Equifax CEO Richard Smith has become the latest executive to abruptly retire from the company following a massive breach that exposed the data of 143 million US consumers and thousands in Canada and the UK, and cast the company's security practices into question.
“The Board will undertake a search for a new permanent chief executive officer, considering candidates both from within and outside the company,” the credit reporting firm said in a statement, which named board member Mark Feidler as non-executive chairman and Equifax's president, Asia Pacific, Paulino do Rego Barros, Jr., as interim CEO. “Mr Smith has agreed to serve as an unpaid adviser to Equifax to assist in the transition.”
Apologising for the breach and its impact, Feidler noted that “the Board remains deeply concerned about and totally focused on the cyber-security incident” and is “working intensely” to provide consumer support and make the changes “to minimise the risk” of a future incident. “We have formed a Special Committee of the Board to focus on the issues arising from the incident and to ensure that all appropriate actions are taken,” Feidler said.
Equifax's CSO and CIO retired earlier in the month after the company disclosed that hackers exploited a known vulnerability in Apache Struts (CVE-2017-5638), a flaw for which a patch had been available since March, months before the intrusion.
At the time Sen. Chuck Schumer, D-N.Y., suggested that Smith and the company's board should resign if they did not quickly take the initiative - including notifying customers and allowing credit freezes for 10 years - to protect consumers.
"We need to get to the bottom of this - the very bottom, the murky bottom, the dirty bottom," the senator was quoted as saying. The Federal Trade Commission, the Securities and Exchange Commission and a pair of congressional committees, including the House Energy and Commerce Committee, where Smith will testify on 3 October, intend to do just that.
Saying he has “been completely dedicated to making this right,” Smith contended in a statement that “at this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”
Equifax and its leadership have been roundly skewered for both sub-par security practices and delays in discovering and disclosing breaches. Viewpost CSO and general counsel Chris Pierson noted that while hackers could penetrate any company and exfiltrate data, it "appears" that Equifax "had their head in the sand from a cyber-security perspective, but also from a governance and breach response perspective as well."
That's why Smith "had to go," Pierson said. "Sometimes you must play the cards you are dealt and what you do with them is what matters."
Smith and both external and internal members of his team "bungled every step of the response: messaging, PR, consumer protection communications and offers, and everything else imaginable," he said. "The breach is a shining example of what happens when you do not prepare for data breach response ahead of time, do not adequately tabletop your responses, and do not have that single incident commander leading the charge."
Calling cyber-security "a board-level matter" dependent "upon a strong cyber-security culture" that starts at the top, Pierson advised, "If the current technology professionals are unable to have a seat at the business table, then companies must find the business and risk person who is a cyber-security expert and give them the seat at the table."
While most commentators focused on what boards need to do to keep their jobs in the event of a breach - especially once GDPR starts inflicting company-destroying fines - Lev Lesokhin, EVP of strategy at software-quality measurement company Cast Software, emailed SC Media UK to take a different tack.
While agreeing that cyber-risk management should run throughout the organisation he went on to suggest the problem is that developers today have too narrow a focus and do not consider the business implications of what they create. He commented: “What Equifax brings to light is that we are under a shortage of talented developers and cannot keep up with business demand and tech complexity at the same time, creating further software risk. The solution is NOT to rely on the ability to hire good developers so they write good software – there just aren't enough skilled developers with whole-system vision to go around. We need to take our most senior developers, have them design the architectures for data protection, and then ensure these architectural constructs are followed by the developer plebiscite with every build." He also cited a recent Cast survey of developers noting that only about half (54 percent) of developers understand the architecture of their overall application.