Equifax’s security chief had some problems, but being a music major wasn’t one (opens in new tab)

(washingtonpost.com)

20 pointskonceptz8y ago10 comments

10 comments

9 comments · 4 top-level

dingo_bat8y ago· 4 in thread

These articles are misguided. Nobody's saying music majors are idiots and unqualified to be in-charge of security at a web company because of the degree itself. If you're hearing that maybe it's your own thoughts bubbling up on you.

What people want to highlight is that this woman's only qualification is being a music major. She has literally no experience in managing the security of hundreds of millions of people's private information. For a company handling such huge amounts of such sensitive data, the CSO should possess exceptional credentials in the security community. She clearly does not.

Combine this with the facts that we know are correct (Equifax has terrible data security and response), and the music major qualification becomes a big red flag.

When sexual harassment allegations against Uber executives surfaced, didn't we put a lot of blame on the CEO for letting such a work-culture thrive? The same is applicable here on the CSO, and the CEO for hiring a woman whose sole achievement is a music degree.

detaro8y ago

Take a look at the links to the articles this article criticizes. They do not highlight general lack of qualifications, they focus almost entirely on the music education angle when talking about her.

E.g. http://www.marketwatch.com/story/equifax-ceo-hired-a-music-m... talks about her non-degree experience with one sentence:

> To play devil’s advocate, Mauldin does at least have 14 years’ private-sector experience since getting her degrees.[...] The question is how far any of this can take you in this field if you don’t have a formal education in technology.

Pointing out to the general public that this alone is not unusual in the field is IMHO important context. And it's not like the article is trying to argue that she was good at her job, just that you can't derive much information from the pure fact what degree someone has.

jancsika8y ago

So if Signal turns out to have a critical bug will it become relevant that Moxie is a boating enthusiast?

Daviey8y ago

The Linkedin profile is now gone.. but the employment history was listed as "Professional" for the CSO's previous positions - rather than showing a graceful rise to a C-level position.

C-Level is amongst other things, a strategic and political position.

After an incident like this, it is understandable that people look at the profile of those entrusted with this responsibility.

If we look at Moxie's OSINT, we'd quickly see that he was perfectly qualified based on his presence in the ecosystem (conference talks etc).

A more suitable comparison would be the CSO of Equifax's competitor - which is Experian.

Do the same comparison with their CSO:

  - Director of Security / Compliance,Capital One
  - VP of Information Security, Citi Group
  - Director Information Security and Risk Management, Thomson Reuters
  - Director / CSO, Experian

Oh, this candidate also has relevant publications, certifications and a PhD in Computer Science..

Whilst I think the education is relevant, I don't think it is the defining factor... But.. We should be careful to jump to "education doesn't matter".

Was this the right person to be entrusted with the strategy for OUR data security? We simply don't know... but what we have seen has caused concern.

1 more reply

synicalx8y ago

Boating enthusiast isn't a qualification?

rgbrenner8y ago· 1 in thread

The edited title here ("Equifax’s security chief had some big problems") doesnt match the article. There's no discussion about Mauldin's problems.

The full title is "Equifax’s security chief had some big problems. Being a music major wasn’t one of them."

And the article is entirely about that 2nd part... that her degree in music shouldn't be an issue.

micah948y ago

I noticed this too. Was waiting for the big problems and they never surfaced. I expected him to talk about ignoring warnings from low-level people or disregarding PCI-compliance reports... It's easy to dismiss the music major thing as "fake news" or whatever you want to call it. What did this multi-million dollar organization miss? Surely they have outside PCI checks for common security issues, right? Maybe she ignored middle managers. Did they fail to renew some contract (like the NHS did to pay for extended Windows XP support) and updates stopped? What was it?

downrightmike8y ago

Do C-level exec have performance reviews? That'd be more telling than the degree etc etc

purplezooey8y ago

Let's face it, security is a tough, technical challenge. The friendly slide decks with clip art of people shaking hands and "consultants" that make us feel good can only get you so far.

j / k navigate · click thread line to collapse