Hacker News

Like much of the infrastructure in the real world, the sad fact of cybersecurity is that in many cases, attacks aren't known merely because someone semi-informed has not committed much effort to getting in, or, more likely, has not yet triggered an event that would publicize their intrusion.

sillysaurus may be overgeneralizing a bit, but he is correct about the vast majority of companies. To me, the key differentiator between companies with serious security projects v. companies with me-too, mantelpiece-style security projects is active, engaged technical leadership at the very top.

This is not to defend Equifax as much as it's to desecrate the widespread dogma of the managerial class that an MBA qualifies a person to lead any project. Time after time after time, most of us who've worked in corporate America have seen security pushed to the bottom of the stack, only becoming a consideration for about 18 months after the last close call or underpublicized breach. There is virtually no appreciation for the problem itself at high levels, or the complexity involved in reasonably subjugating it.

CISO is something of a nightmare job because you're essentially the company's designated patsy/lightning rod. Most of the time, CISOs and those in analogous roles get stuck with the blame for the company's security without ever really being given the authority to do anything about it.

I knew a CISO who set up camp, including a prop tent, outside of the CIO's office until he finally agreed to get his guys to patch a server. The CISO took a picture of himself doing so, because he knew the game: if an intrusion occurred, he would have apparent visual proof that would allow him to deflect blame onto the CIO.

Reckless disregard like this is absolutely common and routine, and if you have any doubt about that, a cursory inspection of the sites of companies that are not tech pioneers will easily disabuse you of any contrary notion. Equifax is not alone here, not by a long shot. Not even among large companies dealing with sensitive financial data (don't ask how I know).

The only reason we haven't seen (or, more likely, haven't learned about) widespread cyber-intrusion-apocalypse is because semi-competent people just have other things to do, and there is substantial legal risk if caught. I fully believe that 95% of America's biggest companies have systems that are easily penetrable.

Again, let me reiterate that this is not making an excuse for Equifax. It's just acknowledging that the problem supersedes this single instance. We need a revolution in system admin and application security before we'll solve these issues, because the plain fact is that companies simply can't be trusted to do it under the current conditions.
