11 comments

[ 2.8 ms ] story [ 32.1 ms ] thread
(comment deleted)
These articles are misguided. Nobody's saying music majors are idiots and unqualified to be in-charge of security at a web company because of the degree itself. If you're hearing that maybe it's your own thoughts bubbling up on you.

What people want to highlight is that this woman's only qualification is being a music major. She has literally no experience in managing the security of hundreds of millions of people's private information. For a company handling such huge amounts of such sensitive data, the CSO should possess exceptional credentials in the security community. She clearly does not.

Combine this with the facts that we know are correct (Equifax has terrible data security and response), and the music major qualification becomes a big red flag.

When sexual harassment allegations against Uber executives surfaced, didn't we put a lot of blame on the CEO for letting such a work-culture thrive? The same is applicable here on the CSO, and the CEO for hiring a woman whose sole achievement is a music degree.

Take a look at the links to the articles this article criticizes. They do not highlight general lack of qualifications, they focus almost entirely on the music education angle when talking about her.

E.g. http://www.marketwatch.com/story/equifax-ceo-hired-a-music-m... talks about her non-degree experience with one sentence:

> To play devil’s advocate, Mauldin does at least have 14 years’ private-sector experience since getting her degrees.[...] The question is how far any of this can take you in this field if you don’t have a formal education in technology.

Pointing out to the general public that this alone is not unusual in the field is IMHO important context. And it's not like the article is trying to argue that she was good at her job, just that you can't derive much information from the pure fact what degree someone has.

So if Signal turns out to have a critical bug will it become relevant that Moxie is a boating enthusiast?
Boating enthusiast isn't a qualification?
The Linkedin profile is now gone.. but the employment history was listed as "Professional" for the CSO's previous positions - rather than showing a graceful rise to a C-level position.

C-Level is amongst other things, a strategic and political position.

After an incident like this, it is understandable that people look at the profile of those entrusted with this responsibility.

If we look at Moxie's OSINT, we'd quickly see that he was perfectly qualified based on his presence in the ecosystem (conference talks etc).

A more suitable comparison would be the CSO of Equifax's competitor - which is Experian.

Do the same comparison with their CSO:

  - Director of Security / Compliance,Capital One
  - VP of Information Security, Citi Group
  - Director Information Security and Risk Management, Thomson Reuters
  - Director / CSO, Experian
Oh, this candidate also has relevant publications, certifications and a PhD in Computer Science..

Whilst I think the education is relevant, I don't think it is the defining factor... But.. We should be careful to jump to "education doesn't matter".

Was this the right person to be entrusted with the strategy for OUR data security? We simply don't know... but what we have seen has caused concern.

Are we talking about the same article?

Here's a quote from the one I read:

> Internet sleuths dutifully began digging into Mauldin's past — and uncovered what seemed like the perfect fuel for the raging firestorm of public outrage. It turned out that Mauldin, the top executive handling cybersecurity at Equifax, didn't have much formal training in technology. She had studied music composition at the University of Georgia.

> This was the smoking gun (my emphasis) that to some proved Mauldin's obvious unfitness for the job. With a bachelor of arts and a master's of fine arts, Mauldin's record betrayed a “lack of educational qualifications” for her job, according to a columnist writing for MarketWatch. Other outlets seized on the point and ran with it. “Equifax Execs Resign; Security Head, Mauldin, Was Music Major,” read one headline from NBC News.

Your well-reasoned comparison emphasizes the lack of work experience in any related field (and Moxie's wealth of such experience). The WAPO author on the other hand falls through to the only reported formal education, speculates that it is a "smoking gun", and attributes it to an anonymous group of unverifiable experts.

Furthermore, your well-reasoned argument works just as well if the person in question had studied computer science in college. The absence of any other experience in the field would be the same red flag as it was here. The only difference is in that case, the WAPO journalist would have been forced to lead with the less effective but more accurate "absence of experience" rather than "studied music". Instead, because the journalist had a choice and made it we can judge the veracity of their tech reporting accordingly.

Edit: typo

The edited title here ("Equifax’s security chief had some big problems") doesnt match the article. There's no discussion about Mauldin's problems.

The full title is "Equifax’s security chief had some big problems. Being a music major wasn’t one of them."

And the article is entirely about that 2nd part... that her degree in music shouldn't be an issue.

I noticed this too. Was waiting for the big problems and they never surfaced. I expected him to talk about ignoring warnings from low-level people or disregarding PCI-compliance reports... It's easy to dismiss the music major thing as "fake news" or whatever you want to call it. What did this multi-million dollar organization miss? Surely they have outside PCI checks for common security issues, right? Maybe she ignored middle managers. Did they fail to renew some contract (like the NHS did to pay for extended Windows XP support) and updates stopped? What was it?
Do C-level exec have performance reviews? That'd be more telling than the degree etc etc
Let's face it, security is a tough, technical challenge. The friendly slide decks with clip art of people shaking hands and "consultants" that make us feel good can only get you so far.