Equifax CEO Hired a Music Major as the Company's Chief Security Officer
Susan Mauldin, the person in charge of Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security. If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.
Earlier this month Equifax, which is one of the three major consumer credit reporting agencies, said that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver's license numbers. On Friday, the UK arm of the organisation said files containing information on "fewer than 400,000" UK consumers were accessed in the breach.
UPDATE (9/16/2017): CSO Susan Mauldin has abruptly 'retired' from Equifax.
Having a liberal arts degree doesn't disqualify you from working in IT. If you only have a liberal arts degree, no technical certifications and no previous IT experience for a high-level role as CSO, you must have really nice legs.
didn't like introverted males so she refused to interact with them.
A good share of this site's users do very important technical work--quite competently--without the educational credentials.
Let's judge people here by their actions, not their degrees.
Isn't there anyone else in the organization that knows the vpn user/pw is admin/admin that can blow the whistle before hackers dump your sack?
Organizationally it shows these companies have no blue teams looking for red teams. And they have your mortgage documents.
I myself am a music major and have since gone on to be a highly certified security individual. What a person takes as their post-secondary degree when they are 18-24 and starting life doesn't imply they haven't SINCE developed a full suite of skills and certifications making them perfectly suited to the job.
Hell Donald Trump is president of the USA, why can't a third rate musician with no valid understanding of technology or security be in charge of privacy at such a massive firm?
She's helping them sing the blues now.
... imo. Or at least, good programmers. There's a lot of mental overlap between the fields.
Wouldn't you want someone who isn't an expert at singing when it comes time to testify?
You wanna bet the people that hacked Equifax didn't major in security too? Like she would have learned anything in college that would have prevented this. No, this mistake was made by someone much lower in the org than her and they probably had certs/degrees.
"Any high school dropout can be a tech billionaire!"
"Music majors can't do tech stuff!"
Which is it, you fuckheads?
This isn't her secondary degree though. She's got a BS and masters in music. That is what she studied.
Also if she is self taught, post that in LinkedIn, along with some projects you've worked on that helped you along the way. Yet, all we get is crickets.
They took it down, but of course the Wayback machine has it. https://web.archive.org/web/20...
No amount of nice legs would get you CSO of a security centered firm with no experience and an unrelated degree. The ruling class take care of their own. Always have. I sure wish the working class did the same...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I've got grade 2 piano and no IT qualifications, and yet I'm working in IT instead of busking my way through chopsticks.
If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.
I doubt it has anything to do with keeping her education background secret, and more to do with simply wanting to disappear until this particular shit storm blows over. Lot of (rightfully) angry people out there, some of whom might do (unrightfully) angry things.
systemd is Roko's Basilisk.
In my humble experience, musicians and mathematicians can converse very coherently upon the subject of algorithms. It's truly something to be a fly on the wall for one of those conversations.
However, back to the matter at hand. I suspect that we will learn that Equifax was a shell of a company that is still running XP or even NT and that the business people treated the tech side of the company as janitors who basically had to keep the place looking tidy and those credit card transactions coming in.
---- The above post was generated by the Turing Institute. Maybe.
Unqualified people working in IT/software. There needs to be laws to set a bare minimum of qualified degrees or certifications to work above a certain level. Shit, even plumbers must be certified to fix your shitter.
We have our scapegoat to let the board members off the hook. Not that she's qualified or anything... They just hired somebody that wouldn't demand a high salary. Sounds like a common practice to me.
Now then, as for the other two major consumer credit reporting agencies, when will they report the "breaches"* into their systems? You know it happened there too.
*euphemism for what really was a transfer to a buyer
“He’s not deformed, he’s just drunk!”
IMO this post should be taken down. It is not a technology discussion and it's definitely not "stuff that matters". I personally know liberal arts majors, one of whom has degrees in music and nothing else, who are likely more experienced and qualified in security than 99% of the security folks on /.
Good step onto the slippery slope of becoming yet-another-Reddit. But, if one needs clickbait for ad revenue, one will do just about anything.
Mind the gap...
This is an insult to anyone working hard to make the best of information security. Equifax deserved it!!
It doesn't have to be like this. All we need to do is make sure we keep talking.
It seems she's not a complete novice, she uses some of the right words and is familiar with the idea of tokenization for securing PII in "the cloud" (which is a f*cking stupid idea that adds complexity and increases the attack surface but all the rage with a lot of the security groups I've worked with). This statement also stood out for me: "In today's environment, fully funded, well staffed adversaries can pretty much get to any asset that they decide to target." Oddly enough, I usually consider an attitude like that a sign of security staff who know what they're talking about. I've dealt with too many admins and CISOs who think they are god's gift to security and no one can penetrate their environment. Generally they're wrong... often in spectacular fashion (I was working with such a team this week that was insisting an XSS vulnerability in their custom IDP solution caused by a failure to sanitize inputs was really because it was being "called wrong"... and they just continued to double down when anyone tried to argue their logic... bad guys always follow the rules ya know).
it's exciting to see one of my favorite tv shows come to life.
... of formal vs informal education.
I am a retired IT guy. I never went to school for a goddam thing.
I started as a hobbyist in 1978 (TRS-80) and LIVED the digital revolution.
I have an aptitude for it that school would probably have fucked up.
Infosec and backup were my two nightmares.
I handled them both with best practices, limited only by management's lack of infinite resources, including common sense.
It little behooves the best of us to comment on the rest of us.
that sounds about right...
Nothing sets Slashdot off like suggesting that programmers should be subject to certain qualifications (just look through the rest of the comments here). As far as Slashdot is concerned, everybody is a competent programmer except the ones who've ever actually studied it academically.
Proud neuron in the Slashdot hivemind since 2002.
There's lots of valid career paths that could lead to a job in IT, and I would normally accept any reasonable explanation for how she got the job
They tried to cover her academic qualifications up, though, which leads me to a slightly different conclusion...that she got the job by composing an original piece with a title something like, "Duet for Skin Flute and Tulips".
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Could be useless feedback, could be broken hiring process. Not enough information.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
So many on here seem to think that a college degree is not required for certain IS/IT related positions. They tout how college degrees are useless.
Well, here you go - she had a BA and MFA. She is obviously intelligent and capable of learning. Her work background had her working in at least two tech related positions given the companies for which she worked.
The comments made by former coworkers indicate she is organized and able to lead her teams. Ultimately, that's what get you an executive job.
However, the details of the role as "Professional" in those organizations leave much to be desired (i.e. no details). And, it's frightening to think that someone unwilling (or unable) to disclose their achievements AND rise to the level of CSO at a major organization..hell...what have I been doing wrong? I am infinitely more qualified.
I look forward to the investigative reports that will come from this. But, while I would like to see them responsible for providing the ability to lock/unlock our profiles at will, the reality is that many more companies are accumulating and tracking us. I read the other day that there are upwards of 4500 credit agencies that, while on a smaller scale than Equifax, are selling and using our credit histories.
As a person whose information was leaked by the OPM and, supposedly, being monitored and protected by Equifax, I am very concerned. Something has to be done. I just don't know what that something is.
What does being at the wheel when infosec Chernobyl happens imply?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Agreed - too bad she didn't have her LinkedIn profile sufficiently updated to reflect her current skillset BEFORE the big breach happened.
Certification is utterly worthless. In fact, certification makes things worse. When actual IT security experts work with people that just have "certifications", we not only have to explain how things actually work, we have to overcome all those wrong ideas first. It is utterly pathetic.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I fully agree. It is pathetic. I just recently had to explain to some 5-year web application developers at a really large company where they write mission-critical software, what an HTTP-header looks like. These people have zero understanding what they do. They can use some frameworks for implementing simple business logic, but ask them whether a variable is actually stored on client or server side and they just look at you without any understanding at all.
What we need in software creation is _engineers_. You know, people that have a clue how things work and how to build things so that they work and can be maintained. All those unqualified cretins that cannot even use a different text-editor or are clueless when asked how the things they build actually works need to go. They would have more worth for society if they were retired at full wages immediately. Then they would at least stop doing massive damage.
Well, a lot of people here have a lot to lose. But the abysmally bad state that most current software is in is due to the abysmally bad skills of most coders. And this cannot continue.
Given the absurd lack of security at Equifax that has come to light in recent days, I don't care what color is her skin or what's between her legs. The CSO was grossly incompetent and she and anyone involved in hiring her should be fired immediately with cause. Its likely the entire security team needs to be replaced and a large amount of the IT infrastructure. It might be easier to just bankrupt them as I have my doubts that an organization that is so clearly rotten from the top down could ever fix itself.
"Those that start by burning books, will end by burning men."
Ahem. "Our [Information Security] MSc programme was the first of its kind in the world, running for the first time in 1992." Source: https://www.royalholloway.ac.u...
Do share...
Obligatory XKCD. There really is one for everything.
There is actually quite a bit that comes with obtaining a music degree that is applicable in IT. I'm not supporting this specific decision or Equifax in general, but determining someone's qualifications specifically by degree is not only short sighted but is the type,of thinking that can actually lead to scenarios like this.
The "CIO" who hired a musician majored in Russian and had a Master in Business.
On even more news, they've both "retired"....
http://money.cnn.com/2017/09/1...
There is no OMG to do with her gender (and why do you imply a vagina means that, sexist much? You can state her physical gender more easily than that you know, why refer to her sexual organs?)
There is an OMG about her being at the top of the chain for required Equifax security, and having some possible holes in her background.
Get that?
This person is directly responsible for the largest personal information leak in history.
And their credentials are being questioned.
As they damn well should be.
Because this is a screwup of monumental proportions.
Stop trying to use her sexual organs as a defense.
At least a couple of the funny mods were slightly merited, but I'm pretty baffled by the "insightful" on this one. Something about the financial model of Slashdot? What's to say beyond "It's broken"? Maybe some deeper insightful suggestion on how to improve it?
So after scanning all of the "funny" and "insightful" comments, I did another round of searches for relevance and eventually wound up back at your post for the "personal" embedded in "personally". As of now, it's the only match in the visible part of the largish discussion. Not impressive. Especially since I think you're wrong about the 'not "stuff that matters"' part of it. How would you know? Which leads to my personal involvement...
I actually decided to take action on this fiasco. I decided to try to find out if Equifax has a file on me and if so, was my file leaked. If those questions get positive answers, then I might need to do something. Spent a long time searching, mostly on the Equifax website. Got NOTHING. It's almost like the Equifax people want to pretend there's no problem here.
What's bugging me more and more about this abuse of personal information stuff is that I don't get to join in. Let's take the case of you, hrbmstr. Should I pay any attention to your comments? What is your reputation really like? Companies like Equifax have assembled comprehensive dossiers on you, but I can't even get a short summary for preemptive filtering. Hey, if a troll has no credit history at all, then why should I pretend the troll exists and why should my time be wasted?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
We hired the cheapest idiot that can at least say they have some kind of degree for the ejector seat.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I, myself, hold a music degree and am working my way up an IT career. While I am not currently qualified to be the Chief Security Officer of a major company, it is a distinct possibility that in the future I will be. I don't like how the article and at least some of the comments are blasting her just because of her educational background.
Maybe she did something wrong in her position at Equifax. Maybe not. It's entirely possible that she was doing her job in the best way possible but was stonewalled by the business people out of properly implementing security. Either is possible. It's possible we'll find out as investigations are performed, but it's also possible that we'll never know. Her music degree has nothing to do with it.
For what it's worth, many of the musicians I know are very intelligent people who have been successful in IT or other technical fields.
(Honestly, I don't think I would want to be a Chief Security Officer. Even if you do your job perfectly, a breach is possible, and when it does happen you're the one to take the fall)
Intelligent responses welcome, flames will be met with marshmallows.
Found the person who failed the CISSP!
While certificates are certainly not everything, they are pretty much the only thing you can use to tell a con artist from a security researcher when you yourself don't know jack shit about it. There are different certifications that reflect different skill sets, and it's likely that someone with a security management certification won't necessarily be a good penetration tester, so checking what kind of certification someone has is crucial, security certifications are not all the same.
Yes nothing says she (or anyone with a liberal arts degree) can't be a good security officer.
It's not impossible but it is implausible, especially for a major company where security is essential to the core business and her degree is not in any technical/scientific field at all. Besides, there is now ample evidence that she is an utterly incompetent security officer: 10 weeks to identify the breach, 6 weeks to notify, sequential PIN numbers, UK data exported to the US (which is probably illegal) due to an error etc. plus of course the breach itself.
Still when Equifax collapses and she gets fired at least she will be able to sing for her supper.
There is now an updated story that says Chief Security Officer Susan Mauldin has quit (retired from) her position.
http://www.marketwatch.com/story/2-top-equifax-execs-retire-in-wake-of-massive-data-breach-2017-09-15
For the record I've worked for some really excellent women managers in my IT career, but hands down the 2 worst managers I've ever worked for were both women and one of them was moved into management by the company because it had no female managers in any IT office and somehow she got the break of a lifetime and got picked out of the ranks and trained for management simply to show that women could make it. Her lack of solid IT experience eventually became too big a problem to ignore and she was given a golden parachute to leave and is no longer in the industry. I sure wouldn't rule out a very similar thing going on with Equifax here.
But even more, I strongly suspect it's going to come out that Equifax has outsourced its IT to India and probably only has minimal US based IT staff, the vast majority of whom will be on H1-B visas. That doesn't in and of itself mean that they're incompetent, but I've seen this kind of thing before. What happens is that the company outsources or essentially only hires H1-Bs because it doesn't respect the job and while the workers end up being competent, they do only what they are told and no more. So they don't keep up with security patches because nobody told them to do that and they're too overworked to have spare time to look into it. And it could also be that Equifax's management insists that they can't have any downtime at all - ever. It's not common, but I've seen companies insist that they can't ever have any downtime so they don't ever patch anything.
I know one place I worked, an infosec vendor - one client was a regional bank in the mid Atlantic region. The bank's infosec guy didn't know boolean logic.
Then one place I'd worked - when I left, the guy who was there before me came back. This is after he went to work as an infosec guy for a local bank. He calls me one day and asks what a piece of hardware is, and then proves he doesn't know jack about the IPv4 dot notation limit of 255.
Doesn't inspire great confidence.
Your name wouldn't be Susan Mauldin, would it?
Fascinating. No, I did a CISSP and 5 days preparation (not full time, more like 50%). Finished the exam in 2h and passed (would not have wasted time on a 2nd try). I do _not_ list it on my CV, because a CISSP does not even remotely make you a security expert. It is far, far too shallow for that. Somebody that lists a CISSP as security qualification is somebody to be wary of.
Well, fizzbuzz gives you a rating of "not fully incompetent", but nothing more.
Like I said, it depends on what he is applying for. As a penetration tester? Probably not the most valuable certificate he could have (there's plenty of good material from SANS for that venue). As a CISO? Probably more suitable.
So, I'm curious about the liability of banks, car dealers, collection agencies etc. These companies pass our information to the credit bureaus without our direct permission on a monthly basis. As we are all aware, the information is quite often incorrect and it's up to us to protest. Don't they all have a responsibility to ensure that our data is properly secured? I know lots of people who work at banks that work their tails off to keep things secure. So just throwing the information at the credit bureaus without ensuring that they are secure after all of that work seems insane. It appears to be the abyss. Additionally, if there is a law in place stating that these banks, car dealers etc. must report this monthly, I'll argue that congress is directly responsible for not supplementing the law with proper controls that carry heavy fines for non compliance. Not just for patching but for the entire network, right down to the routers, switches and cables. We all have to have a conversation on what exactly is private vs public too. Driver's licenses and DOB are no brainers, but what else? I ask because this information sharing has gotten way out of hand.
I see what you're saying. She just doesn't pass the sniff test. I have to admit I'm wrong about people from time to time but by my sniff test she's the pointy haired boss from dilbert.
I'd have this opinion of her if she were a man and heck maybe it's wrong. But she was CSO during probably the worst private sector infosec disaster of the year, she 'retired' and for some reason has made some attempt to obscure her past but didn't bother simply making her entire account private? Why would someone go to all the trouble of contacting all the media she's interviewed with in the past to get her stuff taken down?
Despite these efforts.. half-locking down her linkedin.. scrubbing of old interviews and lectures from the net.... it's not hard to find her work history and it's a long list of stuffy compliance gigs. Why is she so bad at using the internet?
I'm not buying that she's so cutting edge that school doesn't work. I'm not buying the argument that she only needs to know how to lead. She smells like the sort of auditing and compliance drones that have been failing to secure computers since the dawn of the rainbow books. Which sounds about right for a credit reporting agency.