It was interesting reading the recent DIGIT article stating the US state of Illinois had settled the data breach case with Equifax for $19.5 million.
“It was critical from day one that we saw the world from the same approach, the same philosophy, so that we could change the tone from the top, and through the entire organisation,” said Bryson Koehler, CTO of Equifax, at the RSA Conference in January.
In partnership with CISO Jamil Farshchi, Koehler described the path forward for the once-beleaguered credit reporting agency.
Equifax has shown exceptional leadership by publicly sharing lessons learned. Among the most impactful is the recognition that deliberate changes in company culture mitigate risk.
Cultural change also produces more secure software and, according to a new survey, happier developers.
A recent survey confirms the role culture plays in security and happiness. The seventh annual DevSecOps Community Survey is the first to demonstrate parallels between developer happiness, development tools and software security.
It was produced by Sonatype, the company Equifax enlisted to protect their open-source software supply chain.
Happy devs at the forefront of software supply chain security
The company surveyed 5,045 developers from 102 countries. The survey showed compelling evidence that happier developers work on teams with mature DevSecOps practices. DevSecOps culture emphasizes team learning through collaboration and transparency, all cultural adaptations that Equifax embraced post-breach.
Crucially, the survey found that teams that invest in open-source software (OSS) governance tools reduce developer strain and dramatically improve security outcomes at the same time.
For example, when asked what security tools their teams used, happier and more mature DevOps teams were more likely to use WAF (Web Application Firewall), OSS Governance (Open Source Software Governance) and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) tools.
This is especially relevant to Equifax because their troubles originated with a known-vulnerable Apache Struts component on an internet-facing web server: a fix was publicly available, but the update had not been prioritized as critical.
Had there been better processes, OSS governance tooling that flags a vulnerable component the moment an advisory is published, and a collaborative rather than competitive culture, the company might have avoided the breach.
But instead of looking back, Equifax is looking forward and making investments that lead to the greatest positive impact.
Developers, who may or may not have specific security skills or interest, are central to the secure software development process. Enabling developers with open source governance tools makes their jobs easier and makes open source component monitoring more effective. This makes developers happy.
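To make concrete what an open source governance tool does for a developer, here is a minimal software-composition-analysis gate written for this article. It is an added example, not code from the article, from Equifax, or from Sonatype's products. It parses the `groupId:artifactId:type:version:scope` lines that `mvn dependency:list` prints, checks each coordinate against an advisory table, and orders the findings so that a known-vulnerable component on an internet-facing service goes to the front of the queue. The advisory table, the version ranges, the severities, the `internet_facing` deployment flag and the sample dependency list are all constructed for illustration; they are not real advisory data and reference no real CVE.

```python
"""Minimal dependency gate (added example; constructed data, no real advisories)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def version_key(version: str) -> Tuple[int, ...]:
    """Map '2.3.9' or '2.5.10.1' onto a fixed-width numeric tuple.

    Comparing versions as strings gets this wrong ('2.3.9' > '2.3.20'), which is
    exactly the kind of mistake that leaves an old component marked as current.
    """
    nums = []
    for piece in version.split(".")[:4]:
        m = re.match(r"\d+", piece)          # tolerate suffixes such as '10-beta'
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 4:                      # so that 2.5 == 2.5.0
        nums.append(0)
    return tuple(nums)


@dataclass(frozen=True)
class Advisory:
    coordinate: str                           # "groupId:artifactId"
    affected: Tuple[Tuple[str, str], ...]     # inclusive (low, high) version ranges
    fixed_in: Tuple[str, ...]
    severity: str                             # low | medium | high | critical


@dataclass(frozen=True)
class Dependency:
    coordinate: str
    version: str
    scope: str


@dataclass(frozen=True)
class Finding:
    coordinate: str
    version: str
    severity: str
    internet_facing: bool
    fixed_in: Tuple[str, ...]

    @property
    def priority(self) -> int:
        # Constructed scoring: severity sets the base, exposure doubles it.
        base = {"critical": 100, "high": 50, "medium": 20, "low": 5}[self.severity]
        return base * (2 if self.internet_facing else 1)


# Matches the dependency lines of `mvn dependency:list`, with or without the [INFO] prefix.
MAVEN_LINE = re.compile(
    r"^\s*(?:\[INFO\]\s*)?([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+):(\w+)\s*$"
)


def parse_dependency_list(text: str) -> List[Dependency]:
    """Keep only groupId:artifactId:type:version:scope lines; skip headers and blanks."""
    deps = []
    for line in text.splitlines():
        m = MAVEN_LINE.match(line)
        if m:
            deps.append(Dependency(f"{m.group(1)}:{m.group(2)}", m.group(3), m.group(4)))
    return deps


def is_affected(adv: Advisory, version: str) -> bool:
    """True when the version falls inside any inclusive affected range."""
    v = version_key(version)
    return any(version_key(lo) <= v <= version_key(hi) for lo, hi in adv.affected)


def scan(deps: List[Dependency], advisories: Dict[str, List[Advisory]],
         internet_facing: bool) -> List[Finding]:
    """Match every shipped dependency against the advisory table, most urgent first."""
    findings = []
    for d in deps:
        if d.scope == "test":                 # policy choice: test-only code never ships
            continue
        for adv in advisories.get(d.coordinate, []):
            if is_affected(adv, d.version):
                findings.append(Finding(d.coordinate, d.version, adv.severity,
                                        internet_facing, adv.fixed_in))
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def gate(findings: List[Finding], block_at: str = "high") -> bool:
    """Return True if the build may proceed; block on any finding at or above block_at."""
    order = ["low", "medium", "high", "critical"]
    threshold = order.index(block_at)
    return all(order.index(f.severity) < threshold for f in findings)


# Constructed advisory table: coordinates, ranges and severities are illustrative only.
ADVISORIES: Dict[str, List[Advisory]] = {
    "org.apache.struts:struts2-core": [
        Advisory("org.apache.struts:struts2-core",
                 affected=(("2.3.0", "2.3.20"), ("2.5.0", "2.5.12")),
                 fixed_in=("2.3.21", "2.5.13"), severity="critical"),
    ],
    "com.example:legacy-json": [
        Advisory("com.example:legacy-json", affected=(("1.0.0", "1.4.2"),),
                 fixed_in=("1.4.3",), severity="high"),
    ],
}

# Constructed `mvn dependency:list` output for a hypothetical web application.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.9:compile
[INFO]    com.example:legacy-json:jar:1.4.2:compile
[INFO]    com.example:legacy-json:jar:1.4.2:test
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
"""


def run(dependency_list: str = SAMPLE_DEPENDENCY_LIST, internet_facing: bool = True):
    findings = scan(parse_dependency_list(dependency_list), ADVISORIES, internet_facing)
    return findings, gate(findings)


if __name__ == "__main__":
    results, ok = run()
    for f in results:
        print(f"[{f.severity:8}] {f.coordinate}:{f.version} "
              f"internet-facing={f.internet_facing} fixed in {', '.join(f.fixed_in)}")
    print("build allowed" if ok else "build blocked: upgrade before deploying")
```

In a pipeline this gate runs on every build, so the decision about whether a component is still acceptable is made automatically and early rather than left to someone remembering to prioritize a ticket; the `internet_facing` flag is what turns a generic finding into the urgent one.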
The happiness boost is available to all
The DevSecOps Community Survey results show the strong correlation between implementing open source software governance and increasing developer happiness.
For example, compared with developers on less mature teams, the survey found that developers on teams with DevSecOps practices and OSS governance in place were more likely to:
- Say they like their job (1.5x more likely)
- Get work done (1.3x more likely)
- Encourage friends to come work with them (1.6x more likely)
An investment in automated software composition analysis tools, coupled with DevSecOps maturity, yields many beneficial outcomes. Developers can focus their talents on other, innovative pursuits. And workplace happiness? That’s an added bonus, too.
As Farshchi said at RSA Conference of the new leadership at Equifax: “As we kicked things off [after the breach] we were focused on the culture piece, and focused on culture throughout the organization.”
While investment in the right tools and practices is critical, culture is king when it comes to DevSecOps.