October 25, 2023

00:36:07

Episode 220 Deep Dive: Jamil Farshchi | Going Back to Basics, Breaking Barriers, and Nurturing Partnerships: A Discussion on Effective Leadership with Cyber in Focus

KBKAST

Show Notes

In this episode, we are joined by Jamil Farshchi (EVP & CISO – Equifax), as we dive deep into the world of leadership and the importance of driving the right behaviors in your team. We also explore the strategic partnerships between the government and corporate community, focusing on improving public-private collaboration to tackle cybersecurity threats. We discuss the challenges and progress made in information sharing, especially for small to medium-sized businesses. Jamil also shares Equifax's groundbreaking initiatives, including their open and honest approach to security reporting and real-time visibility for customers. Jamil emphasises the need for dialogue, diverse perspectives, and breaking down barriers in the security field, and highlights how cybersecurity has become a top priority for organizations worldwide, stressing the importance of investing proactively to avoid breaches.

Jamil Farshchi is EVP and Chief Information Security Officer of Equifax (NYSE: EFX). Farshchi joined Equifax in the aftermath of one of the most consequential data breaches in history. During his tenure, he led an unprecedented $1.5 billion transformation and has built what is regarded as one of the most advanced, effective, and transparent cybersecurity and privacy programs in business today.

Prior to Equifax, Farshchi was Chief Information Security Officer of The Home Depot, Chief Information Security Officer of Time Warner, Vice President of Global Information Security for Visa, Chief Information Security Officer of the Los Alamos National Laboratory, and Deputy Chief Information Assurance Officer of NASA.

Farshchi serves on the Board of Directors for UKG, is a Strategic Advisor for the FBI and serves on the Board of Directors for the National Technology Security Coalition. He was named a Top Voice in Technology and Innovation by LinkedIn.


Episode Transcript

[00:00:00] Speaker A: There's certainly risk that the more these kind of things happen, that people will sort of lose sight of it and think, well, it's just another day. But I think for those who have to deal with it, it sticks with you. And I can attest firsthand, many of the organizations that I've worked with that have dealt with these things, the executive teams, they take it as a religion because they've been through it. And once you have, trust me, you never want to have to go through that situation again. [00:00:24] Speaker B: You. This is KDC as a primary target for ransomware campaigns, security and testing and performance and scalability, risk and compliance. We can actually automate that, take that data and use it. Joining me today in person is Jamil Farshi, EVP and Chief information security officer from Equifax. And today we're discussing your view, Jamil, on the cybersecurity landscape. Lovely to meet you, and welcome to Sydney. [00:00:54] Speaker A: Thank you for having me. I appreciate the opportunity. [00:00:56] Speaker B: So I want to start with your view on the cyber landscape now. How do you see it currently? So maybe let's sort of start globally. And now that you've been in Australia for a few days, if you want to focus on that, however you interpret. [00:01:06] Speaker A: The question globally, it is, I think, actually more broadly, across all regions, it's improved dramatically. I mean, back when I started in this space, security was, we were like in the boiler room. We were an afterthought, and we did our technical stuff and tried to do what we could with the limited resources that we had. But since that time, it's really elevated to the point where it's genuinely a boardroom topic, where it's consistently one of the top three to five predominant risks that organizations and governments face. It's really captured sort of the public consciousness. 
And so I think with that has come a lot of additional responsibilities that we never had before, but also with more support and more opportunity. So I think we're on a good path and a strong trajectory. But I think there's still quite a ways to go. There's still a lot of organizations and a lot of countries that need to uplift their security, that need to prioritize it more. And so there's still a ways to go. [00:02:06] Speaker B: So when you say quite a way to go, what does that look like? Where do we go from here? What's your view? [00:02:11] Speaker A: I think, of the future. It'd be fantastic. First, if every company had a chief information security officer. Many today still do not, certainly. I think as you look to this region of the world, but beyond that, it's making sure that the security teams have the right level of resources. They're not scraping and clawing for every dollar to be able to implement what amount to pretty foundational basic controls that CISOs have a seat at the executive table so their voice can be heard. And the risks that we articulate are weighted appropriately relative to the other risks that any organization might be facing. So I think there's a lot of areas in terms of mind share that we could probably went over and would benefit us from a risk perspective. And we're not there yet, but there has again been quite a bit of improvement over the last several years. [00:03:03] Speaker B: So you said you made a great comment, seat at the executive table. Now, we obviously had our breakfast today. There was a few comments of people sort of saying that is emerging. Do you see from your point of view in the US, you do have that seat at the executive table as opposed to Australia? And then if so, why are we so far behind here in Australia? [00:03:24] Speaker A: So for me, yes, without a doubt. And I think for a lot of my counterparts in the US, it's becoming far more common. 
I think the last stat I saw was that roughly ten to 12% of CISOs in the US reported directly to the CEO that a decade ago would have probably been zero. So I think there's been great improvement. There still needs to be a way to go though, as it relates to Australia specifically. I think it's just a matter of human nature in many respects, whereby the threats and the implications therein didn't really hit home in Australia until more recently. And as countries modernize, as countries take advantage of technology, as society does, the threats become more and more poignant. And I think we're seeing that now in Australia. Certainly in the wake of like let's look at last year, for example, last September, there was just this series of major public breaches, and I think it shook the public conscience and as a result of that, it gets escalated in terms of its priority. And so I think we're on the path here in Australia as well. We're just farther behind some of the other countries like the US that have had that watershed moment years prior. [00:04:39] Speaker B: I want to just question that a little bit more because I'm curious to hear your thoughts because obviously you weren't there when Equifax breach happened, but you made a great point around being in the wake of some of these major breaches we've had in Australia. Do you think, and I've asked this question before, but I'm curious to get your view on it, because you have gone through a breach that unfortunately, companies having to take a fall, take one for the team, in order for the rest of our industry to actually take it seriously. I know it sounds bad, but do you think it's the reality of the situation? [00:05:07] Speaker A: Yeah, it goes back to human nature. When I was a kid, my mom kept telling me, hey, don't run so fast on this gravel road. I grew up in a small town in Iowa, and I was like, whatever, mom. And I did it until I tripped and skinned the heck out of my legs and my knees. 
And that's when I got religion and I chose not to do it anymore. I think in many respects, and obviously a far more serious way, it's not until organizations face the struggles and the dire consequences of these major breaches that they truly realize that, oh, my gosh, all this stuff I've been hearing and reading, it's for real. Like, it does really impact your reputation. It does potentially take you offline and affect your operations. It does make it far more difficult to be able to work with your customers and then the regulatory scrutiny and all the other things that come along with it. So I think that without a doubt that there are a lot of companies out there that until they see it firsthand, they don't get religion. And one of the reasons I'm here today, and one of my predominant motives of going around the world and talking to as many people as I do, is to try to change that perspective, is to try to preempt organizations from getting compromised so they make the right investments early on on a proactive basis, so they don't have to go through what we did at Equifax, so they don't have to go through what I did previously when I was at Home Depot coming in after another major breach and so many other companies that have gone through this, I think the more aware and the more we accept the fact that this is the new reality, that I think the better off we'll all be, society and companies in particular. [00:06:41] Speaker B: So I just want to flip that comment now on its head. Would you envision that if there's so many breaches happening, which you make a good point about the awareness, do you think people will start to become desensitized? Oh, it's another breach. Who cares? Do you think that will become the attitude if like 50 more companies get breached? Do you think people won't care over time? [00:06:57] Speaker A: Well, in some respects, it is the reality today, especially in the US, where you see the number of breaches hit the headlines all the time. 
And you do, you somewhat become ambivalent to it all. And I think as society, in some respects, you become apathetic to the threats. That is, until it actually happens to you. And when you feel it firsthand, when your identity gets compromised, or if it's your company that's in the crosshairs of a bad actor, and you're sitting there at the table trying to decide whether you should pay that ransom or not and how to manage the fallout from the loss of a huge, sensitive data set, that's when it really matters. And so, yes, there's certainly risk that the more these kind of things happen, that people will sort of lose sight of it and think, well, it's just another day, this is just another Tuesday. But I think for those who have to deal with it, it sticks with you. And I can attest firsthand, many of the organizations that I've worked with that have dealt with these things. The executive teams, they do, they take it as a religion because they've been through it. And once you have, trust me, you never want to have to go through that situation again. [00:08:09] Speaker B: Okay, so I want to switch gears now. I want to talk about you, your Linkedin. We're both LinkedIn influencers or top voices with the Blue badge for people who are not familiar. You've got a big presence on social media. It's interesting, and it's kind of rare to see people in your position, Jamil, that are senior, but maybe not as active. So I really appreciate that someone know does a lot of stuff on social media. You made a post, though, and I'm really curious to just know what it means to sort of unravel a little bit more. But it was. If cybersecurity was a sport, Vegas would never bet on us. So I'm curious to understand, what does that mean? [00:08:44] Speaker A: Out of all my content, that's the one you pull out. No, I'm just kidding. I was wondering which one you were going to reference. I was worried there for a second. No, I think it's. 
Look, when you look at the challenges that we face in security, the number of attacks that we face every single day, and you look at the complexity of the environments that we're entrusted to protect, it's a tough challenge. I reference it as the problem of one, the bad guys can do whatever they want all day long. They just have to be right once. On the other hand, us as defenders, we have to be right every single time. And just statistically, the odds are not going to be in your favor with that kind of dynamic going on. And so that's the basis for that comment. It is very tough to be in our space, which is why I think we need more support, more resources, more mind share to be able to do our jobs effectively because the cards are stacked against us from the start. [00:09:44] Speaker B: You said we have to be right every single time. That's a lot of pressure, don't you think? To be right every single time. [00:09:51] Speaker A: That's why I have no hair. No, it is, it's all seriousness. It is very much. It's a ton of pressure. And the crazy thing is that those threats, they change all the time. And so you never really know what's going to hit you. We know what's happened in the past, but the threat actors, any of these bad guys, look, they're going to change their ways. They're going to find, hey, you put in a control, they're going to find some way around. It's an arms race in many respects. And so without a doubt, it causes you to lose sleep and it causes all of us in this profession, I think, to keep on our toes. And it's stressful. But part of the reason we get into this field is because it is good versus evil. It is a fight for what's right and trying to do the right thing and help the broader community. And dealing with these bad actors and all the new fangled approaches that they bring to the table in many ways is also fun. You're fighting those bad guys and you're doing the right thing. 
And so we can rest our heads on our pillows at night knowing that we did everything we could to try to try to fight for our way of life and protect all of the consumers and organizations that we work with. [00:10:51] Speaker B: Yeah, I agree with you. And look, I think because it is so dynamic and it does change, does keep it interesting. How do you sort of keep up with everything? I mean, you probably got like 50 vendors knocking on your door daily. You've got people in your face. How do you sort of delineate between, how do I know what's coming out? Because there is stuff coming out all of the time. I mean, I'm at the coalface of this and I don't know everything in this space at all. So someone like you, you got team, you've got your boards, you've got customers to take care of. So how do you start learning other stuff? [00:11:19] Speaker A: Well, first off, I'll correct you. It's not 50, it's more like 5000. Yeah. Oh, my Gosh 50 would be fantastic. Look, the only way you can do it is by partnering and building up a strong community of experts, both within the government as well as amongst your peer group and your industry and things like that. I've always been of the fundamental belief that none of us can do this by ourselves. Like Equifax, we invested a billion and a half dollars to transform our company, our program, and to be a leader in security. But even despite that, look, if a major nation state turns its cannon toward us, I can't stop them. I will not win by myself. I need the power of the expertise from all of the other players within my industry. I need the help from the government. And that's the only way, I think, that any of us can realistically expect to be able to win this fight. And by the same token, that's the only way we can keep up to speed with all of the stuff that's going on. And it's not just our. I made fun of the vendors a minute ago, but it's not just our customers in the government. 
It's also our technology partners, the vendors and stuff that are out there. They're the ones who are on the front lines. And we rely on to develop the latest and greatest innovative technologies to be able to help us defend those latest threats. So it's a broad based community, and I think if we want to win, we've got to engage and we've got to share information, and we've got to view everyone as equal. Because without them, without their assistance, without their help, then God be with you. [00:12:48] Speaker B: So we say transform. What does that look like? [00:12:50] Speaker A: Top to bottom? Every single thing. I mean, I look at the organization now and it's night and day. There's very few things I can actually cite that are the same as they were when I first started this job. Our technology stack, our number of top tier security professionals that we have in place, the training regimen, again, the partnerships, you name it, that investment has gone toward building out the entire infrastructure and technologies that we need to be a leader in the space. [00:13:20] Speaker B: You raise an interesting point before. I agree with you. In building partnerships, whether it's public, private, vendors, et cetera, do you think that people aren't doing enough of that in the space, from your point of view? [00:13:31] Speaker A: Yeah, I do. I think that generally we want to, and we go to a lot of meetings and tag ups and things like that. I think the challenge is, though, the quality of the information and what we're actually sharing, the government is a good example. And while they've made a lot of improvements, I think, in terms of providing contextualized threat intelligence and best practices, and they've helped to drive sort of change within the vendor community and things like that. There's still a long way to go. 
It's still fairly rare that as an organization, you're going to get real time, preemptive, contextualized threat information that you can actively use and apply to your defenses to be able to stop whatever the threat may be. I think there are a lot of great relationships and a good information exchange on an individual basis. At the aggregate level, though, it's not where it needs to be. And that is particularly as it relates to the small to medium sized businesses. And I don't know what it's like here in Australia. I'm sure it's probably very similar to the US, but those small to medium sized businesses make up roughly 90% of the economy. And those folks, they're already underfunded. They already typically don't have a tremendous number of support, amount of support from the leadership teams and stuff that they have. But then, to add insult to injury, they also typically don't have the same level of access and connections and ability to be able to join forums and so forth, to be able to build up a decent cadre of information and best practices. And so I think we need to do a lot more to be able to sort of rise the tide, to lift all boats versus just the major players within any given economy. [00:15:19] Speaker B: You speak a lot about fundamentals in cybersecurity, but fundamentals has proven to be difficult over the last 20 years, like patch management. And I've gone on about this like so many interviews, but still hard to do. It's still complex. So we talk about fundamentals a lot in cybersecurity, but people find that hard. What's your view? [00:15:38] Speaker A: I'm glad you bring this up. It is a misconception, and I feel like I personally am a contributor to that, where I always harp on, hey, just focus on the fundamentals. 99% of the threats and stuff that you have to deal with, you're going to be able to absolve them. But doing the fundamentals is really freaking hard. Like, it's really, really hard. 
So it seems simple, oh, just patch your stuff on time, or just configure your assets correctly or whatever it might be, but those things are difficult. And when you really look at it, the number of fundamentals that are out there are legion. There's so many of them because you could just go down the list of certificate management, my data loss prevention rules. You just go down, and there's so many of them that it quickly becomes very difficult to be able to do all of them effectively. Add to that the fact that there's a business to run, there's an organization behind all of this, and they need to be able to innovate. They need to be able to get products out to market. They need to be able to make changes, serve whatever the customer needs are and things like that. And it just becomes extraordinarily complex in a very, very short amount of time. And so, yes, I do believe that the fundamentals are the key. And I think that we tend to, as a community, spend more time than we should on trying to invest in these latest next gen technologies and stopping this random esoteric threat that's out there that's hitting all the headlines at the expense of doing the basics. But the basics are hard, period. And I think that's one of the major reasons, because it's so difficult that we are in the place where we are today. [00:17:14] Speaker B: The operative word that you used there was hard. And that's the thing that a lot of people have interviewed over my time, is like, oh, sue, the basics, KB. It's about the basics. But it's like, yeah, but you're saying it's hard. SO how do we make it not hard? [00:17:25] Speaker A: Build it in from the get go. So you heard this today during our talk from our CTO here in Australia, and I think he put it perfectly in that quote that he gave. I think it was one of his bosses or whatever told him at one point in the past where, hey, if it's hard, let's do it as often as we can so that it becomes easy and so we can do it better. 
And I think that's the key. It's, first, getting that partnership with the technology teams and the other stakeholders that you need to get the job done. And then secondly, it's just doing a lot. When you start off on a brand new diet, it's pretty damn hard when you start to not eat that cookie or go out for the 06:00 a.m. Run or whatever it might be. But you know what? Once you start doing it on a routine basis and you build up the discipline around it, it's actually not hard. It's not hard at all. And in fact, it becomes pretty easy. And I think we need to do that same thing and take that same mindset and apply it to security across the board. [00:18:21] Speaker B: So, like doing the reps. Yeah, over. [00:18:23] Speaker A: And over again and you build up the discipline and it just becomes easier because you know what you're doing and you've built it into your standard operating model. [00:18:31] Speaker B: But how do you get the mindset of, we've got to do the reps. How does someone understand that, okay, all these things are hard, but how do you get that journey there of, well, we got to keep doing this thing over and over again. [00:18:40] Speaker A: That's leadership. Honestly, it's squarely leadership, and it's incumbent upon us as leaders to make sure that we're driving those right behaviors and we're reinforcing them and we're prioritizing them again. It's too easy to be able to look at that next shiny object and go chasing it, whatever that random thing might be, at the expense of doubling down on the basics. And as leaders, if we do that, if we find ourselves doing it certainly on a consistent basis, then what do you think the rest of the team is going to do? They're not going to focus in on it yet. 
If we do focus on it and we create meaningful measures to be able to drive accountability and the visibility therein, pretty likely that you're going to get your team, if they know that this is what they're being held to, to do the job and do the job correctly. [00:19:24] Speaker B: So I want to focus now a little bit more on your involvement as an FBI advisor. What is that? What does it mean? And probably dovetails nicely into the partnerships that we've just discussed earlier today. [00:19:39] Speaker A: Yeah, it is. It's completely part and parcel to that. Look, when they reached out to me about being a strategic advisor, first, I was all in on that because I think that there's a lot of benefit to being able to share the private sector's perspective on security and how things can be done more effectively. But I also think there's a ton that the government can do to be able to help us in a meaningful way as well. And so the genesis and the basis of the partnership is to be able to drive better and more broadly effective public private partnership amongst the FBI and the corporate community. And it spans everything to discussions around policy decisions, to what are the mechanisms by which to be able to reach out to and engage with organizations, what organizations need and want from the government, how they can provide that more effectively. And so at the end of the day, my hope and my dream here is that we can build more trust between the FBI and the private sector to be able to generate more information sharing, which the FBI can then synthesize and disseminate back out to that same partnership group so that everyone can be better armed to defend against the latest threats. [00:20:59] Speaker B: You said build more trust. Is there no trust? [00:21:02] Speaker A: More suggests that there is some, but there needs to be more. There is, and it depends on the organization. It depends on the relationships there. Depending on the organization. 
Yeah, there's a fair amount of trust, but I think there's a lot of organizations out there that view the government in general as, hey, I'd rather not get involved. I'm worried about the liability. I'm worried about the transparency. I'm worried about them coming after me with more findings or whatever. More regulatory scrutiny, you name it. And we need to break down that barrier, especially with the legal teams. I think for the most part, when I talk to security practitioners, we generally want to do the right thing and we generally want to share that information. Oftentimes we get held back from other parts of the business. And so I think part of this is around solving that trust challenge by virtue of demonstrating the benefits on a consistent basis and ensuring that the organizations that do partner don't fall prey to any of those fallacies around. Hey, you're going to get bitten if you share too much information or if you engage with the FBI in the wake of a breach or whatever it might be. And I think we've made some progress there. There's just still a long ways to go. And these things are rooted in, I think, misinformation and a lot of assumptions that don't really have a great basis. But it's our job, I think if we want to be able to win this fight, to be able to dispel them to the best degree possible. [00:22:21] Speaker B: So a couple of things in there that I just want to ask a few more questions on is when you said the government, would you say that there's a dissonance between what the government thinks that the private sector want in terms of assistance, assurance, help, support? [00:22:36] Speaker A: No, I don't. I think generally there is a pretty strong understanding of what at a high level needs to happen. I think the question and the challenge comes into the mechanics of how it actually occurs. So if you talk to, I don't know if you talk to any agency, but let's just take CISA as an example. 
Over in the US, they know, Director Easterly knows that as a recipient of intelligence, as a CISO myself, I would like to have contextualized, real time, actionable information. They know that. So there's no issue there. The question just becomes, how do we do it in an effective way, how does it scale? And how can they best position themselves to be able to provide that across the broader community? And so I think that's where the work needs to be done. And I think they've made a lot of progress. I mean, if you look at their ransomware initiative they put in place, if you look at some of the stuff they've done around supply chain, even the broader cyber strategy for the US government, they're all steps in the right direction. We're not at the finish line on that stuff yet. There's still a ways to go. [00:23:41] Speaker B: So trust. People talk a lot about that. What does that mean to you specifically, trust? [00:23:49] Speaker A: I mean, I guess it depends on the context, but generally speaking, it's that there is confidence that we are going to do the right thing. That's it. It really boils down just to that. And if I have a counterparty who believes that, then we're going to work well together because they're going to share information with me, they're going to be transparent, and they're going to be open to listening and working with us to solve whatever problems we may have. And I think we just need collectively to be able to work more on that one. And I think it's hard for us as security professionals in many respects. We've come up through the ranks. On the technical side, we're always the secret squirrel stuff. We're almost self selected to this space because we're a little bit paranoid and things like that. Sometimes it's tough to build that trust, but I don't see how we can solve many of the sort of meteoric challenges that we have in many respects without building that trust across the community, both companies to companies as well as with the government. 
[00:24:46] Speaker B: So, question on the trust, how do you build that back post breach, how do you do that? I know it sounds like an airy fairy question, but I don't know if I could even answer that. [00:24:56] Speaker A: You know, what we did, and I can't tell you now that at the time I was assured that this was going to happen, but our North Star was doing the right thing, and our North Star and the basis for it was transparency. So we leaned in hard on customer communications, talking about exactly what happened to the nth level of detail about the breach, who did it. I mean, I literally remember we were going customer to customer and we had these forums set up, so we did them every, I think it was every two weeks, but we talked about all the projects I felt like I was presenting to our executive team and like my boss around, hey, here's our project initiatives and here's what's behind and here's what's on target and stuff like that. With every one of our customers in the wake of this thing, we went globally, whether it's customers or governments across the globe. We leaned in hard and spent a ton of time to try to be as open and honest about what had happened. Not just to share that information, to make know, make people feel better that, hey, things were going to be right sized on the Equifax side, but also as a partner, to be able to share that information so that they could learn from us and not go through the same thing themselves. Right. If people could absorb what we did and learn from it and apply some defenses or protections or processes that would save the day for them, then that's also a win. So we really leaned in on that notion and we continue to do it today. I mean, look, a few years ago, we released our security annual report. I think it was a first of its kind. Now there's several other companies, big name companies, who are following suit and doing the same thing. But it's top to bottom, an overview of our security progress and status. 
Every single year we release that. We built out a capability to expose all of our cloud control effectiveness to all of our customers who are leveraging our services in the cloud so they can see in real time exactly what I see when I look at our dashboards and stuff. Here's the security of the assets that I'm consuming from Equifax. Again, first of its kind. And later on this year, we'll be releasing our board audit framework, which is the exact framework that we use to present our program, that I use to present our program to our board of directors. We released our control framework earlier this year. Our specific controls that we have put in place, and we even built on it. So it's dynamic, which allows small to be medium sized businesses to actually leverage it. These businesses that we talked about earlier that are underresourced and probably don't have the same manpower that we do at Equifax to build out their controls and do the framework and stuff, we gave it to them. We open sourced it for everybody. So we've tried to not just be super transparent about our posture, but we've tried to give back by providing out to the community a lot of these things that, A, weren't available before, or B, have the potential to potentially change how we do things in security on a community wide basis in a better way. [00:27:48] Speaker B: Would you say from your point of view, companies that have been breached don't demonstrate being genuine? It's like, oh, you're trying to build your trust back, but it's not genuine. Have you seen a bit of that? [00:27:58] Speaker A: Sometimes? Yeah, I do. I call it duck and cover. When you get these companies that get popped and their strategy is to hope that everyone forgets about it and there's some other news cycle that's going to allow people to move on to the next story. It happens far too often. 
I will say, though, that there have been several examples since our breach where there have been companies who have really stood up and done the right thing and taken it super seriously. I won't name them to throw out, even to regurgitate old stuff, but there are some organizations that have done a fantastic job, I think, about being transparent, and I know for a fact that in many respects they used Equifax and what we did as the basis for their approach to responding to their own breach.

[00:28:43] Speaker B: So you guys were the poster child in many.

[00:28:45] Speaker A: Yes. Yeah. Which is. I think it's a good thing there.

[00:28:48] Speaker B: Was a company, you probably know this, Jamil, Norsk Hydro, when they got, in your term, popped, their share price actually went up on how they handled the breach. Are you following that?

[00:28:56] Speaker A: Yeah, I know their CIO or CTO, whatever he is, very well. Yeah. In fact, he and I were on a panel together talking about that. I think it's a great story. They did a fantastic job in a very tough situation. And I guess my only hope would be that more companies take a look at situations and examples like that and emulate it to the best degree possible.

[00:29:18] Speaker B: So I sort of want to just now conclude our interview with talking about your thoughts around shaping the future. As I said, I follow you on LinkedIn. We're connected. I follow your stuff. What does that sort of mean, though? Like, everyone talks about the future state. What does this mean for you?

[00:29:31] Speaker A: The more people that follow this kind of information and the more people that are engaged in this topic, the better off we all are. But here's the basis for it. You'll notice this from the stuff that I put out. It's not about me, and oftentimes it's not even about Equifax.
My MO is to try to build up a dialogue amongst us as practitioners, the community at large, so that we can talk about some of these tough topics, these challenges know, many of which you just highlighted throughout this interview. Because I fundamentally believe the more dialogue and the more attention we have on these topics, the better shot we have at being able to solve for them. But I think the more important part of it is that it puts it on the table and it allows people to have an open, honest dialogue about it from all kinds of viewpoints. Because it's not like security practitioners are somehow this monolithic group that all think the exact same thing. I think it's good for the community, and I think that the more we can do that kind of stuff, the better we'll perform. And the less obstacles that we're going to face, or the more obstacles that we face, the more we'll be able to solve for them.

[00:30:35] Speaker B: Do you think from your perspective, people like CISOs or whoever they are? I've just heard a lot from people saying, like, I don't like getting out there and talking and saying things. I feel afraid. I'm an introvert. I feel weird that if I'm out there on my own, this is why people like the interview, because it doesn't feel like it's all about them, because I'm asking the questions. Do you think it's just maybe we haven't had enough of the information sharing just due to the nature of the people in our space who are predominantly introverted?

[00:31:00] Speaker A: It's a fair point. I'm sure it's part of it. I think the other part of it, though, is that many of us, many of our organizations, security is a taboo thing to talk about. There's oftentimes this notion in our space that security by obscurity is a good thing. I don't want to talk about security because if I do, it's somehow going to attract the bad guys.

[00:31:20] Speaker B: Does it?

[00:31:21] Speaker A: No, it doesn't. It just fundamentally doesn't.
It's this weird thing that I have no evidence to support or have ever heard of before from anybody. Yet it's something that proliferates the dialogue everywhere.

[00:31:32] Speaker B: Is it then obfuscating of being questioned?

[00:31:35] Speaker A: Look, I'll tell you for my we have been super public at Equifax and I have said a lot of things that no CISO would ever in their right mind talk about. Why? Because I think that we need to have a dialogue about. I think hiding under the covers and not discussing this stuff doesn't help advance the field at know. The other day, a few months ago, I wrote a post and talked about the intel we got from CISA, about an impending threat that was getting ready to hit us at Equifax, and talked about the great intel and how we were able to put it in place. And be able to stop the threat actor and all this other stuff. You don't read about that kind of stuff. People don't talk about that kind of stuff. And so what happens in the absence of that is you get this information vacuum, and then everyone is allowed to be able to perpetuate these falsities, such as, oh, the government never provides anything useful. It's always a dollar late and whatever short. Being able to speak about this stuff allows the community to see examples of that's just not true. The government can help. There are good things in this particular space, or this person isn't always right or whatever it is. And so, yeah, do I take on some risk? Does Equifax take on some risk by virtue of me being as open and transparent about stuff? Sure. But it's something that I think if you want to be a leader in the space, it's going to come with some risk, and you've got to be bold in certain cases, and you got to stick your neck out there, because I think fundamentally, that sort of is the definition of a leader, someone who's willing to take a stand on stuff. And this just happens to be one form for which I think that LinkedIn. That I try to do that.
[00:33:08] Speaker B: When you say everyone. Who's everyone? People on LinkedIn.

[00:33:11] Speaker A: No, it's a broad swath of the community.

[00:33:15] Speaker B: So, Jamil, do you have any sort of final thoughts or any closing comments you'd like to leave our audience with today?

[00:33:20] Speaker A: Sure. I think that we have our work cut out for us in this space. It's only going to become more challenging. And as I was saying earlier, as society becomes more and more reliant on technology, it just becomes a more and more attractive target for the bad guys. And there's a lot of money to be made just economically. It's going to be attractive for the foreseeable future, even more so than it is now. And then if you throw over the top the geopolitical implications and the power that cyber affords to be able to even the playing field for many countries that couldn't otherwise do it, they don't have any other sticks to potentially use. It can get scary pretty fast. But I think the ray of light that I see is that across the globe, more and more countries and more and more companies are taking this area seriously. And so it's evolved dramatically, and the rate of change has increased even more so, quite frankly. And so I feel like we're all rallying together, and I think there's a lot of good things happening. So even in the face of all of the downside risks and challenges that we face today, it is in many ways easier to be a CISO today because of the level of support that I think companies are providing and visibility and resources than they have before. In other ways, it's more difficult. The responsibilities, the accountability, the seat at the table, the spotlight that you're under, the implications, those are all harder. But in some ways, because of the uplift in this area, things are better.
And so I think to leave it on a positive note, I feel pretty encouraged about where we are, certainly given where we were before, and I'm excited to see everything to come together, and it's just fun working with this community. It's a great group of people.

[00:35:04] Speaker B: Well, thank you for your time and thank you for your honest responses. You've been very transparent. You've gone into detail again. You didn't sort of just gloss over things. I genuinely really appreciate that. And I really appreciate you just rolling with the punches on my questions. So thank you so much.

[00:35:20] Speaker A: Thank you for the opportunity. Maybe next year when I come out here, we could do it again.

[00:35:26] Speaker C: This is KBCast, the voice of cyber.

[00:35:30] Speaker B: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.

[00:35:38] Speaker C: This episode is brought to you by MercSec, your smarter route to security talent. MercSec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected] today.
