I am not going to talk about the Equifax breach. I know nothing more about the breach than what has been reported via numerous media outlets and commented on by ‘experts’ of various pedigrees.
Instead, I think it’s important to spend a few moments discussing the abrupt ‘retirement’ of the Equifax CISO (Susan Mauldin), her recent pillorying in the media, and the potential ramifications on our profession’s efforts regarding diversity within the profession.
Days after the breach, and shortly before her ‘retirement,’ Susan Mauldin’s internet footprint disappeared. This, of course, only fed the media’s curiosity. In investigating the remnants of Ms. Mauldin’s internet footprint, it emerged that her degrees were in music composition. The media seized on this story, accusing Equifax of attempting to cover up the fact that they hired a supposedly less-than-qualified individual as the CISO. One reader of these articles even went so far as to opine that “a woman diversity hire is the cause of one of the largest hacks of financially sensitive data ever.”
I don’t know Susan Mauldin personally. In fact, until the breach I had never heard her name. However, anyone looking at the recovered archive information will see that Ms. Mauldin has more than 15 years of experience in technology and finance organizations – with more than a decade of that experience in roles with responsible charge for security. Her critics are somehow discounting this. Unlike becoming a doctor or a lawyer, becoming a C-level business executive of any sort requires no specific degree. What’s required – first and foremost – is the ability to think critically, communicate well, and solve problems.
No degree program holds exclusive claim to those abilities.
Most CISOs of my generation came up hardscrabble and from a variety of backgrounds. If we were technologists, we learned the business. If we were businessmen, we learned the technology. My peers, mentors, and friends come from a wide array of educational backgrounds.
The highly successful and well-known CISO of a Fortune 500 technology company was a philosophy major in college.
One of my mentors in the security field (and a successful CISO himself) is a former seminary student.
The CEO of a successful security services company – and one of the best minds that I know in security – majored in history.
Ms. Mauldin has been further vilified because she is reported to have said “security can be learned” in an interview. Again, I’m struggling to see the disconnect here. In past lives I’ve taken accountants, financial auditors, and sales personnel who have (a) expressed an interest in the topic and (b) shown creativity and drive, and turned them into some of the best cyber warriors I’ve seen. Yes, they had to work hard to shore up their technology deficits…but they did so willingly and efficiently. Their lack of a technology degree was not, in and of itself, an impediment to their success. Not in the slightest.
Besides…given that most of the nation’s top computer science programs still do not require graduates to take even a single security course, the hard truth is that most of us have “learned” security via personal exploration and/or on-the-job training.
The thing that upsets me most about this situation, though, is this: the same folks who are taking Equifax to task over Susan Mauldin have remained silent over the fact that the interim Equifax CISO (Russ Ayres) has absolutely no security experience in his resume. One could argue that Equifax has lost faith and trust in its security team to the point that there was no one they were willing to place in the role…but if that is the case, then why is a member of the now-'retired' CIO’s team with no security qualifications still considered trustworthy and an appropriate candidate for this position?
More importantly: why aren’t we, as security professionals, drawing more of the media’s attention to this inconsistency in its concerns over what it takes to be a successful CISO?
In an ironic twist of fate, I find myself at four security-related events over the next three weeks. At each of these events, I am either speaking on or moderating a panel on diversity in cybersecurity. We need to promote gender, ethnic, background, and thought diversity if we hope to succeed on the cyber battlefield. As professionals, we need to stand shoulder-to-shoulder with our brothers and sisters – especially in troubled times.
Regardless of what went wrong at Equifax, let us not assume that it was a lack of competence or qualification on the part of one of our fellow warriors...
…and let us not stand silently by while the world makes such erroneous assumptions.
My two cents…