Equifax Exec Departures Raise Questions About Responsibility for BreachDisclosed details suggest a failure by the technology team but senior executives and the board are not above responsibility as well, experts say.
With two senior technology officials stepping down from Equifax late last week, experts say the question now is whether responsibility for the recently disclosed data breach at the company should in fact go all the way to the top.
Equifax on Friday announced that chief security officer Susan Mauldin and CIO David Webb were "retiring" from the company effectively immediately. Two other executives have been appointed to their roles in an interim capacity, Equifax said in an update.
The announcement was careful to avoid all suggestion that either Mauldin or Webb were being fired over the breach, although it was clear their departures were directly related to the incident, which exposed personally identity information on 143 million US consumers.
In a separate development, BloombergMarkets on Monday reported that the US Department of Justice has opened a criminal investigation into whether three top Equifax executives broke insider-trading laws when they sold company stock in the days immediately following the breach. Equifax CFO John Gamble, the company's president of workforce solutions Rodolfo Ploder, and president of U.S. information solutions Joseph Loughran together sold nearly $2 million in stock in early August, a few days after the breach discovery. Equifax has said the executives did not know of the massive data compromise at the time.
The company has admitted the breach resulted from its failure to address a previously disclosed Apache Struts vulnerability (CVE-2017-5638) that let intruders gain an initial foothold on its systems. In its Friday update, Equifax said its security organization had been aware of the vulnerability and took efforts to address it. "While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing," and more information will be released as it becomes available.
Equifax discovered the intrusion on July 29, more than one-and-a-half months after the intruders first broke in via the Apache Struts flaw. It hired security vendor Mandiant to investigate the break-in, which some have speculated might have been perpetrated by a nation-state actor.
John Pescatore, director of emerging security threats at the SANS Institute, says given the details so far, it is little surprise that Mauldin and Webb are no longer at Equifax. Unlike some breaches that have resulted from systemic top-down inattention to security practices, in this case, the intrusion stemmed from Equifax's failure to address a known security issue that was being actively exploited. So there is little reason to believe that Mauldin and Webb are merely being made scapegoats, as is sometimes the case with major breaches, he says.
"For something where it is one of these failures of basic security hygiene, it is very rarely you would say 'we need support from upper management to patch,'" Pescatore says. "For something like this, it is appropriate to say it falls squarely on the security team" to have prevented the breach, Pescatore says.
"When basic security hygiene doesn't happen, security people with C's in front of their names bear the brunt of the responsibility," he notes.
But the Equifax board cannot be absolved from responsibility, says Todd Thibodeaux, CEO of CompTIA.
"Should the internal team at Equifax have implemented the patch, enforced stricter passwords policies and any number of other things? Absolutely," Thibodeaux says. "Should their board of directors have some responsibility for not ensuring a proper adherence to best practices and a verifiable audit trail? The answer is also, absolutely."
Boards of directors tend to scapegoat their CISOs and IT teams when avoidable breaches such as this occur. But if this had been a financial issue, the board would have been held accountable because they hire and fire the auditors, Thibodeaux says.
The reality is that corporate boards have been less than proactive in engaging in, and understanding, cybersecurity matters. While most board members can decipher a balance sheet, few are likely to know what a penetration test is, how their corporate intellectual property is being safeguarded, or if their company is following NIST's best practices, Thibodeaux says.
"It's time for directors to step up and take the same fiduciary oversight role and responsibility for cyber protection, just as they do in looking out for shareholder interests on the financial side," he says.
CISO's can play a big role in making this happen by being better advocates for cybersecurity, says Christopher Pierson, chief security officer and general counsel at Viewpost.
Instead of being all about technology all the time, CISOs need to focus on making cybersecurity more about business enablement, customer trust, and risk reduction. In addition to security skills, it is increasingly vital for the CISO to have business, legal, and communications expertise, Pierson says.
"Unless your company understands and agrees that cybersecurity is a top-level board issue it is impossible [for the CISO] to escape being a scapegoat," when breaches such as the one at Equifax happen, he says. "We do not know what this looked like at Equifax, but most publicly traded companies focus on cyber as a tech issue when it should not be," Pierson notes.
Importantly, informed boards and executives understand that data breaches are a reality of doing business and if they are properly aligned with the CISO, when a breach occurs they will look to the CISO for guidance on how best to navigate the waters ahead, not as someone to blame for what has already occurred, says Michael Sutton, CISO at Zscaler.
A CISO cannot be effective without support from the board and the executive team, he says. But it is up to the CISO to build that support.
"CISOs who approach security as a necessity, regardless of business needs, will never succeed," Sutton says. "It is critical that a CISO invest time to fully understand and appreciate business processes and find ways to adapt their security model to the needs of the business, not the other way around."
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio