Equifax’s CSO Was a Music Major in College– So What?

Let’s be careful with our critiques of Susan Mauldin’s educational background before we set a dangerous precedent.

On Friday I came across an article that was as sensational as it was troubling: MarketWatch was reporting that Equifax’s Chief Security Officer was a music major in college. Since then, the story has spread like wildfire.

Yes, on its face, it looks incredible when it’s discovered that the person presiding over the cyber defenses of a company that just suffered a massive breach was studying music back in college—and you know, not computers or information technology or some related field.

And while I’ll be the first to admit that music is not the ideal background for a candidate of this scope, I think it’s worth taking a moment to pause and reflect on why framing a discussion this way is unproductive and possibly even dangerous: while having an educational background in an IT-related field is certainly a great foundation, disqualifying anyone without the right degree is an extremely harmful precedent to set.

First, let me concede a few points

As with any thought piece, I think it’s important to begin with a few concessions. First of all, I don’t know Susan Mauldin. I don’t know her level of competence. But, I can concede that on its face, given Equifax’s recent breach and some of the other unflattering news that’s come from the company since, you can certainly argue that things didn’t go well.

And if MarketWatch’s report is true, and Equifax immediately began scrubbing the internet of any record of her as soon as she took her breach-imposed retirement, then that raises some very troubling questions in and of itself.

But frankly, for the sake of this conversation, we’re talking less about Mauldin on a specific level and more about what Mauldin represents: a member of the cyber security community who doesn’t come from a traditional background.

Let’s talk about Education

It’s easy to look at what happened, look at Ms. Mauldin and connect the dots that someone unqualified caused all of this to happen. That’s a gross oversimplification. Equifax is massive, with a digital infrastructure that spans the entire world. The CSO isn’t the one updating Apache or making decisions on passwords for Argentinian databases. For something like that the company would create policies and then delegate those tasks.

It’s very easy to make the case that Ms. Mauldin’s department was poorly managed. All indications would seem to point to that. But calling into question her competence on the basis of her education is myopic.

For starters, it’s insulting to anyone who has made it in this field with a non-traditional background. And there are quite a few more of those people than you might realize. As Ms. Mauldin once said in a (curiously) now-deleted interview, “you can learn security.”

And that’s true.

Pretending otherwise, as if you can’t enter the industry without the correct degree, is both unproductive and downright damaging to the prospect of acquiring and growing new talent. Especially when this industry operates in the shadows of great thinkers like Bill Gates, Paul Allen and Steve Jobs—none of whom even graduated from college.

Beyond that trio, there are countless examples of CSOs without computer-related educational backgrounds. Bob Lord, of Yahoo, studied political science. Tisha Merly, CSO of the FBI, studied international affairs. Michael Cava of Amazon studied police science and administration. Plenty of talented people studied other things in college and perform admirably in their roles as CSOs and CISOs.

The Right Degree Helps, But Not Having it Isn’t Disqualifying

And that brings us to my next point: this is still a fairly young field, all things considered.

Colleges and universities have programs that cover computer science and IT and cyber security nowadays, but they’re relatively new and have only recently been built out. I graduated from Florida State University (a school that is comparable in every way to Mauldin’s University of Georgia) in 2008, and at that point – less than a decade ago – FSU’s computer science programs were still fledgling.

Now, it’s untoward to speculate on someone’s age, but based on photographs and her work experience, you can probably ballpark Ms. Mauldin as being somewhere in her late 40s or early 50s. That would put her in college sometime in the 1990s at the earliest. This was not a time when computer science was seen the way it is today. There were not a ton of programs – especially highly refined ones – at her disposal.

Beyond that, even if there were programs readily available, how relevant would that information be today? Ms. Mauldin would have needed to continue her education as a professional, regardless of her college background, to be where she is today. And given that she had worked at other reputable companies like First Data, SunTrust Banks and Hewlett Packard before stepping into her role as Equifax CSO in 2013, it would seem like her professional resume was at least passable.

It’s not like Equifax plucked her out of a concert hall and told her to run its cyber security operations. And if it did—that’s on Equifax, not Mauldin.

I’m not trying to litigate Equifax’s staffing decisions; frankly, that’s its own unique discussion. I’m not even trying to defend Susan Mauldin, the person. The point I’m making is that we set a very dangerous precedent when we start disqualifying people based on their college major. It undercuts the value of professional experience and it eliminates a pool of talented candidates.

Granted, a strong educational background definitely supports a candidate’s case. Nobody’s arguing that studying computers and IT in college doesn’t make you a more well-equipped candidate for this kind of position. I’m just saying that not having studied computers in college shouldn’t be a disqualifying factor, either.

You can learn cyber security. Even if that’s not what you knew you wanted to do at 20 years old.

  • I see where the author complimented her, she is mid sixties, she has been in the tech field longer than most of you namby-pamby fools have been alive. She earned her position and although not directly responsible for the breach, she did the honorable thing, she accepted that it was her department and she fell on her sword. Her competency far exceeds all but a few of the internet pundits, “bon jour”….

  • If you work in one of the traditional professions (medicine, law, engineering, or accounting) you MUST have the appropriate educational credentials, professional designations and in some cases licenses in order to practice. The chances that you’ll find a music major functioning as a Chief Financial Officer, heading up a law group, managing an engineering department or practicing medicine are zero. Not so in the field of Information Technology. To say that this woman achieved competence in the field of IT Security by way of on-the-job training is laughable. She had no formal training in programming, databases, networks, system design or any other IT specialty for that matter, which is the typical background of most CISOs. How can you manage something if you don’t have any real understanding of what you’re managing? I’m certain that she was good at throwing around buzzwords, attending meetings, crafting emails and otherwise bs-ing her way through her career, but in the end she proved herself to be an incompetent dolt who couldn’t even ensure that basic IT Security hygiene was being followed. There are a lot of empty suits like her running around the IT field who have no business being there. The fact that Equifax hired someone like her instead of an experienced IT Security practitioner with the appropriate educational credentials and certifications is puzzling to say the least and something the CEO will have to answer for.

    • How can you manage without any real management education? Therefore, no CS majors need apply for CIO, CSO or CISO positions, as these are management positions.

      The point is we need a mosaic of backgrounds and experiences to solve this problem. Mistakes are made, let’s not make one where academic credentialing dictates who can assist.

  • A formal education in security (BS, MS) is not required in order to work in security, but the minimum expected is to have security certifications (CISSP, CEH, GIAC, etc.), which indicate some training / knowledge on security. This person has NONE !!!

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.