Equifax CEO Hired a Music Major as the Company's Chief Security Officer
Susan Mauldin, the person in charge of Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security. If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.
Earlier this month Equifax, which is one of the three major consumer credit reporting agencies, said that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver's license numbers. On Friday, the UK arm of the organisation said files containing information on "fewer than 400,000" UK consumers were accessed in the breach.
UPDATE (9/16/2017): CSO Susan Mauldin has abruptly 'retired' from Equifax.
Having a liberal arts degree doesn't disqualify you from working in IT. If you only have a liberal arts degree, no technical certifications and no previous IT experience for a high-level role as CSO, you must have really nice legs.
didn't like introverted males so she refused to interact with them.
Nepotism is rampant pretty much everywhere. I was talking with a coworker this morning how both of us have each given a "thumbs down" to every candidate we've ever interviewed here, yet the people always get hired because they're a friend or friend-of-a-friend.
A good share of this site's users do very important technical work--quite competently--without the educational credentials.
Let's judge people here by their actions, not their degrees.
she will play My Heart Bleeds For You while the other execs sit back and watch 140 million pee-ons "eat cake".
Nothing will happen to anyone involved. The politicians will make noise but do nothing. They are paid for.
Isn't there anyone else in the organization that knows the vpn user/pw is admin/admin that can blow the whistle before hackers dump your sack?
Organizationally it shows these companies have no blue teams looking for red teams. And they have your mortgage documents.
I myself am a music major and have since gone on to be a highly certified security individual. What a person takes as their post-secondary degree when they are 18-24 and starting life doesn't imply they haven't SINCE developed a full suite of skills and certifications making them perfectly suited to the job.
Hell Donald Trump is president of the USA, why can't a third rate musician with no valid understanding of technology or security be in charge of privacy at such a massive firm?
She's helping them sing the blues now.
... imo. Or at least, good programmers. There's a lot of mental overlap between the fields.
There was no such thing as a degree in IT security 10 years ago.
What exactly were you expecting?
Wouldn't you want someone who isn't an expert at singing when it comes time to testify?
You wanna bet the people that hacked Equifax didn't major in security too? Like she would have learned anything in college that would have prevented this. No, this mistake was made by someone much lower in the org than her and they probably had certs/degrees.
Says Security Suzi
"Any high school dropout can be a tech billionaire!"
"Music majors can't do tech stuff!"
Which is it, you fuckheads?
This isn't her secondary degree tho. She's got a BS and masters in music. That is what she studied.
Also if she is self taught, post that in LinkedIn, along with some projects you've worked on that helped you along the way. Yet, all we get is crickets.
This explains the song and dance Equifax has been providing.
Perhaps soon, it will be singing a different tune.
They took it down, but of course the Wayback machine has it. https://web.archive.org/web/20...
No amount of nice legs would get you CSO of a security centered firm with no experience and an unrelated degree. The ruling class take care of their own. Always have. I sure wish the working class did the same...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
She looks like a troll to boot, so totally a feminist affirmative action hire. Fucking idiots.
For those saying having a liberal arts degree doesn't disqualify you from having tech skills, I will have to disagree.
IF YOU ARE DUMB ENOUGH TO GET A LIBERAL ARTS DEGREE IN THE FIRST PLACE.....YOU ARE A FUCKING MORON.
I've got grade 2 piano and no IT qualifications, and yet I'm working in IT instead of busking my way through chopsticks.
If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.
I doubt it has anything to do with keeping her education background secret, and more to do with simply wanting to disappear until this particular shit storm blows over. Lot of (rightfully) angry people out there, some of whom might do (unrightfully) angry things.
systemd is Roko's Basilisk.
In my humble experience, musicians and mathematicians can converse very coherently upon the subject of algorithms. It's truly something to be a fly on the wall for one of those conversations.
However, back to the matter at hand. I suspect that we will learn that Equifax was a shell of a company that is still running XP or even NT and that the business people treated the tech side of the company as janitors who basically had to keep the place looking tidy and those credit card transactions coming in.
---- The above post was generated by the Turing Institute. Maybe.
The new rage is to hire people totally unqualified for their position, especially the top spot. Its rampant at the EPA, DOE, ...etc.
Unqualified people working in IT/software. There needs to be laws to set a bare minimum of qualified degrees or certifications to work above a certain level. Shit, even plumbers must be certified to fix your shitter.
Hard to even consider it a stretch, a music degree vs IT security. I guess she figured IT security paid a lot more than music. Maybe she should consider going back to music?
We have our scapegoat to let the board members off the hook. Not that she's qualified or anything... They just hired somebody that wouldn't demand a high salary. Sounds like a common practice to me.
Now then, as for the other two major consumer credit reporting agencies, when will they report the "breaches"* into their systems? You know it happened there too.
*euphemism for what really was a transfer to a buyer
“He’s not deformed, he’s just drunk!”
IMO this post should be taken down. It is not a technology discussion and it's definitely not "stuff that matters". I personally know liberal arts majors, one of whom has degrees in music and nothing else, who are likely more experienced and qualified in security than 99% of the security folks on /.
Good step onto the slippery slope of becoming yet-another-Reddit. But, if one needs clickbait for ad revenue, one will do just about anything.
Mind the gap...
This is an insult to anyone working hard to make the best of information security. Equifax deserved it!!
It doesn't have to be like this. All we need to do is make sure we keep talking.
It seems she's not a complete novice, she uses some of the right words and is familiar with the idea of tokenization for securing PII in "the cloud" (which is a f*cking stupid idea that adds complexity and increases the attack surface but all the rage with a lot of the security groups I've worked with). This statement also stood out for me: "In today's environment, fully funded, well staffed adversaries can pretty much get to any asset that they decide to target." Oddly enough, I usually consider an attitude like that a sign of security staff who know what they're talking about. I've dealt with too many admins and CISOs who think they are god's gift to security and no one can penetrate their environment. Generally they're wrong... often in spectacular fashion (I was working with such a team this week that was insisting an XSS vulnerability in their custom IDP solution caused by a failure to sanitize inputs was really because it was being "called wrong"... and they just continued to double down when anyone tried to argue their logic... bad guys always follow the rules ya know).
it's exciting to see one of my favorite tv shows come to life.
... of formal vs informal education.
I am a retired IT guy. I never went to school for a goddam thing.
I started as a hobbyist in 1978 (TRS-80) and LIVED the digital revolution.
I have an aptitude for it that school would probably have fucked up.
Infosec and backup were my two nightmares.
I handled them both with best practices, limited only by management's lack of infinite resources, including common sense.
It little behooves the best of us to comment on the rest of us.
Taps at the next board meeting. Die and go down in flames you parasitic scum!
that sounds about right...
I suspect that this is an email interview (at best) with the sitting down part being introductions and pleasantries after which a list of questions was handed to Ms. Mauldin and answers were returned via "her" email.
Mimetics Inc. Twitter
Nothing sets Slashdot off like suggesting that programmers should be subject to certain qualifications (just look through the rest of the comments here). As far as Slashdot is concerned, everybody is a competent programmer except the ones who've ever actually studied it academically.
Proud neuron in the Slashdot hivemind since 2002.
There's lots of valid career paths that could lead to a job in IT, and I would normally accept any reasonable explanation for how she got the job
They tried to cover her academic qualifications up, though, which leads me to a slightly different conclusion...that she got the job by composing an original piece with a title something like, "Duet for Skin Flute and Tulips".
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Most people get their masters right after a bachelors. In fact you can get both in five years if you push it. So that's no proof of anything.
She probably just wanted some privacy since of course as we know the minute someone becomes famous or a meme they will be immediately doxxed and harassed by internet trolls who think it's their job to police things.
Certification won't help. We had a licensed plumber install our dishwasher - wrong. I only knew it because I happened to catch a TV show with Mike Holmes where he pointed out the very same mistake.
So many on here seem to think that a college degree is not required for certain IS/IT related positions. They tout how college degrees are useless.
Well, here you go - she had a BA and MFA. She is obviously intelligent and capable of learning. Her work background had her working in at least two tech related positions given the companies for which she worked.
The comments made by former coworkers indicate she is organized and able to lead her teams. Ultimately, that's what get you an executive job.
However, the details of the role as "Professional" in those organizations leave much to be desired (i.e. no details). And, it's frightening to think that someone unwilling (or unable) to disclose their achievements could rise to the level of CSO at a major organization... hell... what have I been doing wrong? I am infinitely more qualified.
I look forward to the investigative reports that will come from this. But, while I would like to see them responsible for providing the ability to lock/unlock our profiles at will, the reality is that many more companies are accumulating and tracking us. I read the other day that there are upwards of 4500 credit agencies that, while on a smaller scale than Equifax, are selling and using our credit histories.
As a person whose information was leaked by the OPM and, supposedly, being monitored and protected by Equifax, I am very concerned. Something has to be done. I just don't know what that something is.
What does being at the wheel when infosec Chernobyl happens imply?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Agreed - too bad she didn't have her LinkedIn profile sufficiently updated to reflect her current skillset BEFORE the big breach happened.
Given my exposure to Struts 2, it is only used by truly hapless organizations at the moment; front ends evolve and once you are re-skinning you probably are moving to a new framework as well. It wasn't as widely adopted as Struts 1 and by the time it was stable and released it was already eclipsed by other software. In 2017 only systems that are outdated and outmoded are still using Struts, then to not patch zero day vulnerabilities and to have a Struts web tier unsecured to the point where sensitive data could be accessed and then transferred out really confirms the incompetence of the security personnel at Equifax. Breaches happen, but should be contained so that entire databases aren't transferred out.
I hope they end up in Chapter 7 liquidation as soon as possible. It's the only thing that will change any corporate behavior. They need to know that this level of incompetence can result in the death of the business.
So is there a chance that some nepotism was involved?
This guy got millions in bonuses, the term the stock holders need to use is CLAWBACK!
Then maybe JAIL TIME.
Certification is utterly worthless. In fact, certification makes things worse. When actual IT security experts work with people that just have "certifications", we not only have to explain how things actually work, we have to overcome all those wrong ideas first. It is utterly pathetic.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
But she did have the most important qualification: Not a cis gendered white male. Welcome to the new normal. Thanks to insanity like affirmative action it's all about who you are, not the skills you bring to the table.
'scuse me while I go watch "Idiocracy" again.
What a person takes as their post-secondary degree when they are 18-24 and starting life doesn't imply they haven't SINCE developed a full suite of skills and certifications making them perfectly suited to the job.
No, but being the Chief Security Officer presiding over the worst data breach in history because of a simple failure to patch critical systems, DOES imply that.
I fully agree. It is pathetic. I just recently had to explain to some 5-year web application developers at a really large company where they write mission-critical software, what an HTTP-header looks like. These people have zero understanding what they do. They can use some frameworks for implementing simple business logic, but ask them whether a variable is actually stored on client or server side and they just look at you without any understanding at all.
What we need in software creation is _engineers_. You know, people that have a clue how things work and how to build things so that they work and can be maintained. All those unqualified cretins that cannot even use a different text-editor or are clueless when asked how the things they build actually works need to go. They would have more worth for society if they were retired at full wages immediately. Then they would at least stop doing massive damage.
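The client-side versus server-side distinction the comment above complains about is worth seeing in running code, because it is exactly the distinction that decides whether a user can grant themselves a role. The following is an added example, not code from the thread, from Equifax, or from any poster: it parses a constructed raw HTTP/1.1 request so the Cookie header is visible, then resolves the user's role three ways, from a value stored in the cookie itself (client-side state the user fully controls), from an opaque session id that indexes a server-side table, and from a client-side value integrity-protected with an HMAC. The secret key, the in-memory session store and the request bytes are all assumptions made up for the demonstration.

```python
"""
Added example (not from the Slashdot thread): where does a variable live,
on the client or on the server, and what does that mean for trust?

All request bytes, the secret key and the session store are constructed
here for illustration.
"""
import hashlib
import hmac
import secrets

# Assumption: a key that exists only in server memory and is never sent out.
SECRET_KEY = b"server-side-secret-never-sent-to-client"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are case-insensitive, so they are lower-cased; each header
    is split at its first colon only, so values may themselves contain colons.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_cookies(header_value: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            cookies[key] = val
    return cookies


# --- Scheme 1: client-side state. The role is the cookie value itself. ---
def role_from_client_state(headers: dict) -> str:
    """Trusts whatever the browser sent. The user can edit their cookie jar."""
    return parse_cookies(headers.get("cookie", "")).get("role", "anonymous")


# --- Scheme 2: server-side state. The cookie is only an opaque session id. ---
SESSIONS = {}  # session id -> session dict; lives in server memory only


def create_session(role: str) -> str:
    sid = secrets.token_urlsafe(32)  # unguessable, carries no information
    SESSIONS[sid] = {"role": role}
    return sid


def role_from_server_state(headers: dict) -> str:
    sid = parse_cookies(headers.get("cookie", "")).get("sid")
    session = SESSIONS.get(sid)
    return session["role"] if session else "anonymous"


# --- Scheme 3: client-side state, but tamper-evident via HMAC-SHA256. ---
def sign(value: str) -> str:
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def role_from_signed_state(headers: dict) -> str:
    token = parse_cookies(headers.get("cookie", "")).get("role_signed", "")
    value, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the mismatch position through timing.
    if value and hmac.compare_digest(mac, expected):
        return value
    return "anonymous"


def build_request(cookie: str) -> bytes:
    """Constructed request: a browser asking for /admin with the given cookies."""
    return (b"GET /admin HTTP/1.1\r\nHost: example.test\r\n"
            + b"Cookie: " + cookie.encode() + b"\r\n\r\n")


def demo() -> dict:
    """Role each scheme grants to an honest user and to one who edits the cookie."""
    sid = create_session("user")
    honest = build_request(f"role=user; sid={sid}; role_signed={sign('user')}")
    # The attacker rewrites the role and forges a MAC without the key.
    tampered = build_request(f"role=admin; sid={sid}; role_signed=admin.{'0' * 64}")
    results = {}
    for name, raw in (("honest", honest), ("tampered", tampered)):
        _, _, headers, _ = parse_request(raw)
        results[name] = {
            "client_state": role_from_client_state(headers),
            "server_state": role_from_server_state(headers),
            "signed_state": role_from_signed_state(headers),
        }
    return results


if __name__ == "__main__":
    for who, roles in demo().items():
        print(who, roles)
```

Running it shows the tampered request becoming `admin` under scheme 1, staying `user` under scheme 2 (the session id references server memory the client cannot reach), and dropping to `anonymous` under scheme 3 (the forged MAC fails verification). Scheme 3 still leaves the value readable to the client and does not prevent replay of an old signed value; server-side state is the simpler default when the data must stay private or revocable.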
Well, a lot of people here have a lot to lose. But the abysmally bad state that most current software is in is due to the abysmally bad skills of most coders. And this cannot continue.
Given the absurd lack of security at Equifax that has come to light in recent days, I don't care what color her skin is or what's between her legs. The CSO was grossly incompetent and she and anyone involved in hiring her should be fired immediately with cause. It's likely the entire security team needs to be replaced and a large amount of the IT infrastructure. It might be easier to just bankrupt them as I have my doubts that an organization that is so clearly rotten from the top down could ever fix itself.
"Those that start by burning books, will end by burning men."
Do share...
Obligatory XKCD. There really is one for everything.
Oh wait... its used for something else?
There is actually quite a bit that comes with obtaining a music degree that is applicable in IT. I'm not supporting this specific decision or Equifax in general, but determining someone's qualifications specifically by degree is not only short sighted but is the type of thinking that can actually lead to scenarios like this.
This. While there are definitely prodigies without degrees who know their stuff, this is not the majority. I've worked with many self-described developers without degrees and most of them are very slow to complete their assignments. Too busy trying to understand basic crap like 2-dimensional arrays. You know things are messed up when you operate at a normal level and get praised for excellence because everyone else just sucks.
It's very annoying when productivity suffers because being a developer is a hot trend that supposedly anyone can do.
The "CIO" who hired a musician majored in Russian and had a Master in Business.
On even more news, they've both "retired"....
http://money.cnn.com/2017/09/1...
There is no OMG to do with her gender (and why do you imply a vagina means that, sexist much? You can state her physical gender much more easily than that, you know; why refer to her sexual organs?)
There is an OMG about her being at the top of the chain for required Equifax security, and having some possible holes in her background.
Get that?
This person is directly responsible for the largest personal information leak in history.
And their credentials are being questioned.
As they damn well should be.
Because this is a screwup of monumental proportions.
Stop trying to use her sexual organs as a defense.
At least a couple of the funny mods were slightly merited, but I'm pretty baffled by the "insightful" on this one. Something about the financial model of Slashdot? What's to say beyond "It's broken"? Maybe some deeper insightful suggestion on how to improve it?
So after scanning all of the "funny" and "insightful" comments, I did another round of searches for relevance and eventually wound up back at your post for the "personal" embedded in "personally". As of now, it's the only match in the visible part of the largish discussion. Not impressive. Especially since I think you're wrong about the 'not "stuff that matters"' part of it. How would you know? Which leads to my personal involvement...
I actually decided to take action on this fiasco. I decided to try to find out if Equifax has a file on me and if so, was my file leaked. If those questions get positive answers, then I might need to do something. Spent a long time searching, mostly on the Equifax website. Got NOTHING. It's almost like the Equifax people want to pretend there's no problem here.
What's bugging me more and more about this abuse of personal information stuff is that I don't get to join in. Let's take the case of you, hrbmstr. Should I pay any attention to your comments? What is your reputation really like? Companies like Equifax have assembled comprehensive dossiers on you, but I can't even get a short summary for preemptive filtering. Hey, if a troll has no credit history at all, then why should I pretend the troll exists and why should my time be wasted?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
We hired the cheapest idiot that can at least say they have some kind of degree for the ejector seat.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I, myself, hold a music degree and am working my way up an IT career. While I am not currently qualified to be the Chief Security Officer of a major company, it is a distinct possibility that in the future I will be. I don't like how the article and at least some of the comments are blasting her just because of her educational background.
Maybe she did something wrong in her position at Equifax. Maybe not. It's entirely possible that she was doing her job in the best way possible but was stonewalled by the business people out of properly implementing security. Either is possible. It's possible we'll find out as investigations are performed, but it's also possible that we'll never know. Her music degree has nothing to do with it.
For what it's worth, many of the musicians I know are very intelligent people who have been successful in IT or other technical fields.
(Honestly, I don't think I would want to be a Chief Security Officer. Even if you do your job perfectly, a breach is possible, and when it does happen you're the one to take the fall)
Intelligent responses welcome, flames will be met with marshmallows.
But I implemented fizzbuzz on a whiteboard! I'm a Senior Technologist!
But I thought we were supposed to have more women tech executives...
"...5-year web application developers...ask them whether a variable is actually stored on client or server side and they just look at you without any understanding at all."
Bullshit.
Found the person who failed the CISSP!
While certificates are certainly not everything, they are pretty much the only thing you can use to tell a con artist from a security researcher when you yourself don't know jack shit about it. There are different certifications that reflect different skill sets, and it's likely that someone with a security management certification won't necessarily be a good penetration tester, so checking what kind of certification someone has is crucial, security certifications are not all the same.
Ironically, 4 stories earlier, slashdot mentions Alan Kay:
https://tech.slashdot.org/story/17/09/15/1645211/the-father-of-mobile-computing-is-not-impressed
"Kay is also a former professional jazz guitarist, composer, and theatrical designer, and an amateur classical pipe organist." - Wikipedia
Your mom is an infinite recursion.
Yes nothing says she (or anyone with a liberal arts degree) can't be a good security officer.
It's not impossible but it is implausible, especially for a major company where security is essential to the core business and her degree is not in any technical/scientific field at all. Besides, there is now ample evidence that she is an utterly incompetent security officer: 10 weeks to identify the breach, 6 weeks to notify, sequential PIN numbers, UK data exported to the US (which is probably illegal) due to an error etc. plus of course the breach itself.
Still when Equifax collapses and she gets fired at least she will be able to sing for her supper.
There is now an updated story that says Chief Security Officer Susan Mauldin has quit (retired from) her position.
http://www.marketwatch.com/story/2-top-equifax-execs-retire-in-wake-of-massive-data-breach-2017-09-15
Hello,
I took relatively little computer science, even though I program a great deal. See, computers and computer science are largely human creations. Computers and programming languages are *engineered*. *Designed by people*. Designed to make sense. Very different from chemistry, biology, physics or math, where you have to understand the truths that exist, not something that's been designed to make sense.
This being the case, I've always found it easy to just pick up a book and learn technology or programming languages. The hard bits of computer science, for me, were the mathematical bits, and for those I took the classes.
From my perspective, an intelligent person can self-train on programming and computer science pretty effectively.
So I can believe that someone who was educated otherwise can self-educated into an effective "computer technologist".
For the record I've worked for some really excellent women managers in my IT career, but hands down the 2 worst managers I've ever worked for were both women and one of them was moved into management by the company because it had no female managers in any IT office and somehow she got the break of a lifetime and got picked out of the ranks and trained for management simply to show that women could make it. Her lack of solid IT experience eventually became too big a problem to ignore and she was given a golden parachute to leave and is no longer in the industry. I sure wouldn't rule out a very similar thing going on with Equifax here.
But even more, I strongly suspect it's going to come out that Equifax has outsourced its IT to India and probably only has minimal US based IT staff, the vast majority of whom will be on H1-B visas. That doesn't in and of itself mean that they're incompetent, but I've seen this kind of thing before. What happens is that the company outsources or essentially only hires H1-Bs because it doesn't respect the job and while the workers end up being competent, they do only what they are told and no more. So they don't keep up with security patches because nobody told them to do that and they're too overworked to have spare time to look into it. And it could also be that Equifax's management insists that they can't have any downtime at all - ever. It's not common, but I've seen companies insist that they can't ever have any downtime so they don't ever patch anything.
by Anonymous Coward on Friday September 15, 2017 @11:23PM
I saw her full bio before they took it down. NOTHING in her professional education, IT development courses etc, qualified her for that position. She was an affirmative action hire period. As a result of her leadership failure, our entire credit system is on the brink of collapse.
Thank you feminist.
if you suck and fuck your way to the top...
how white privilege and nepotism is alien to Tech's meritocratic utopia in USA
It is a common stereotype that music majors that have not had formal training in network security are not fit to administer network security.
I identify as cyber security expert. Why can't that be enough?
Yea. I don't buy it either.
I know one place I worked, an infosec vendor - one client was a regional bank in the mid Atlantic region. The bank's infosec guy didn't know boolean logic.
Then one place I'd worked - when I left, the guy who was there before me came back. This is after he went to work as an infosec guy for a local bank. He calls me one day and asks what a piece of hardware is, and then proves he doesn't know jack about the IPv4 dot notation limit of 255.
Doesn't inspire great confidence.
Credit reporting is an essential service made possible with IT infrastructure. IT infrastructure is like roads and bridges and buildings, we depend on it; we depend on the credit system. The question is: "what qualifies a person to be in control of infrastructure that we depend on?" In other critical technologies, e.g. airplanes, liability attaches to those in control and when failure occurs. There are two problems here: 1) liability needs to attach to Equifax and its officers and 2) we need to provide for professional licensing in IT security. The root cause was Equifax's failure to employ timely patches to their computer system, a practice well-known and commonly practiced. Equifax should not be allowed liability protection on the consequences arising from their gross negligence. Otherwise, innocent people will bear the consequences of the negligence of unanswerable corporate officers.
Your name wouldn't be Susan Mauldin, would it?
I worked at Equifax as a security analyst on a 6 month contract. Their security was a joke. They had thousands of security vulnerabilities and systems that were unpatched for years. They had regular PCI audits and I was shocked they even passed! When I asked how they could possibly pass the audit with the myriad of vulnerabilities and security holes that were present in the environment a manager remarked "we show the auditors what we want them to see". There was a culture of sticking your head in the sand and hoping it would all go away, rather than doing the hard work to fix the problems. The staff-level people seemed afraid to report the bad news up the food chain and if they did there were ramifications. I knew it would be a matter of time before they got hacked. Shortly thereafter a breach occurred during my tenure that affected Kroger employees. They had another breach last year due to weak security. Hence my subject line.
Or so I keep hearing. And I'll sometimes retort, "No, programmers make the best musicians."
Boardrooms don't want to deal with geeks, and what the C-suite loves more than anything is achieving status as a company! In terms of security this means becoming PCI certified, ISO 2700X certified, or HITRUST certified. They don't care about security until there's a breach!!! Even then they want to put someone in charge who has an MBA and executive presence. It will always be that way and it is extremely rare to find an executive who is geeky technical but also business savvy...
In the late 1990's unemployment was so low, it was actually TOO low. It was possible to walk into a fast food restaurant and get actively ignored by the employees, with the manager seeing what was happening but being unable to fire them.
During that time, I was a part owner of an IT consulting firm. Seriously, we were hiring HR people, credit clerks, salespeople, customer service reps, and graphic designers all TO WRITE SQL and use Crystal Reports, and paying them $70K+ to start.
These people were almost useless. But they were all we could get.
Fascinating. No, I did a CISSP and 5 days preparation (not full time, more like 50%). Finished the exam in 2h and passed (would not have wasted time on a 2nd try). I do _not_ list it on my CV, because a CISSP does not even remotely make you a security expert. It is far, far too shallow for that. Somebody that lists a CISSP as security qualification is somebody to be wary of.
Well, fizzbuzz gives you a rating of "not fully incompetent", but nothing more.
... why the company's response to the incident was such a song and dance.
I started programming in 1968 (recently retired). I have a formal education in CS (all the way to a Ph.D. -- from a real non-correspondence school). I've seen legacy code that has been written by folks that were not formally trained. More than once I've had the opportunity to refactor 1000's LOC down to 10's LOC -- the original author was surprised to learn about loops. SMILE ON.
I prefer to work with fellow engineers who have had some formal CS or SE training. The resulting code IMHO generally has much lower lifecycle costs and safer. Most of the software that I've worked on was life-critical, like implantable medical devices, flight control computers, etc.
the abysmally bad state that most current software is in is due to the abysmally bad skills of most coders
Is there any evidence whatsoever that formal education would improve that situation?
Without further info, I'll bet:
1) She is good looking and
2) Good in bed.
Any takers?
Like I said, it depends on what he is applying for. As a penetration tester? Probably not the most valuable certificate he could have (there's plenty of good material from SANS for that venue). As a CISO? Probably more suitable.
So, I'm curious about the liability of banks, car dealers, collection agencies etc. These companies pass our information to the credit bureaus without our direct permission on a monthly basis. As we are all aware, the information is quite often incorrect and it's up to us to protest. Don't they all have a responsibility to ensure that our data is properly secured? I know lots of people who work at banks that work their tails off to keep things secure. So just throwing the information at the credit bureaus without ensuring that they are secure after all of that work seems insane. It appears to be the abyss. Additionally, if there is a law in place stating that these banks, car dealers etc. must report this monthly, I'll argue that congress is directly responsible for not supplementing the law with proper controls that carry heavy fines for non compliance. Not just for patching but for the entire network, right down to the routers, switches and cables. We all have to have a conversation on what exactly is private vs public too. Drivers Licenses and DOB are no brainers, but what else? I ask because this information sharing has gotten way out of hand.
I see what you're saying. She just doesn't pass the sniff test. I have to admit I'm wrong about people from time to time but by my sniff test she's the pointy haired boss from dilbert.
I'd have this opinion of her if she were a man and heck maybe it's wrong. But she was CSO during probably the worst private sector infosec disaster of the year, she 'retired' and for some reason has made some attempt to obscure her past but didn't bother simply making her entire account private? Why would someone go to all the trouble of contacting all the media she's interviewed with in the past to get her stuff taken down?
Despite these efforts.. half-locking down her linkedin.. scrubbing of old interviews and lectures from the net.... it's not hard to find her work history and it's a long list of stuffy compliance gigs. Why is she so bad at using the internet?
I'm not buying that she's so cutting edge that school doesn't work. I'm not buying the argument that she only needs to know how to lead. She smells like the sort of auditing and compliance drones that have been failing to secure computers since the dawn of the rainbow books. Which sounds about right for a credit reporting agency.