Equifax and the Precedent Set by the Media

With all of the coverage, it’s really not worth recapping the entire Equifax breach and how disastrous it is and likely will be for American adults for years to come.  Of course, this all depends on who reaped the reward and what their intentions are… There will be plenty of speculation in the weeks to follow and hopefully a glimmer of factual evidence will be included. What I do want to talk about is the picture painted by the media of Equifax’s security leadership, Susan Mauldin, whose qualification as Equifax’s Chief Information Security Officer is being scrutinized, because of Susan’s education.

Let me preface this post with:

  • I do not know Susan Mauldin
  • I have never met Susan Mauldin
  • I have absolutely no clue whether she is qualified or not… but neither do you.

I typically do not feel compelled to write an opinionated post on such a topic, but in this case, I felt it to be necessary.  Why?  Because this is an industry that is thirsty for talent and after working in InfoSec for years, I have met many amazing (talented) people.  When I say, “amazing,” I mean – I would not be where I am today without having met the folks – Everyone from analysts and engineers to architects and CISOs.  If you work in InfoSec, I will almost guarantee that you know some very talented folks who lack formal education in a security-related discipline, or even a technical discipline, or lack formal higher education altogether.

My point being: The media is painting this picture of Susan Mauldin as some incompetent executive, even though no one knows her or her level of qualification for that matter.  This portrayal is all on the basis of Susan’s education, which is in Music Composition, as visible on her LinkedIn profile – yeah… her LinkedIn profile.  You can agree to disagree, but there are some fundamental problems regarding the media’s disqualification of Susan’s competency:

  • There was no formal education or curriculum in InfoSec at the time she attended college. Even if there were, you’d have to take a few things into consideration.  First and foremost, who actually comes out of college and “knows” everything that they would need to know?  From my perspective, I learned a hell of a lot more working in the field and on my own than I did in the classroom and I know plenty of others that feel the same way.  The other important thing to consider is the fact that even if Susan held a degree in a related field, does that automatically make her an expert?  Think hard about that one, college grads.
  • Aside from looking at Susan’s education, did they look at her work history? If they did, they would have noticed that over the past 15 years, Susan has held positions at Hewlett-Packard, Sun Trust Bank, and First Data, before becoming the CISO for Equifax. There isn’t much detail regarding what her position was at those other organizations or to what capacity, but I will almost bet that she wasn’t composing music.
  • How will this affect those quality InfoSec people that are out there who do not have a formal education in InfoSec or a related subject? I personally believe that it hurts the industry.  An industry that is in desperate need of talent.  If the perception becomes that you cannot get exceptional people, because they do not possess what the media perceives as a job qualifier, then you are doing yourself and your organization a disservice.  There are ways to qualify people – LinkedIn?  That’s not one of them.

No one ever wants to be the figure of scrutiny, but no one wants to get breached either.  You can argue negligence as the result of the breach.  I wouldn’t disagree, but how do you know that Susan was aware of the vulnerability?  Many of the people that I have met in her position only know what they are told – not an excuse, but the point being:  We do not have all of the facts.
