Equifax’s CSO Was a Music Major in College – So What?
Let’s be careful with our critiques of Susan Mauldin’s educational background before we set a dangerous precedent.
On Friday I came across an article that was as sensational as it was troubling: MarketWatch was reporting that Equifax’s Chief Security Officer was a music major in college. Since then, the story has spread like wildfire.
Yes, on its face, it looks incredible when it’s discovered that the person presiding over the cyber defenses of a company that just suffered a massive breach was studying music back in college—and you know, not computers or information technology or some related field.
And while I’ll be the first to admit that music is not the ideal background for a candidate of this scope, I think it’s worth taking a moment to pause and reflect on why framing a discussion this way is unproductive and possibly even dangerous: while having an educational background in an IT-related field is certainly a great foundation, disqualifying anyone without the right degree is an extremely harmful precedent to set.
First, let me concede a few points
As with any thought piece, I think it’s important to begin with a few concessions. First of all, I don’t know Susan Mauldin. I don’t know her level of competence. But I can concede that on its face, given Equifax’s recent breach and some of the other unflattering news that’s come from the company since, you can certainly argue that things didn’t go well.
And if MarketWatch’s report is true, and Equifax immediately began scrubbing the internet of any record of her as soon as she took her breach-imposed retirement, then that raises some very troubling questions in and of itself.
But frankly, for the sake of this conversation, we’re talking less about Mauldin on a specific level and more about what Mauldin represents: a member of the cyber security community who doesn’t come from a traditional background.
Let’s talk about Education
It’s easy to look at what happened, look at Ms. Mauldin and connect the dots that someone unqualified caused all of this to happen. That’s a gross oversimplification. Equifax is massive, with a digital infrastructure that spans the entire world. The CSO isn’t the one updating Apache or making decisions on passwords for Argentinian databases. For something like that the company would create policies and then delegate those tasks.
It’s very easy to make the case that Ms. Mauldin’s department was poorly managed. All indications would seem to point to that. But calling into question her competence on the basis of her education is myopic.
For starters, it’s insulting to anyone who has made it in this field with a non-traditional background. And there are quite a few more of those people than you might realize. As Ms. Mauldin once said in a (curiously) now-deleted interview, “you can learn security.”
And that’s true.
Pretending otherwise, as if you can’t enter the industry without the correct degree, is both unproductive and downright damaging to the prospect of acquiring and growing new talent. Especially when this industry operates in the shadows of great thinkers like Bill Gates, Paul Allen and Steve Jobs—none of whom even graduated from college.
Beyond that trio, there are countless examples of CSOs without computer-related educational backgrounds. Bob Lord, of Yahoo, studied political science. Tisha Merly, CSO of the FBI, studied international affairs. Michael Cava of Amazon studied police science and administration. Plenty of talented people studied other things in college and perform admirably in their roles as CSOs and CISOs.
The Right Degree Helps, But Not Having It Isn’t Disqualifying
And that brings us to my next point: this is still a fairly young field, all things considered.
Colleges and universities have programs that cover computer science and IT and cyber security nowadays, but they’re relatively new and have only recently been built out. I graduated from Florida State University (a school that is comparable in every way to Mauldin’s University of Georgia) in 2008, and at that point – less than a decade ago – FSU’s computer sciences programs were still fledgling.
Now, it’s untoward to speculate on someone’s age, but based on photographs and her work experience, you can probably ballpark Ms. Mauldin as being somewhere in her late 40’s or early 50’s. That would put her in college sometime in the 1990’s at the earliest. This was not a time when computer science was seen like it is today. There were not a ton of programs – especially highly refined ones – at her disposal.
Beyond that, even if there were programs readily available, how relevant would that information be today? Ms. Mauldin would have needed to continue her education as a professional, regardless of her college background, to be where she is today. And given that she had worked at other reputable companies like First Data, SunTrust Banks and Hewlett Packard before stepping into her role as Equifax CSO in 2013, it would seem like her professional resume was at least passable.
It’s not like Equifax plucked her out of a concert hall and told her to run its cyber security operations. And if it did—that’s on Equifax, not Mauldin.
I’m not trying to litigate Equifax’s staffing decisions; frankly, that’s its own unique discussion. I’m not even trying to defend Susan Mauldin, the person. The point I’m making is that we set a very dangerous precedent when we start disqualifying people based on their college major. It undercuts the value of professional experience and it eliminates a pool of talented candidates.
Granted, a strong educational background definitely supports a candidate’s case. Nobody’s arguing that studying computers and IT in college doesn’t make you a more well-equipped candidate for this kind of position. I’m just saying that not having studied computers in college shouldn’t be a disqualifying factor, either.
You can learn cyber security. Even if that’s not what you knew you wanted to do at 20 years old.