67 comments

[ 3.3 ms ] story [ 122 ms ] thread
This is bullshit.

Alice Goldfuss, SRE at github: "reddit is mocking the Equifax CISO for having a music degree, meanwhile I know no one in infosec with a CS one" https://twitter.com/alicegoldfuss/status/908430394529259520

I work in infosec and I dropped out of a biology program.
Why should the word of a SRE at a small company be the gospel at this?

When I was working at Cisco pretty much all InfoSec people I know had a technical degree, from CS to EE to sometimes Mathematics.

I'm sure there are some outliers, but saying "no infosec people have degree in CS" is just plain ridiculous.

(comment deleted)
I know a system architect at Facebook with four music degrees...

Worked with several highly competent people in tech and infosec with music degrees, liberal arts degrees, no degree...

But I'm sure you also know system architect at Facebook with actual CS degrees.

I'm not saying music degree people can't be good engineers, but saying "no infosec people have CS degree" is plain absurd.

It really depends on your social circle and what area of infosec you're in. I've socially been in the 'hacker community' for most of my life and virtually nobody that I associate with from there has an actual CS degree.

A few folks got Physics degrees, but the vast majority of people I know left school to work and have not finished. Myself included.

The other very common backgrounds that I encounter is people who served in the military and people who backdoored their way into it from being sysadmins.

Good thing Alice doesn't say that, then. The headline strongly implies that having a music degree means that you can't be a good engineer.
Totally ignoring the fact that she was magna cum laude for her BA and summa cum laude for her MFA. And 15 years of experience working in tech.

She could have her degrees for computer music for all we know, which at the time she got them probably would have required some serious programming chops.

Yeah, it is absurd. Maybe that's why the tweet doesn't say that. (^:
(comment deleted)
(comment deleted)
they aren't saying "no infosec people have degree in CS", they are saying they don't know any. I don't know that I do either. I know very few people with CS degrees.
> "no infosec people have degree in CS"

You stretched that tweet pretty far. It's clearly nothing more than an anecdotal counterexample. I'm not sure how your paraphrasing quote ended up becoming such a sweeping generalization.

OP knows it's an anecdote. They are questioning the value of an anecdote from someone in a small company when the anecdote is about claiming to know enough people belonging to a certain category.
But github is very popular in the tech community. You'd think she would have met some infosec people with relevant degrees if they were common.
(comment deleted)
obviously Equifax has shit security they had multiple webpage panels exposed on the public internet (ouch so stupid) and with default credentials of admin/admin and you are arguing that the CISO is competent? She was obviously massively incompetent.
IMO being a music major isn't the story here, having no related experience/knowledge is. But that doesn't get clicks quite as well.

One of the best engineers I've ever met had a bachelors in Psychology. Another was a highschool dropout. The difference though was that those folks spent a ton of time learning everything they could, and continually improved.

Having a music major isn't a bad thing at all. Having no relevant experience is a much larger concern for me.

I'd go as far as saying that this headline is harmful. It perpetuates the "only people with CS degrees can program/security/architect", which isn't true at all. We shouldn't be shaming people who come from another walk of life. More power to those who didn't get a traditional CS degree and still kick ass :)

And expecting everyone's LI profile to be a source of absolute truth is also risky.
If you are a C-level exec, I would say it should be pretty accurate...
Yeah. If you graduated more than 10 years ago I don't really care what your degree was in, but I do care about what you know and where you've practiced it.
I started out majoring in music. I switched to studying CS and math because career prospects looked better. It was also easier.
Same...I think it's sad that people who theoretically know how to 'code' (writing music, converting music notation into sounds) and spend thousands of hours on a rigorous practice are cast as being useless to the modern workforce.

I feel like music majors have to be very technical and studious...something that really does transfer well to any other field if they put their mind to it.

The way I read it is that: hey, they hired a person whose most relevant experience is a music degree. Of course, the title certainly leads itself to other interpretations.
I love how even 15 years after you've been out of school, your work experience isn't as relevant as what you studied in school.
It's not, this article is click bait.
I work with a talented and diligent colleague who started college as a CS major but switched to music (and a minor in geology). He participates in hardware hacking CTFs for fun and runs circles around me.

I also work with another colleague who had a scholarship to his undergrad for music, who switched to CS. Not as technical as the first colleague, but is very good at systems thinking.

A third colleague is a superb SME who understands security policy, compliance, and risk management (with a CISSP and actually using it); he was an architect and interior designer before switching careers... and is in a band. :)

Music isn't a bad background to have in IT or security fields from my perspective. Issues with anecdotes aside, I don't see the issue here if a person has demonstrated growth and expertise in the field.

I know numerous people whose technical skills I highly respect that have a degree in all kinds of things, or, indeed, nothing.
Are any of them the Chief Security Officer of a $17.5B company?
"of a company handling important private financial data of more or less the whole population of the United States" would be more relevant than the market cap here, I think.
so a college degree in Computer Science, where they recycle old final exams would have save the day? How many degree holders can even go back and pass the final exams, cramming knowledge for a test is not an indicator for security competence
That's a pretty silly strawman to build up and then tear down.

That's tantamount to saying an engineering degree is just a piece of paper. Of course it implies a lot more.

Many people with a CS degree are clueless about security. It's a relatively new discipline.
Indeed. The only thing a degree in anything proves is that the holder of those degrees paid someone money to say they were taught something, probably.
Or, I don't know, they learned useful and relevant things while earning those degrees?
I don't think people are dissing her for having a music degree. They are dissing her for apparently having no infosec experience (an accusation further intensified by her education also not being in a technical field). Whether that is true or not can be investigated. But saying that the row is about her having a music degree is a slight misrepresentation.
I was pretty sure it was true (that she had no experience at all) after listening to the first two or three minutes of the video interviews that were available here[1], but apparently they don't want anyone to see interviews with the CISO from before the breach. I have never seen anybody say cloud so many times in two minutes.

By the end of the interview, I felt sorry for her. I have no idea if she had relevant experience or not, she just sounded like someone who has been conditioned to argue that delays in new development are unacceptable, and that the cloud is inevitable, and if it costs more to do it right then you'll have to make do with less, and cetera and so forth.

I'm not terribly shocked that they've taken down these interviews, but I am very sorry I didn't save a copy when I found them. They were still available for viewing as of 12:31pm Eastern Time on Sept 10, and there are transcripts that you can find following the links in the article, which has been updated to note the videos were scrubbed from the internet.

Serious question, is there any way this might actually count as destroying evidence?

[1]: https://www.hollywoodlanews.com/equifax-chief-security-offic...

She did have an MBA, so maybe that degree should be a sign of incompetence.

Instead of asking the Infosec community for their thoughts this journalist is showing he is already out of his depth.

This is the wrong thing to focus on. The situation we're in isn't a result of where this person was educated. The fact that they had a lack of professional experience required to demand a standard of security that would prevent this type of problem is the only thing I think worth discussing here.

I dropped out of school as soon as I realized I could make 50k/year doing IT work vs paying 50k a year to a school whose curriculum was from the stone age. I fully endorse education of all forms but our current model for educating the next generation of workforce is broken but I digress.

all of the broken systems these CSO's are trying to cover were designed by people with CS degrees...
I'm kinda amazed this is now such a big story. It was picked up on Reddit 4 days ago.

The story is more complicated than this http://greyenlightenment.com/equifax-hack-analysis/

1. she was hired in 2013. Butting against equifax stock on this knowledge would have resulted in a large loss.

2. The odds of Equifax (or any company) being hacked are high if hackers are determined enough. It Bitcoin exchanges, ICOs, and online wallets, which are run by STEM people, find it very hard to stop hackers, what does that say about most websites in general.

agreed but the hack was a result of credentials being "admin/password"
How many layers of management should have caught that first? It shouldn't matter whether someone graduated from third grade when it comes to something that simple.
(comment deleted)
I am as mad as anyone about the Equifax breach but this story is bs. A degree or lack thereof has nothing to do with ones technical competence. The best programmer I've ever met was self taught. The worst had a masters degree.
Outliers exist obviously. Why Education is irrelevant in engineering would you want a self taught doctor operating on you ? Why are you okay with unqualified person handling privacy if 150 million people ?
Red Herring to irrelevant what she majored in in college. C level employees are not in the weeds or frontline when it comes to security anyway. At worst, she could be blamed for not having the correct vision or grasping the scope of importance securing this data required. As long as she hired and trusted the right people that is all that really matters. A breach like this is more than just one persons fault...
I'm shocked that so many people fail to realize this is a red herring. This is more shocking to me than the story itself.
Well, we can all argue one way or another about how relevant a CS degree would have been. The fact though that the profile was altered and other data deleted remains highly suspicious, if true.
It is super fishy that they got rid of every copy of video interviews with Susan Mauldin right as they were being reported on. I watched the interviews before they got erased and I was shocked that they were ever aired, I'm sure the transcript does not convey as much about how little this person seems to know for being the person in charge of the security of every person's credit files who has credit in the US.

I don't like to see people get shit on (and she looked like a person who was trying hard to do a good job,) but she also looked like a person who was put in that position because someone with a lot of money knew that doing security right would be expensive, and she would be someone to comply.

I'm no fan of Equifax, but some of the most talented engineers I've worked with have been music majors, musician, etc. It has nothing to do with whether she is qualified or not for the job.

The real story here is how Marketwatch (and HN, and Reddit, and Twitter, etc) is coming to the conclusion that she is unqualified simply by looking at her LinkedIn profile. I know many security professionals that have no LinkedIn profile, or list very barebones information on it because they see themselves as targets for spear phishing and see no need to give potential attackers any easy ammunition.

From looking at her LinkedIn profile (https://www.linkedin.com/in/susan-m-93069a/), it looks like she also follows this practice. If you look at her previous positions they are listed simply as "Professional".

TL;DR She may indeed be unqualified, but there is no way to determine that only from her LinkedIn profile.

Headlines like these are why companies list relevant college degrees as job requirements.
And now this post has been deleted from the HN front page... Edit: they've unmarked it
I think what's likely is that the articles are being flagged by HN members (and possibly down weighted by mods) as not something that can be constructively discussed on HN. If you've looked at the discussions, they've produced far more heat than light.

As for being a dupe, it is in the sense that the same topic has been introduced multiple times:

https://hn.algolia.com/?query=equifax%20music&sort=byPopular...

It's marked as "dupe"

Edit: it was unmarked, thank you Scott

We've unmarked this one as a duplicate (of https://news.ycombinator.com/item?id=15258510). Both stories have received many flags by users, perhaps because the indignation to insight ratio is off.
The other post wasn't really a story, it was a link to her profile on LinkedIn. I can see why there wouldn't be much to discuss, and why most people probably wouldn't want to upvote that. (Especially given the information about how that page has been altered, that you can find in the article that is the subject of this posting.)
None of the previous articles posted in the search you linked... (a) were articles, or (b) had any mention of the fact that Equifax has evidently gone to great lengths to scrub this information off the internet. The video interviews with their CISO from before the breach were eye-opening. "Resistance to the cloud is futile."

You can still find a transcript of one of the two interviews here, but it does not include this quote

https://archive.is/Je7Yi

https://archive.is/6M8mg

There is absolutely nothing wrong with having a music degree then going into tech. I have a CS degree but I worked with a lot of talented and smart individuals who either didn't finish college.

That is true in general, however in this case we know there was a major breach maybe one of the biggest ones, now all of the sudden having a Music degree _and_ seemingly not having relevant infosec experience doesn't look too good.

Had there been no breach, fine, nobody would have noticed and everyone would have given the benefit of the doubt, even say "How nice, they could pivot from a different degree etc."

Moreover what looks shady is that they changed their last first name to M. instead Mauldin in LinkedIn profile. Their interviews have been taken down etc. If they had experience and this was just an unfortunate example, they would have stood by and defended and explained what happened. The weasily hiding looks shady like they are hiding their incompetence.

Gross negligence. Might as well hired a janitor to build your infrastructure.
Hey! I'm an engineer that has a major in music! I take offense to this headline.

No, I don't think I'm currently qualified to be CSO anywhere - but I don't think it's a stretch that a music major could be.

Well you could also argue that cs major would take offense at that fact that all the years of his education in the relavant field are effectively useless if you would not consider what education the candidate has while securing the job.
The problem is definitely not the music degree. As many have said there are many brilliant technical folks who have music degrees.

The problem is the low quality hiring of executives. This seems to plague almost every large company out there. These "executive level" people are just part of some inner circle and know somebody who knows somebody. They might look good on paper. The reality is that boards and CEOs have too little knowledge of the specifics of their business and make chicken-shit hires.

A lot of comments here are saying education is irrelevant.. It is very much relevant , you don't want a self taught doctor . All other professional fields such as lawyers, doctors, accountants have highly regulated practice where qualifications are very important, expect engineering.

It should not be acceptable to have dam built by a self taught engineer, or the privacy of 100 million ppl is safe guarded by music major even she had "relevant experience" there is a reason education and certification exist