Five years ago, in 2017, Equifax Inc., a global credit-reporting agency, suffered a data breach that exposed the personal information of 147 million people. As the crisis unfolded, Julia Houston, the company’s chief strategy and marketing officer, was part of the team managing the fallout.
Her takeaway: “Every executive really needs to be a student of crisis.”
Houston discussed the need for resilience with Ida Kristensen, a senior partner with McKinsey’s Risk & Resilience Practice, during the company’s Thrive 2022 leadership event. The virtual summit brings together C-suite, risk leaders, and others to share their experience in planning, managing, and building to cope and thrive in a continuously changing risk environment.
Equifax has transformed nearly every aspect of its business since 2017, emerging as a company with a strong culture of security and risk management. Houston has been an integral part of the transformation, using her legal and compliance background to reshape practices.
Houston believes other companies can learn from many of the lessons of the breach. As Houston noted, the best time to begin telling a company’s “corporate story” is not in a time of crisis. The breach highlighted that Equifax had not spent enough time prior to the incident telling that story (the basics of what Equifax was or did), and that led to reputational risk concerns, including misunderstanding and public opinion in the wake of the breach.
But the company moved quickly to invest in building an industry-leading cybersecurity program—and to rethink its approach to risk, change, and leadership. It spent $1.5 billion in the ensuing years to completely transform its technology and security infrastructure.
That was the obvious move. A bigger one, Houston said, was a cultural shift around risk.
It started at the top. These days, the audit and technology committees on Equifax’s board of directors meet jointly to review outstanding security- and technology-related compliance and audit findings. The security team reports quarterly on the status of each key project. Equifax’s employees, including the CEO and board, receive customized mandatory security training at least annually. Employees are given a monthly security report card.
“Once you’ve been through a crisis of the magnitude that we experienced, it fortunately doesn’t take a lot of convincing to make an investment in resilience,” Houston said, adding, “I like to say that we followed Winston Churchill’s admonitions to never let a good crisis go to waste.”
Read excerpts of the interview with Houston, or watch the video recording to hear how Equifax used this crisis to build stronger organizational resilience.
Lessons from the data breach. How Equifax learned on the fly about managing the event.
“When a crisis occurs, I think you have to decide who’s in charge and then empower that person to make decisions,” Houston said. “You know, I found it almost impossible for us to try to make decisions by committee. You simply don’t have time.”
Why it’s important to tell your corporate story in advance of a potential crisis.
“We really hadn’t spent enough time investing in positive PR and in telling the Equifax story and ensuring that people understand the reason we exist,” Houston said. “And … the role that we play in the financial ecosystem.”
“Never underestimate the speed of the news cycle”
“You want to communicate transparently and accurately, but your facts are still evolving.”
Equifax changes its approach to become “best in class”
“More important than the financial investments, and the hiring we’ve done, (is that) we’ve put a lot of time and effort and thought and energy into building the right culture,” Houston said. “I’ve heard our CISO say a lot of times that culture is the thing that separates good security from great security, and so the way we approached it was to say that: make sure that everyone sees security as their own responsibility.”
A willingness to change, even for a 120-year-old company
“Effective change management is one of the most underrated tools in corporate America,” Houston said. “You’ve got to set the tone at the top, but executives can’t just decide they’re going to change and expect everybody in the organization to adapt. You’ve got to get all your thousands of employees on board and manage that change all the way down through the organization.”
The post "Managing a cyber risk event: ‘Be a student of a crisis’" appeared first on McKinsey Insights