Seemingly overnight, the world of security was turned on its head. Hackers created computer viruses that tore across unprotected networks, wreaking havoc. The threat to global industry was immediate and existential, and an entirely new sector sprung up to meet it: information security. In 1995, Citibank hired Steve Katz as chief information security officer, believed to be the first CISO— pronounced SEE-so—in history.
Graeme saw potential in the chaos. This new information security Wild West needed tools, and he had ideas. During a stint in Auckland, Graeme built a product called "Advisor" that could flexibly analyze different types of computer systems. At a meeting in Singapore, a like-minded US partner quickly grasped the product's value and invited Graeme to the United States to work on it. Curious, open-minded, and hungry, Graeme moved eight thousand miles first to Cleveland and then to Atlanta, to open Ernst and Young's inaugural security consulting practice. He was not yet an expert in the field—but then, no one was. The tides were shifting too quickly, the problems too new for old wisdom. A wave of opportunity was cresting. Graeme grabbed his surfboard and rode.
Today the CISO is a standard position at any major corporation. Forty-one percent of corporate boards see cybersecurity experience as a key qualification for overall directorship. By 2024, the cybersecurity market will reach $300 billion. A worldwide shortage of cybersecurity professionals means 2.9 million positions sit unfilled, while financial losses due to cyberattacks are growing 62% annually, a loss of $1 trillion in 2020 alone.
* * *
By 2011, Graeme was ready for a new kind of change.
Now he was an expert in his field. He'd been traveling the world as a security consultant for fifteen years, and life as a road warrior was beginning to grind him down. His two boys at home in Atlanta needed more guidance in their many (structured, skill-based) activities.
When the offer came to join Equifax as vice president for IT risk and compliance, he jumped. Here was exactly the type of stable, in-house role he was craving. Though the firm was mature, there was still plenty of building and fixing to be done. By 2017, Equifax held records of one billion consumers, one hundred million small and medium businesses, one hundred million employees, $20 trillion in property data, and $20 trillion in wealth data. That August, during an address at the University of Georgia, CEO Richard Smith put it this way: "If you think of the largest library in the world—the Library of Congress—well, Equifax handles twelve hundred times that amount of data every day."
With numbers that large, things went wrong. Often.
In March 2015, for example, Katie Manning, a resident of Portland, Maine, arrived home from work to find her mailbox bursting with letters from Equifax—three hundred in all. Each was addressed personally to her but contained the complete credit history, social security number, and bank account information of a stranger.
Equifax asked Graeme to investigate. He soon learned that Katie wasn't the only one; other people had received hundreds or even thousands of letters containing strangers' private data. Because the reports were on paper, Equifax dispatched teams to retrieve them in person. One recipient in Washington, DC, became paranoid and refused to answer the door. Instead he had the team meet him at night on a public street. At the appointed hour, the Equifax agents had to flash their headlights three times, like spies in a thriller. Only then did the man hand over the reports.
Vulnerabilities and bad actors were always changing, and breaches were more common than Graeme would have liked. With each incident, Graeme's team's goal was to understand, correct, and learn. No one, to his recollection, was laid off.
* * *
In July 2017, Graeme spent the weekend of his fifty-fourth birthday with his wife and boys, outdoors in the scorching Georgia sun. That Sunday he came home to a series of missed calls from his own CISO, Susan Mauldin.
The news was not good. A security breach had targeted a piece of software Graeme managed. The full extent of the breach was as yet unknown, but it was all-hands-on-deck.
Graeme's title at this time was chief information officer for Global Corporate Platforms. Under his purview was the ACIS Portal, a software system used to log records of consumers who wanted to dispute credit reports, report identity theft, initiate a security freeze, or request a copy of their records. A piece of software known as Apache Struts connected ACIS to the database.
Four months before the breach was discovered, 429 Equifax employees, including Graeme, had received email notice of a vulnerability in Apache Struts. The appropriate teams had investigated and applied a patch they believed would suffice.
They were wrong. Hackers broke in and stole data for 148 million US consumers and fifteen million British consumers, including names, social security numbers, home addresses, and driver's license numbers. It has been called the most expensive data breach in history.
Amid the public fallout, several senior employees were let go or sent out for early retirement.