Slashdot Mirror


Equifax CEO Hired a Music Major as the Company's Chief Security Officer

Susan Mauldin, the person in charge of Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security. If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.

Earlier this month Equifax, which is one of the three major consumer credit reporting agencies, said that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver's license numbers. On Friday, the UK arm of the organisation said files containing information on "fewer than 400,000" UK consumers were accessed in the breach.

UPDATE (9/16/2017): CSO Susan Mauldin has abruptly 'retired' from Equifax.

50 of 430 comments

  1. Yes and no... by cdreimer · · Score: 5, Insightful

    Having a liberal arts degree doesn't disqualify you from working in IT. If you only have a liberal arts degree, no technical certifications and no previous IT experience for a high-level role as CSO, you must have really nice legs.

    1. Re:Yes and no... by UnknowingFool · · Score: 5, Insightful

      Yes nothing says she (or anyone with a liberal arts degree) can't be a good security officer. But it is suspicious that all of her background is now hidden. It might have been she was CSO for political reasons as one would find in big companies that the person who plays politics is promoted over people who have experience or skill.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:Yes and no... by Anonymous Coward · · Score: 5, Insightful

      I've worked with some brilliant software engineers and engineering managers at my current job, and here is a list of the non-IT degrees they have:
      B.S. in Political Science
      B.A. in Media Design
      B.A. in English

      These are guys that are designing and implementing financial software for a Fortune 500. Sometimes what your degree is in has the square root of jack shit to do with what you are currently doing, and how well you do it.

    3. Re:Yes and no... by Anonymous Coward · · Score: 3, Interesting

      but what in her profile would suggest that she would be even remotely qualified to have an entry level IT position? she's barely qualified to pour coffee.

      equifax fucked up. the pitchforks are totally justified.

    4. Re:Yes and no... by Anonymous Coward · · Score: 5, Informative

      She was previously Senior Vice President and Chief Security Officer at First Data Corporation for four years

    5. Re:Yes and no... by pr0t0 · · Score: 5, Insightful

      Unless you are getting hired directly out of school for a tech job, whether or not you have a degree in tech means almost nothing. It's your experience that counts. If Mrs. Mauldin majored in music, graduated, found that was a dumb idea and worked her way up through the ranks over 20 years before landing the Chief Security role at Equifax, I have no problem with that.

      This woman may have to take the fall, but often, even senior security staff don't get to dictate everything you think they should. Cost considerations can override their wishes, inconvenience can override it. They can often set guidelines for IT staff that do not report to them and feel no obligation to do what they say.

      I wouldn't skewer this woman just yet.

      --
      I'm sorry, but your opinion seems to be wrong.
    6. Re: Yes and no... by Anonymous Coward · · Score: 2, Insightful

      That's the problem with Affirmative Action and Diversity hiring. You're affirming the suspicion that these people are not qualified by merit, and get jobs because of their sex or skin color.

      You can't even dispute it, because you don't actually know for sure, and it's not even unlikely.

    7. Re:Yes and no... by HornWumpus · · Score: 2

      Next target hackers! We now know the former CSO wasn't the sharpest tool in the box. Rot is almost certainly there too.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    8. Re:Yes and no... by Delta2.0 · · Score: 2

      Having a liberal arts degree doesn't disqualify you from working in IT. If you only have a liberal arts degree, no technical certifications and no previous IT experience for a high-level role as CSO, you must have really nice legs.

      Or, you know, she worked for 4 years as a Chief Security Officer for First Data Corporation just prior to this job and has a 15 year history in tech related industries, including HP. Perhaps you should read the article before spouting off sexist crap like that.

    9. Re: Yes and no... by dyeazel · · Score: 2

      It seems you think that "Affirmative Action and Diversity hiring" means that any minority or female that applies for a job will get the job, regardless of their qualifications. In reality, it's usually used to help minorities/females get an interview and may be used as a tie breaker amongst similarly qualified candidates.

      In this case, it is much more likely that if she's drastically under-qualified it was more of a political decision.

    10. Re: Yes and no... by computational super · · Score: 4, Insightful

      Well, that's some grade-A lack of reading comprehension you have going there. What OP said was that, if you have affirmative action hiring policies in place - hiring less qualified people to artificially inflate diversity on any metric - then EVERYBODY who fits that diversity metric carries the suspicion of being a "diversity" (i.e. otherwise unqualified) hire. Even if they actually weren't.

      --
      Proud neuron in the Slashdot hivemind since 2002.
    11. Re: Yes and no... by wizkid · · Score: 3, Insightful

      It depends on the kind of work.

      Does she have a CISSP, or similar?
      How many years in security?

      Or maybe the experience is in the office back room, or CEO's office with the doors closed.

      Either way, with Insider Trading allegations, info coming out 4 or months out, bonehead releases and f**ked up websites, poor patching policies, etc. He's going to have to kiss a lot of politicians' butts to get out of this one.

      --
      I take no responsibility for what I say. Even though I'm never wrong :)
    12. Re:Yes and no... by Penguinisto · · Score: 2

      Agreed, but she'd damned well better have at least one email in her possession showing that she (or one of her subordinates) had previously tried to warn the company to update their version of Struts...

      (...and if she does, then the devs will be in the hot seat for ignoring that one.)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    13. Re: Yes and no... by Penguinisto · · Score: 5, Funny

      Either way, she's in real deep Treble right about now...

      (...I kid! I kid!)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    14. Re:Yes and no... by HornWumpus · · Score: 4, Informative

      Devs don't patch live systems at a company that size. Devs shouldn't touch live systems at a company that size.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    15. Re:Yes and no... by Anonymous Coward · · Score: 2, Insightful

      Yes nothing says she (or anyone with a liberal arts degree) can't be a good security officer. But it is suspicious that all of her background is now hidden. It might have been she was CSO for political reasons as one would find in big companies that the person who plays politics is promoted over people who have experience or skill.

      Nah what's suspicious is that it's now hidden badly.

      If she was able to hide her education history from the prying eyes of the Internet that'd be a practical demonstration of her relevant skills. Failing to do so, not as much.

    16. Re: Yes and no... by Hognoxious · · Score: 5, Funny

      That was very clefer.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    17. Re:Yes and no... by Theaetetus · · Score: 2

      Unless you are getting hired directly out of school for a tech job, whether or not you have a degree in tech means almost nothing. It's your experience that counts. If Mrs. Mauldin majored in music, graduated, found that was a dumb idea and worked her way up through the ranks over 20 years before landing the Chief Security role at Equifax, I have no problem with that.

      This... I, too, majored in music, but focused on audio engineering. I ended up building and maintaining radio stations, including repairing solid state and analog transmitters and rewiring audio consoles, building multi-site audio and data links, building automation computers and maintaining data networks, etc. In the course of doing that, I studied electrical engineering and programming, passed the FE, and eventually became a patent attorney specializing in communications and security.

      If she had no experience, that'd be one thing, but from her resume, it looks like she's spent at least 15 years in the industry.

    18. Re:Yes and no... by gweihir · · Score: 2

      The same is true for brain-surgery. Sure, there may be the one exceptional talent that can do it without a specific degree and years of training, but does that claim make sense? No, it does not.

      Down here in actual reality, you need that degree and that decade or two of on-topic training and experience to be any good in that role.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    19. Re:Yes and no... by superwiz · · Score: 2

      The best development manager I've ever seen had a philosophy degree and no formal technical training. He was a very talented programmer and the kind of manager who knew how to nurture people into life-long successful careers.

      --
      Any guest worker system is indistinguishable from indentured servitude.
    20. Re:Yes and no... by thomn8r · · Score: 4, Funny

      but thought she was the cat's meow when it came to managing high-tech companies

      To be fair, slaying 30,000 serfs is pretty much the same in the 2000's as it was in the 1400's

    21. Re:Yes and no... by computational super · · Score: 5, Insightful

      There are no doctors without medical degrees. There are no lawyers without law degrees. Yet somehow, tech seems to be the one place where a degree is considered near irrelevant (in fact, according to Slashdot, having a degree in computer science may very well disqualify you from professional programming). The reason most often suggested for this difference is that technology isn't as important as medicine or law. Yet this line of thinking has apparently led to the collapse of the US consumer credit system.

      --
      Proud neuron in the Slashdot hivemind since 2002.
    22. Re:Yes and no... by hey! · · Score: 3, Informative

      Judging from her profile, she had 11 years working in IT positions starting at HP in 2002 and including two banks and a major credit card processing company.

      It is not inconceivable that a person with such a background would acquire the necessary skills on the job; back in 2002 there weren't many (if any) degree programs in IT security, and to be frank a CS degree doesn't really prepare you to do security work much better than a music degree. So would you rather hire a recent grad with the right degree for this position, or someone who'd been working in the field since before the degree was commonly offered?

      On the other hand, Equifax just had a major security screw-up and did not handle it very professionally. So while nothing in her background precludes her being qualified for the job, her actual job performance calls her competence into question.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    23. Re: Yes and no... by rholtzjr · · Score: 4, Funny

      She fell sharply flat with her security approach. Anymore to keep it going?

    24. Re: Yes and no... by xevioso · · Score: 3, Funny

      bassed on what, exactly?

    25. Re:Yes and no... by HiThere · · Score: 2

      Sorry, but the degree is almost irrelevant. It's the experience that counts. Of course, you shouldn't be able to get the degree without some experience in the process...

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    26. Re:Yes and no... by swillden · · Score: 4, Informative

      Next target hackers! We now know the former CSO wasn't the sharpest tool in the box. Rot is almost certainly there too.

      Hackers don't need some additional notice or incentive to go after First Data. First Data is one of the biggest, tastiest and most potentially lucrative targets in the world. But you haven't heard that, because they do a very good job on security.

      I worked several security projects at First Data when I was doing security consulting, and I was consistently impressed with the quality of their people, systems and processes. I was also a little appalled at how many eggs are in the First Data basket. They issue and manage a large majority of the credit and debit cards in the United States. You almost certainly have a card they issued in your wallet, and they also generate your statements, process your payments and potentially even operate your bank's web site.

      The largest project I worked for First Data was directly supervised by the NSA (in their role of protecting the nation's data infrastructure, not their role of spying on everyone -- two very different organizations within the NSA) because the security of First Data systems is essential to national security. They're that big and that important to the country's credit and banking infrastructure. More important than Equifax, I'd say.

      The fact that she was CSO for First Data changes my perception of the headline considerably. I can't see First Data hiring someone unqualified for a role like CSO. Security is way, way too important there, and they have a lot of people who know how to do security.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    27. Re:Yes and no... by slew · · Score: 5, Informative

      Yes nothing says she (or anyone with a liberal arts degree) can't be a good security officer. But it is suspicious that all of her background is now hidden. It might have been she was CSO for political reasons as one would find in big companies that the person who plays politics is promoted over people who have experience or skill.

      Well, as it turns out, her "resume" prior to Equifax lists

      * Senior Director of Information Security, Audit and Compliance at HP
      * Senior Vice President and Chief Security Officer at First Data Corporation
      * Group Vice President Sun Trust Bank

      Sounds to me that she worked up the "vice-president" track (easy to do in a bank as everyone is a VP) and stumbled on to security from the audit/compliance side of the house. This is like a VP of engineering coming up from the marketing/product specification side of the house. All most of these folks know how to do is check the boxes... They might have learned some buzzwords along the way, but you would never trust them to actually *do* anything...

    28. Re:Yes and no... by Ol Olsoc · · Score: 2

      Yes nothing says she (or anyone with a liberal arts degree) can't be a good security officer. But it is suspicious that all of her background is now hidden. It might have been she was CSO for political reasons as one would find in big companies that the person who plays politics is promoted over people who have experience or skill.

      And the extra really super suspicious thing is that she oversaw the biggest data breach we know of.

      If you are going to be a CSO, you really need to be a little paranoid, and you need to run a hellava lot of penetration testing, install some honeypots, and know some stuff. I'd wager that most music majors will not have the mental outlook to do that.

      But Equifax promises that their next CSO will be a Women's study major, which should fix everything

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    29. Re: Yes and no... by Ol Olsoc · · Score: 2

      You do know that diversity hiring doesn't mean we just hire anybody? The qualifications for the job don't just become "A woman" or "A person of color". That is not how it works in the real world, even if you for a second honestly naively believe that devoid of diversity hiring policies, employers hire the person with the best qualifications or most experience in the first place.

      Actually, there is a whole real world that does not conform to yours. We went far out of our way to hire women who were qualified, but not remotely the best candidates for the job. Entry level qualifications were beating out 15 year veterans. I lost out on several promotions because we had to promote the women as fast as possible, including one promotion where the woman did not meet the minimum qualifications of time in grade.

      Sorry, but in academia at least, men are being marginalized in favor of women. But don't worry, it will work out just fine.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    30. Re:Yes and no... by wonkavader · · Score: 2

      Agreed. A music major could be a great security officer. She clearly wasn't. They're trying to hide it.

      The conclusion here should not be you need a technical degree to fill a technical role. It should either be
      1. that the idiots at Equifax are also sleazebags.
      Or 2. that the sleazebags at Equifax are also idiots.

      Clearly both are logically true, but which states the case with the proper emphasis?

    31. Re: Yes and no... by Jon Abbott · · Score: 4, Funny

      I don't want to string anyone along here, but let's not harp on her minor credentials. While they struck a chord in some people, joining the chorus of citizens at fever pitch won't fix Equifax's systems that are baroque and in need of fiddling on a scale we haven't seen B4. It's important to note that the movement of filing key lawsuits will work in unison and reach a crescendo at some point. The drum beat of progress will necessitate major reforms that will even the score and serve as the prelude for improved security. The measure of any company in a situation like this is whether they change their tune and raise the bar, or have their finale.

    32. Re: Yes and no... by Hognoxious · · Score: 2

      I don't know, but he probably had to take a rest afterwards.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    33. Re: Yes and no... by Pete (big-pete) · · Score: 2

      You didn't answer the question: what CSO training programs exist out there? None.

      Well I'd start by expecting professional qualifications such as CISSP or at least one or more GIAC certifications...

      Particularly GIAC Security Leadership or GIAC Strategic Planning, Policy, and Leadership.

      -- Pete

  2. Let's not be hypocritical by Anonymous Coward · · Score: 5, Insightful

    A good share of this site's users do very important technical work--quite competently--without the educational credentials.
    Let's judge people here by their actions, not their degrees.

    1. Re:Let's not be hypocritical by HornWumpus · · Score: 5, Insightful

      How quickly you forget.

      Why are they in the news again? Incompetent administration, unpatched systems, no emphasis on security?

      Her results are on the record.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  3. Yeah but by Anonymous Coward · · Score: 2, Insightful

    Isn't there anyone else in the organization that knows the vpn user/pw is admin/admin that can blow the whistle before hackers dump your sack?

    Organizationally it shows these companies have no blue teams looking for red teams. And they have your mortgage documents.

  4. Having a degree in a different field isn't wrong by Anonymous Coward · · Score: 5, Insightful

    I myself am a music major and have since gone on to be a highly certified security individual. What a person takes as their post-secondary degree when they are 18-24 and starting life doesn't imply they haven't SINCE developed a full suite of skills and certifications making them perfectly suited to the job.

  5. I suppose but by burtosis · · Score: 4, Funny

    Wouldn't you want someone who isn't an expert at singing when it comes time to testify?

  6. Majors don't mean shit by Anonymous Coward · · Score: 2, Insightful

    You wanna bet the people that hacked Equifax didn't major in security too? Like she would have learned anything in college that would have prevented this. No, this mistake was made by someone much lower in the org than her and they probably had certs/degrees.

    1. Re:Majors don't mean shit by eth1 · · Score: 2

      No, this mistake was made by someone much lower in the org than her and they probably had certs/degrees.

      Probably not...

      I'm in InfoSec as well, and it almost always goes like this:
      1. InfoSec - we need to do X, Y and Z to address these weak points. It will cost $A. (or potentially involve B amount of dealing with user gripes)
      2. Upper management - no, that's too expensive (or too much trouble, or whatever)
      3. InfoSec - well, ok, we have enough resources to partially address the worst offenders X and Y...
      4. Attackers - Z is weak! All your bytes are belong to us!
      5. Upper management - !?! Here's a stack of money, and you users shut up
      6. InfoSec - Ok, barn door is shut, but the horse is long gone...

      Security issues, in my experience, are almost always due to lack of funding/manpower rather than engineering incompetence.

  7. Found this interview by Dan667 · · Score: 4, Informative

    They took it down, but of course the Wayback machine has it. https://web.archive.org/web/20...

  8. Re:Musicians can make good computer scientists by Anonymous Coward · · Score: 2, Informative

    One of the early pioneers in Tech, the man that interviewed Bill Gates and was given the infamous "64K" quote, is a world class composer. (yes Dennis I'm referring to you!).

  9. So? Also better reasons for hiding profile by wonkey_monkey · · Score: 5, Insightful

    I've got grade 2 piano and no IT qualifications, and yet I'm working in IT instead of busking my way through chopsticks.

    If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.

    I doubt it has anything to do with keeping her education background secret, and more to do with simply wanting to disappear until this particular shit storm blows over. Lot of (rightfully) angry people out there, some of whom might do (unrightfully) angry things.

    --
    systemd is Roko's Basilisk.
  10. Musicians and algorithms. by sandbagger · · Score: 2

    In my humble experience, musicians and mathematicians can converse very coherently upon the subject of algorithms. It's truly something to be a fly on the wall for one of those conversations.

    However, back to the matter at hand. I suspect that we will learn that Equifax was a shell of a company that is still running XP or even NT and that the business people treated the tech side of the company as janitors who basically had to keep the place looking tidy and those credit card transactions coming in.

    --
    ---- The above post was generated by the Turing Institute. Maybe.
  11. Keep it classy, /. by hrbrmstr · · Score: 4, Insightful

    IMO this post should be taken down. It is not a technology discussion and it's definitely not "stuff that matters". I personally know liberal arts majors, one of whom has degrees in music and nothing else who are likely more experienced and qualified in security than 99% of the security folks on /. Good step onto the slippery slope of becoming yet-another-Reddit. But, if one needs clickbait for ad revenue, one will do just about anything.

    --
    Mind the gap...
  12. Well, she at least knows the right words... by Anonymous Coward · · Score: 2, Interesting

    It seems she's not a complete novice, she uses some of the right words and is familiar with the idea of tokenization for securing PII in "the cloud" (which is a f*cking stupid idea that adds complexity and increases the attack surface but all the rage with a lot of the security groups I've worked with). This statement also stood out for me "In today's environment, fully funded, well staffed adversaries can pretty much get to any asset that they decide to target." Oddly enough, I usually consider an attitude like that a sign of security staff who know what they're talking about. I've dealt with too many admins and CISO who think they are god's gift to security and no one can penetrate their environment. Generally they're wrong... often in spectacular fashion (I was working with such a team this week that was insisting an XSS vulnerability in their custom IDP solution caused by a failure to sanitize inputs was really because it was being "called wrong"... and they just continued to double down when anyone tried to argue their logic... bad guys always follow the rules ya know).

  13. Obligatory XKCD by next_ghost · · Score: 2

    Obligatory XKCD. There really is one for everything.

  14. Personal experience with Equifax by shanen · · Score: 2

    At least a couple of the funny mods were slightly merited, but I'm pretty baffled by the "insightful" on this one. Something about the financial model of Slashdot? What's to say beyond "It's broken"? Maybe some deeper insightful suggestion on how to improve it?

    So after scanning all of the "funny" and "insightful" comments, I did another round of searches for relevance and eventually wound up back at your post for the "personal" embedded in "personally". As of now, it's the only match in the visible part of the largish discussion. Not impressive. Especially since I think you're wrong about the 'not "stuff that matters"' part of it. How would you know? Which leads to my personal involvement...

    I actually decided to take action on this fiasco. I decided to try to find out if Equifax has a file on me and if so, was my file leaked. If those questions get positive answers, then I might need to do something. Spent a long time searching, mostly on the Equifax website. Got NOTHING. It's almost like the Equifax people want to pretend there's no problem here.

    What's bugging me more and more about this abuse of personal information stuff is that I don't get to join in. Let's take the case of you, hrbrmstr. Should I pay any attention to your comments? What is your reputation really like? Companies like Equifax have assembled comprehensive dossiers on you, but I can't even get a short summary for preemptive filtering. Hey, if a troll has no credit history at all, then why should I pretend the troll exists and why should my time be wasted?

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  15. Re:In her defense... by Zero__Kelvin · · Score: 2

    If you want to argue the importance of college degrees, you should probably at least get through the second sentence without misusing a word completely.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun