find the time – and the courage, really – to make the move.


Well, if the above rings true, realize that this is not really that far-fetched from what happens in an enterprise today. Imagine you are the IT Director with hundreds of Apache servers under your belt serving up critical e-commerce applications for many of your customers. Your security cohort – Jane Doe – comes and provides a vulnerability assessment indicating that a large portion of your server base is unpatched with the latest critical fix. You look her in the eye and ask for a written guarantee that, post patching, the systems will come back online within minutes and not consume any more CPU or memory resources (which you are renting from a CoLo). She balks. You refuse to patch. This is the reality in the enterprise today. Since the IT folks’ primary measures are availability and cost, the impact of a server not booting or consuming more resources is immediate and costly, whereas a CVE exploit by a miscreant is relatively far-fetched in their minds. And the security folks do a poor job of translating why the IT folks should care, what they can collectively do to share risk, and what happens to both of their jobs if there is ever a breach! The result: the systems stay unpatched for weeks or months (two months in the case of Equifax) until there is a real lull and the risk of upgrading is low!

This is the unfortunate reality of any large enterprise today. There are at least three constituents in the CIO / CSO organization – Compliance, Security and IT – each with seemingly different – and sometimes conflicting – agendas, resulting in an inefficient and insecure posture that puts the organization itself at risk. If I am painting a bleak picture, let me also offer up some suggestions on how this can be tackled (and has already been by some organizations that have embraced this wholeheartedly). As a CIO or CISO of an organization, here are some steps to drive empathy and understanding across these three stakeholders:

1. Acknowledge that the 3 constituents are not vested in the same set of goals and write down what those – sometimes conflicting – goals are

2. Start creating community awareness of what each constituency does and why that is important to the business

3. Create small cross-functional teams with members from each group to go tackle one issue at a time

I will be exploring this in much greater detail in a free upcoming webinar hosted by ISACA titled – Cyber Security for the Cloud – at 11:25am CDT on Sep 21. Please feel free to join me there if you are interested.

Meanwhile, the aftershocks of the Equifax debacle will continue to be felt far and wide. But don’t get caught up in the pseudo-expert narratives; rather, redirect your energy toward what this means to your organization and how to get better alignment, empathy and respect across the three constituencies of Compliance, Security and IT for a safer and more secure enterprise.

Ashwin Krishnan is the COO of UberKnowledge, a cybersecurity knowledge sharing, training and compliance organization.

As a former vendor hi-tech executive in the cybersecurity and cloud domain he has turned writer, podcaster and speaker. His focus is on simplifying technology trends and complex topics such as security, artificial intelligence and ethics through enduring analogies which he shares on his blog and his talks. Ashwin is the author of “Mobile Security for Dummies,” and as a recognized thought-leader he contributes to a variety of publications, including Entrepreneur Magazine.

Ashwin is a regular host with CISOs on podcasts such as the Cyber Security Dispatch where he bridges the education gap between what the security practitioners need and what the vendors provide; as a tech ethics evangelist he is frequently on main stage at conferences educating and empowering consumers and vendors alike on the role of ethics in tech; his recent speaking engagements include the Smart Home Conference, Fog Computing Congress, and the Global AI Conference.

The opinions expressed in this blog are those of Ashwin Krishnan and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.