Equifax Europe CISO: Notorious breach spurred cybersecurity transformation


The 2017 Equifax breach was one of the biggest security incidents of the 21st century. A textbook data leak case, the breach affected more than 147 million people and spawned a series of scandals and controversies, with the credit reporting agency criticized for a range of failings, from a lax security posture to its botched response.

The high-profile incident has proved transformational for the company. In the wake of the breach, the multinational company has fortified itself and now even provides advanced solutions for risk management, fraud, and compliance.

Javier Checa, the current CISO of Equifax for Continental Europe, is a computer scientist with more than 20 years of experience in senior cybersecurity positions at various companies, including serving as information security director at El Corte Inglés. Checa wasn’t with Equifax when the data breach occurred; he joined the company in 2021. But he did experience the incident, which he describes as “very significant,” from the outside.

As he recalls in an interview with CSO/Computerworld Spain, although “there had already been other similar incidents, for some reason, probably due to the type of customer and consumer information that Equifax handles, it did have a major impact on the industry at that time.” Furthermore, he adds: “While it’s true that in subsequent years there have been much more serious incidents, [the Equifax breach] was a watershed moment in everything related to cybersecurity.”

A quick learning curve

Checa praises the work done by Mark W. Begor, Equifax’s CEO since 2018, and Jamil Farshchi, Equifax’s global EVP, CISO, and CTO, who have led a complete transformation of the company at a time when it was still badly hurt both financially, having to face $700 million in fines, compensation, and consumer-protection expenses after the data breach, and in reputational terms.

It has been a path in which the CEO’s “personal” commitment to adopting the cloud IT delivery model, and to strengthening cybersecurity and trust so as to make the company a “security leader,” has been vital.

“Equifax has invested nearly $3 billion in a complete overhaul of both our technology and security platforms,” Checa says, adding that the change in the company’s IT strategy is “comprehensive”: “Before, the focus was more on technology, while now security is part of everything we do; it’s embedded in all our processes.”

The company’s CISO for Continental Europe explains that Equifax has built its strategy on the NIST Cybersecurity Framework and the NIST Privacy Framework, the latter addressing privacy risks and the protection of personal information.

“Where are we now?” he asks. “We’re in a happy place because we’ve already completed the transformation of our infrastructure to the cloud model.”

Cloud as a new technological axis

Equifax’s $3 billion migration to the cloud, “which had been brewing for about seven years” and which the company says is the largest technological investment in its history, has involved moving, in Spain alone, more than 300 systems, over 30 product families, and thousands of customers to the company’s cloud platform, Equifax Cloud.

“Now, in Spain, for several months now, all the applications and products we serve to our customers are delivered from the cloud,” Checa says. The project, carried out with Google Cloud, has not only consisted of migrating workloads, he adds, but “restructuring, reorganizing, and refactoring all our assets to truly become a cloud-native company.”

The impact of cloud adoption on the company’s security strategy has been clear: “My security philosophy isn’t just about defining a framework of controls; security must have a very important technological component directly related to simplicity. Migrating to the cloud has made it easier for us to simplify all the components and the way we develop,” Checa explains.

The European CISO adds that it has been positive for the company to “reduce legacy systems to zero,” one of the biggest problems for companies with a long market history.

“Now we have a live infrastructure whose systems we update and re-platform every month, something previously unthinkable,” he says.

The company has also seen its security processes simplified. “Aligning the cloud transformation with the security changes has allowed us to implement security controls, measures, and processes that are completely aligned with all the new technology we have,” he points out.

360-degree security culture

“Now, a security culture is part of our DNA as a company,” says Checa, who works within the multinational’s team of 300 cybersecurity specialists.

But “security isn’t just the responsibility of the technology or security team, but of every employee in the company,” he adds. An example of this mindset is that, “as Jamil [Farshchi] often mentions, Equifax was the first publicly traded company whose employees could access a bonus that included security as one of its components; an initiative that other companies have since copied.” With this, Checa asserts, the company conveys the importance of cybersecurity to its entire workforce.

When asked about the foundations of the multinational’s information security strategy, Checa doesn’t hesitate: “Transparency and collaboration are our cybersecurity pillars.”

The first, “a commitment from the CEO himself,” has been key to regaining customer trust.

“In 2017, after the incident, we needed to win back our customers’ confidence. It’s important to remember that at that time the company’s stock price dropped significantly,” the CISO explains. “Having delivered on our promises is one of the reasons why the company’s stock price is now even higher than before the 2017 incident.”

But there’s another kind of transparency, “the kind we demand of ourselves,” Checa continues.

“Jamil always says it’s easy to be motivated [to be transparent] after a security incident, but the challenge is maintaining that focus over time.” That’s why, Checa adds, the company decided five years ago to launch an annual security report “where we truly open our doors and provide information that few companies had previously offered, from indicators of how long it takes us to respond to an incident to the click-through rate in our phishing simulations.”

This information, he says, has helped Equifax gain in transparency and customer loyalty. Moreover, he acknowledges, “the biggest lesson learned from the incident is the need to be transparent to regain customer trust.”

Regarding the second pillar, collaboration, Checa is clear about its value: “In the new environment of escalating threats we live in, we understand that no one can win this battle alone.”

Therefore, in addition to sharing security information to be more transparent, Equifax publishes its list of controls so that any company can use them.

“We publish our core security not only for the sake of transparency, but so that all companies and governments worldwide can use it — information that has taken us a great deal of effort to develop,” Checa says.

Furthermore, he emphasizes that Equifax collaborates with security agencies such as the FBI and participates in more than 30 security forums. “We share knowledge, collaborate with states in developing their security awareness programs, and have even helped them resolve some security breaches,” he says.


Although the cyberattack on Equifax had an economic motive, the reasons driving cybercriminals today are highly diverse. “With the rise in geopolitical tension, new threats emerge and new actors enter the scene,” explains Checa. These threats, he acknowledges, are “more complex, persistent, and sophisticated,” and the actors “aren’t really seeking short-term financial gain, but rather accumulating resources that will later facilitate other practices related to espionage, influence, and even corruption.”

According to the company’s latest report, with data from 2024, Equifax neutralizes more than 15 million cyber threats every day, which represents 175 hostile attempts every second, a 25% increase compared to 2023. “We have seen a significant increase in attacks carried out with artificial intelligence,” Checa adds.

He reflects that AI “has democratized cyberattacks, and now people with less technical knowledge can carry out more complex attacks.”

Checa also mentions the rise of deepfakes, audiovisual content that appears real but has been generated or manipulated with AI to deceive the audience. “To counter this, we have migrated to an authentication platform that allows employees accessing our services to use other authentication factors, both biometric and otherwise, instead of passwords.”

AI is also already a defensive tool, although Checa warns against using it for everything in cybersecurity, or at least not as the sole option.

“Our strategy is hybrid. AI alone isn’t capable of defending everything, although it’s a great help. But you can’t base all your defenses on a single technology; the more controls you put in different places and the more different types of technologies you use, the better,” he says, explaining that Equifax also leverages various signature-based protection technologies, among many others.

Challenges of a regional CISO

The CISO acknowledges that cybersecurity management at Equifax is an activity handled internally and globally, although supported by local teams.

“My responsibility as regional CISO is to ensure that the company’s security program is properly implemented at the European level and that we are able to adapt to our specific regulatory environment,” he says.

Checa welcomes the EU’s regulatory push in cybersecurity. “The main regulations that affect us are DORA, as a financial-sector service provider, and NIS2, and frankly, they haven’t required anything we weren’t already doing; we’ve simply had to adapt certain aspects.”

He acknowledges that the need to comply with regulations means that “many companies with our risk appetite can secure the necessary cybersecurity budgets,” and he points out that the NIS2 directive has not yet been transposed into Spanish law. “But the delay also means that the transposition is being taken with the importance it deserves,” he adds.

He further argues that regulation has led to senior management now being directly responsible for company security, which has helped place it at the heart of corporate strategy in many companies. “The most important aspect of cybersecurity regulation, beyond the streamlining of processes and controls imposed by these regulations, is its strategic alignment with senior management.”

The executive is pleased that security, especially since the 2017 incident, has a high profile among Equifax’s senior management. “In fact, I, as Equifax’s CISO for Continental Europe, am part of the management committee, where the budget for this matter is decided,” he says.

Regarding the evolution of the CISO role in the market in general, Checa states: “I’ve been working in security since 2003, so yes, I’ve seen a clear change in this function.” First, he recalls, because “it’s a role that didn’t even exist before, and when it emerged, it had a primarily technical focus. Over the years, it has evolved into a more strategic company profile, more closely tied to the business. The CISO must be a communicator capable of explaining the implications of cybersecurity for the business.”

When asked about the relationship CISOs should have with their CIOs, to whom many CISOs report, Checa says: “In my opinion, there should be a certain degree of independence between the CIO and the CISO, but every company is different. In our case, our global CISO sits on the global management committee; we do as well at the local level.” He acknowledges, however, that from a tactical perspective, it’s beneficial to have close ties with the company’s IT department. “But, as I said, the important thing is to analyze each company’s specific circumstances, its risk appetite, and what works best for it.”

Looking ahead, Checa states that one of his biggest challenges as Equifax’s CISO for Continental Europe is “continuing to adapt to regulatory changes and being able to anticipate and adjust to all the new threats that emerge.” He adds, “My greatest commitment to the company is to be a security leader that delivers value and business. To be a differentiator. That’s what truly motivates and concerns me.”

Nor does he forget the work Equifax is already doing, which Checa says he can’t reveal, to be prepared for the post-quantum era: “We have very strong internal initiatives in this regard,” he says.

Checa works, as he explains, “to ensure that security truly becomes a differentiator from a business perspective, and this, of course, involves protecting all the highly sensitive information we have about our clients and consumers.”

He acknowledges that the role of CISO is “very stressful, but also very rewarding, requiring you to give your best, keep learning, and always be prepared for change.” He concludes that anyone in this role must be aware that “you can never reach the final state of security with all the evolving threats, technologies, and problems that exist today.”

Profile of Javier Checa

Javier Checa is a member of the board of directors of Equifax Iberia and Equifax CISO (Chief Information Security Officer) for Continental Europe. He joined the global credit information company in September 2021 as a senior security analyst and currently combines the role of CISO with that of security risk officer for Equifax Europe.

Checa is a professional with more than 20 years of experience in the cybersecurity field, with expertise in risk management, network security, identity management, security operations and DevSecOps. Before joining Equifax, he held cybersecurity responsibilities at Capgemini, CGI, British Telecom and El Corte Inglés, where he was director of information security, leading several security programs for more than 200,000 users and 5,000 developers.

Checa studied Computer Engineering at the Polytechnic University of Madrid and holds degrees in Data Networks Security Paradigms from the French National Higher School of Telecommunications and in Computer Aided Design of Digital Systems from the European Board of Technology Students, in addition to holding several specific certifications in the field of cybersecurity.
