It really depends on your social circle and what area of infosec you're in. I've socially been in the 'hacker community' for most of my life and virtually nobody that I associate with from there has an actual CS degree.
A few folks got Physics degrees, but the vast majority of people I know left school to work and have not finished. Myself included.
The other very common backgrounds that I encounter is people who served in the military and people who backdoored their way into it from being sysadmins.
Totally ignoring the fact that she was magna cum laude for her BA and summa cum laude for her MFA. And 15 years of experience working in tech.
She could have her degrees for computer music for all we know, which at the time she got them probably would have required some serious programming chops.
they aren't saying "no infosec people have degree in CS", they are saying they don't know any. I don't know that I do either. I know very few people with CS degrees.
You stretched that tweet pretty far. It's clearly nothing more than an anecdotal counterexample. I'm not sure how your paraphrasing quote ended up becoming such a sweeping generalization.
OP knows it's an anecdote. They are questioning the value of an anecdote from someone in a small company when the anecdote is about claiming to know enough people belonging to a certain category.
obviously Equifax has shit security they had multiple webpage panels exposed on the public internet (ouch so stupid) and with default credentials of admin/admin and you are arguing that the CISO is competent? She was obviously massively incompetent.
IMO being a music major isn't the story here, having no related experience/knowledge is. But that doesn't get clicks quite as well.
One of the best engineers I've ever met had a bachelors in Psychology. Another was a highschool dropout. The difference though was that those folks spent a ton of time learning everything they could, and continually improved.
Having a music major isn't a bad thing at all. Having no relevant experience is a much larger concern for me.
I'd go as far as saying that this headline is harmful. It perpetuates the "only people with CS degrees can program/security/architect", which isn't true at all. We shouldn't be shaming people who come from another walk of life. More power to those who didn't get a traditional CS degree and still kick ass :)
Yeah. If you graduated more than 10 years ago I don't really care what your degree was in, but I do care about what you know and where you've practiced it.
Same...I think it's sad that people who theoretically know how to 'code' (writing music, converting music notation into sounds) and spend thousands of hours on a rigorous practice are cast as being useless to the modern workforce.
I feel like music majors have to be very technical and studious...something that really does transfer well to any other field if they put their mind to it.
The way I read it is that: hey, they hired a person whose most relevant experience is a music degree. Of course, the title certainly leads itself to other interpretations.
I work with a talented and diligent colleague who started college as a CS major but switched to music (and a minor in geology). He participates in hardware hacking CTFs for fun and runs circles around me.
I also work with another colleague who had a scholarship to his undergrad for music, who switched to CS. Not as technical as the first colleague, but is very good at systems thinking.
A third colleague is a superb SME who understands security policy, compliance, and risk management (with a CISSP and actually using it); he was an architect and interior designer before switching careers... and is in a band. :)
Music isn't a bad background to have in IT or security fields from my perspective. Issues with anecdotes aside, I don't see the issue here if a person has demonstrated growth and expertise in the field.
"of a company handling important private financial data of more or less the whole population of the United States" would be more relevant than the market cap here, I think.
so a college degree in Computer Science, where they recycle old final exams would have save the day? How many degree holders can even go back and pass the final exams, cramming knowledge for a test is not an indicator for security competence
I don't think people are dissing her for having a music degree. They are dissing her for apparently having no infosec experience (an accusation further intensified by her education also not being in a technical field). Whether that is true or not can be investigated. But saying that the row is about her having a music degree is a slight misrepresentation.
I was pretty sure it was true (that she had no experience at all) after listening to the first two or three minutes of the video interviews that were available here[1], but apparently they don't want anyone to see interviews with the CISO from before the breach. I have never seen anybody say cloud so many times in two minutes.
By the end of the interview, I felt sorry for her. I have no idea if she had relevant experience or not, she just sounded like someone who has been conditioned to argue that delays in new development are unacceptable, and that the cloud is inevitable, and if it costs more to do it right then you'll have to make do with less, and cetera and so forth.
I'm not terribly shocked that they've taken down these interviews, but I am very sorry I didn't save a copy when I found them. They were still available for viewing as of 12:31pm Eastern Time on Sept 10, and there are transcripts that you can find following the links in the article, which has been updated to note the videos were scrubbed from the internet.
Serious question, is there any way this might actually count as destroying evidence?
This is the wrong thing to focus on. The situation we're in isn't a result of where this person was educated. The fact that they had a lack of professional experience required to demand a standard of security that would prevent this type of problem is the only thing I think worth discussing here.
I dropped out of school as soon as I realized I could make 50k/year doing IT work vs paying 50k a year to a school whose curriculum was from the stone age. I fully endorse education of all forms but our current model for educating the next generation of workforce is broken but I digress.
1. she was hired in 2013. Butting against equifax stock on this knowledge would have resulted in a large loss.
2. The odds of Equifax (or any company) being hacked are high if hackers are determined enough. It Bitcoin exchanges, ICOs, and online wallets, which are run by STEM people, find it very hard to stop hackers, what does that say about most websites in general.
How many layers of management should have caught that first? It shouldn't matter whether someone graduated from third grade when it comes to something that simple.
I am as mad as anyone about the Equifax breach but this story is bs. A degree or lack thereof has nothing to do with ones technical competence. The best programmer I've ever met was self taught. The worst had a masters degree.
Outliers exist obviously. Why Education is irrelevant in engineering would you want a self taught doctor operating on you ? Why are you okay with unqualified person handling privacy if 150 million people ?
Red Herring to irrelevant what she majored in in college. C level employees are not in the weeds or frontline when it comes to security anyway. At worst, she could be blamed for not having the correct vision or grasping the scope of importance securing this data required. As long as she hired and trusted the right people that is all that really matters. A breach like this is more than just one persons fault...
Well, we can all argue one way or another about how relevant a CS degree would have been. The fact though that the profile was altered and other data deleted remains highly suspicious, if true.
It is super fishy that they got rid of every copy of video interviews with Susan Mauldin right as they were being reported on. I watched the interviews before they got erased and I was shocked that they were ever aired, I'm sure the transcript does not convey as much about how little this person seems to know for being the person in charge of the security of every person's credit files who has credit in the US.
I don't like to see people get shit on (and she looked like a person who was trying hard to do a good job,) but she also looked like a person who was put in that position because someone with a lot of money knew that doing security right would be expensive, and she would be someone to comply.
I would really like to post the link to video interviews with Susan Mauldin (they made quite an impression on me) but they were deleted apparently only hours after I watched them.
I'm no fan of Equifax, but some of the most talented engineers I've worked with have been music majors, musician, etc. It has nothing to do with whether she is qualified or not for the job.
The real story here is how Marketwatch (and HN, and Reddit, and Twitter, etc) is coming to the conclusion that she is unqualified simply by looking at her LinkedIn profile. I know many security professionals that have no LinkedIn profile, or list very barebones information on it because they see themselves as targets for spear phishing and see no need to give potential attackers any easy ammunition.
From looking at her LinkedIn profile (https://www.linkedin.com/in/susan-m-93069a/), it looks like she also follows this practice. If you look at her previous positions they are listed simply as "Professional".
TL;DR She may indeed be unqualified, but there is no way to determine that only from her LinkedIn profile.
I think what's likely is that the articles are being flagged by HN members (and possibly down weighted by mods) as not something that can be constructively discussed on HN. If you've looked at the discussions, they've produced far more heat than light.
As for being a dupe, it is in the sense that the same topic has been introduced multiple times:
We've unmarked this one as a duplicate (of https://news.ycombinator.com/item?id=15258510). Both stories have received many flags by users, perhaps because the indignation to insight ratio is off.
The other post wasn't really a story, it was a link to her profile on LinkedIn. I can see why there wouldn't be much to discuss, and why most people probably wouldn't want to upvote that. (Especially given the information about how that page has been altered, that you can find in the article that is the subject of this posting.)
None of the previous articles posted in the search you linked... (a) were articles, or (b) had any mention of the fact that Equifax has evidently gone to great lengths to scrub this information off the internet. The video interviews with their CISO from before the breach were eye-opening. "Resistance to the cloud is futile."
You can still find a transcript of one of the two interviews here, but it does not include this quote
There is absolutely nothing wrong with having a music degree then going into tech. I have a CS degree but I worked with a lot of talented and smart individuals who either didn't finish college.
That is true in general, however in this case we know there was a major breach maybe one of the biggest ones, now all of the sudden having a Music degree _and_ seemingly not having relevant infosec experience doesn't look too good.
Had there been no breach, fine, nobody would have noticed and everyone would have given the benefit of the doubt, even say "How nice, they could pivot from a different degree etc."
Moreover what looks shady is that they changed their last first name to M. instead Mauldin in LinkedIn profile. Their interviews have been taken down etc. If they had experience and this was just an unfortunate example, they would have stood by and defended and explained what happened. The weasily hiding looks shady like they are hiding their incompetence.
Well you could also argue that cs major would take offense at that fact that all the years of his education in the relavant field are effectively useless if you would not consider what education the candidate has while securing the job.
The problem is definitely not the music degree. As many have said there are many brilliant technical folks who have music degrees.
The problem is the low quality hiring of executives. This seems to plague almost every large company out there. These "executive level" people are just part of some inner circle and know somebody who knows somebody. They might look good on paper. The reality is that boards and CEOs have too little knowledge of the specifics of their business and make chicken-shit hires.
A lot of comments here are saying education is irrelevant.. It is very much relevant , you don't want a self taught doctor . All other professional fields such as lawyers, doctors, accountants have highly regulated practice where qualifications are very important, expect engineering.
It should not be acceptable to have dam built by a self taught engineer, or the privacy of 100 million ppl is safe guarded by music major even she had "relevant experience" there is a reason education and certification exist
67 comments
[ 3.3 ms ] story [ 122 ms ] threadAlice Goldfuss, SRE at github: "reddit is mocking the Equifax CISO for having a music degree, meanwhile I know no one in infosec with a CS one" https://twitter.com/alicegoldfuss/status/908430394529259520
When I was working at Cisco pretty much all InfoSec people I know had a technical degree, from CS to EE to sometimes Mathematics.
I'm sure there are some outliers, but saying "no infosec people have degree in CS" is just plain ridiculous.
Worked with several highly competent people in tech and infosec with music degrees, liberal arts degrees, no degree...
I'm not saying music degree people can't be good engineers, but saying "no infosec people have CS degree" is plain absurd.
A few folks got Physics degrees, but the vast majority of people I know left school to work and have not finished. Myself included.
The other very common backgrounds that I encounter is people who served in the military and people who backdoored their way into it from being sysadmins.
She could have her degrees for computer music for all we know, which at the time she got them probably would have required some serious programming chops.
You stretched that tweet pretty far. It's clearly nothing more than an anecdotal counterexample. I'm not sure how your paraphrasing quote ended up becoming such a sweeping generalization.
One of the best engineers I've ever met had a bachelors in Psychology. Another was a highschool dropout. The difference though was that those folks spent a ton of time learning everything they could, and continually improved.
Having a music major isn't a bad thing at all. Having no relevant experience is a much larger concern for me.
I'd go as far as saying that this headline is harmful. It perpetuates the "only people with CS degrees can program/security/architect", which isn't true at all. We shouldn't be shaming people who come from another walk of life. More power to those who didn't get a traditional CS degree and still kick ass :)
I feel like music majors have to be very technical and studious...something that really does transfer well to any other field if they put their mind to it.
I also work with another colleague who had a scholarship to his undergrad for music, who switched to CS. Not as technical as the first colleague, but is very good at systems thinking.
A third colleague is a superb SME who understands security policy, compliance, and risk management (with a CISSP and actually using it); he was an architect and interior designer before switching careers... and is in a band. :)
Music isn't a bad background to have in IT or security fields from my perspective. Issues with anecdotes aside, I don't see the issue here if a person has demonstrated growth and expertise in the field.
That's tantamount to saying an engineering degree is just a piece of paper. Of course it implies a lot more.
By the end of the interview, I felt sorry for her. I have no idea if she had relevant experience or not, she just sounded like someone who has been conditioned to argue that delays in new development are unacceptable, and that the cloud is inevitable, and if it costs more to do it right then you'll have to make do with less, and cetera and so forth.
I'm not terribly shocked that they've taken down these interviews, but I am very sorry I didn't save a copy when I found them. They were still available for viewing as of 12:31pm Eastern Time on Sept 10, and there are transcripts that you can find following the links in the article, which has been updated to note the videos were scrubbed from the internet.
Serious question, is there any way this might actually count as destroying evidence?
[1]: https://www.hollywoodlanews.com/equifax-chief-security-offic...
Instead of asking the Infosec community for their thoughts this journalist is showing he is already out of his depth.
I dropped out of school as soon as I realized I could make 50k/year doing IT work vs paying 50k a year to a school whose curriculum was from the stone age. I fully endorse education of all forms but our current model for educating the next generation of workforce is broken but I digress.
The story is more complicated than this http://greyenlightenment.com/equifax-hack-analysis/
1. she was hired in 2013. Butting against equifax stock on this knowledge would have resulted in a large loss.
2. The odds of Equifax (or any company) being hacked are high if hackers are determined enough. It Bitcoin exchanges, ICOs, and online wallets, which are run by STEM people, find it very hard to stop hackers, what does that say about most websites in general.
I don't like to see people get shit on (and she looked like a person who was trying hard to do a good job,) but she also looked like a person who was put in that position because someone with a lot of money knew that doing security right would be expensive, and she would be someone to comply.
https://www.hollywoodlanews.com/equifax-chief-security-offic...
There is a transcript that you can still read at:
http://archive.is/6M8mg
The real story here is how Marketwatch (and HN, and Reddit, and Twitter, etc) is coming to the conclusion that she is unqualified simply by looking at her LinkedIn profile. I know many security professionals that have no LinkedIn profile, or list very barebones information on it because they see themselves as targets for spear phishing and see no need to give potential attackers any easy ammunition.
From looking at her LinkedIn profile (https://www.linkedin.com/in/susan-m-93069a/), it looks like she also follows this practice. If you look at her previous positions they are listed simply as "Professional".
TL;DR She may indeed be unqualified, but there is no way to determine that only from her LinkedIn profile.
As for being a dupe, it is in the sense that the same topic has been introduced multiple times:
https://hn.algolia.com/?query=equifax%20music&sort=byPopular...
Edit: it was unmarked, thank you Scott
You can still find a transcript of one of the two interviews here, but it does not include this quote
https://archive.is/Je7Yi
https://archive.is/6M8mg
That is true in general, however in this case we know there was a major breach maybe one of the biggest ones, now all of the sudden having a Music degree _and_ seemingly not having relevant infosec experience doesn't look too good.
Had there been no breach, fine, nobody would have noticed and everyone would have given the benefit of the doubt, even say "How nice, they could pivot from a different degree etc."
Moreover what looks shady is that they changed their last first name to M. instead Mauldin in LinkedIn profile. Their interviews have been taken down etc. If they had experience and this was just an unfortunate example, they would have stood by and defended and explained what happened. The weasily hiding looks shady like they are hiding their incompetence.
No, I don't think I'm currently qualified to be CSO anywhere - but I don't think it's a stretch that a music major could be.
The problem is the low quality hiring of executives. This seems to plague almost every large company out there. These "executive level" people are just part of some inner circle and know somebody who knows somebody. They might look good on paper. The reality is that boards and CEOs have too little knowledge of the specifics of their business and make chicken-shit hires.
It should not be acceptable to have dam built by a self taught engineer, or the privacy of 100 million ppl is safe guarded by music major even she had "relevant experience" there is a reason education and certification exist