
The Equifax Chief Security Officer Received a BA and MFA in Music Composition - thisisdallas
https://www.linkedin.com/in/susan-m-93069a/
======
nxsynonym
While it's easy to jump on the Equifax Sucks Bandwagon (they do), I find it
hard to believe that the degree earned has anything to do with this breach.

Are you absolutely certain that if their Chief Security Officer had a degree
in CS that things would have been different?

Attacking someone on a personal level like this is tempting in a case this
serious, but it's in poor taste and will yield exactly 0 results. The data
can't be un-breached, and placing blame in hindsight is unhelpful and will
only escalate to more personal attacks.

Let's not pour oil on the 'STEM degrees are the only good degrees' echo
chamber fire.

~~~
dreamcompiler
It doesn't mean she didn't know what she was doing, but it certainly looks
bad. A company whose CSO doesn't have a technical degree is going to have a
harder time proving they took security seriously.

~~~
floatingatoll
Would it be less offensive to the HN community if her degree was in Math?

And, then, given that Music is entirely dependent on mathematical principles,
and Music Theory especially: What are the chances that, as an MFA in Music,
she has a _rock solid_ background in mathematics?

Does that make her choice of degree less distasteful?

Would we be having this conversation if she had no degree? (Of course not.)

~~~
phailhaus
> What are the chances that, as an MFA in Music, she has a rock solid
> background in mathematics?

Unlikely? There is no standard math requirement for music majors, and that's
pretty well known.

> Would we be having this conversation if she had no degree? (Of course not.)

Yes, even more so! A chief security officer with no degree presiding over the
security of a nation's credit data?! I mean, she's already under scrutiny
because Equifax has been hit by three big stories in the past couple weeks
demonstrating their absolute lack of concern for security: the breach, the
"random pins", the admin/admin credentials.

~~~
floatingatoll
Does it change your views if I restate this as (using just her public LinkedIn
profile):

"A chief security officer with 15 years of experience and peer accolades in
the fields of banking-grade security and human data management"

Typically, this is where most people don't even _ask_ what a degree is.
However, as you indicate "no degree" is unacceptable: _Which_ domain-relevant
degree programs, initiated 20+ years ago and completed 15 years ago, would
satisfy your terms?

~~~
phailhaus
Anything remotely technical. Remember, we wouldn't be having this conversation
if Equifax wasn't making embarrassing amateur mistakes with everyone's
personal data. Their CSO appears incompetent.

~~~
floatingatoll
Which qualifications does a "remotely technical" degree meet to operate
security at Equifax that a "non-technical" degree does not?

You imply that Music is a non-technical degree, which is arguable, but it's
certainly an Arts degree rather than a Science degree. If that's the
distinction by which you draw the line, you're wrong to do so. If you reject
job applicants to a technical role on that basis someday, that's more
overlooked high-value opportunities for others to hire instead :)

------
floatingatoll
If I hadn't quit college to continue my tech career, I would have ended up
with a degree in Sociology.

Would having a non-Tech degree make me _less_ qualified than someone who has
_no_ degree? Of course not. It proves I can do the drudge work necessary to
earn a degree, without which I must fall back on testimonials.

They have an _MFA_. That's a hell of a lot of hard work. Proves they are
capable of doing hard work.

I don't see what the problem is here.

EDIT: Received a BA, magna cum laude, and MFA, summa cum laude. That's
impressive regardless of the field. That's "succeed at all costs".

EDIT: Changed BS to degree in the first paragraph because I have no clue wtf
makes something BA or BS. It's an arbitrary division that's used primarily as
a weapon to disrespect women and is not a valid distinction of "intelligence"
or "science-capable" or "technical-capable" in the modern era in any way
whatsoever.

~~~
subie
> I don't see what the problem is here.

The massive breach of personal information.

~~~
floatingatoll
I don't understand. Could you help me understand? I'm not able to see the
connection you see between an MFA in Music and the Equifax breach, and I'll
need you to describe it clearly in order to comprehend what you're trying to
say here.

~~~
subie
Equifax's Chief Security Officer may have had a lack of knowledge in the
domain she was hired for (a very important role).

They ignored security warnings from Apache and now we have the fallout from
the breach. So did the CSO's lack of security knowledge aid in the breach? If
so, that is on Equifax for hiring her into that role.

~~~
floatingatoll
I'm unable to follow your logic here, as there's a missing component of the
explanation.

How does the CSO's multiple degrees in Music convey a lack of knowledge in the
domain she was hired for?

It doesn't, because there's no information to derive there. I believe you are
attempting to construct an argument that says that an off-topic degree
_disqualifies_ her to be a skilled practitioner by default.

This is wrong. The topic of someone's degree has no implicit bearing on their
work experience before and after it.

LinkedIn shows endorsements by tens of people at each of her jobs in the
specific labels "Information Security", "Disaster Recovery", and "Business
Continuity". By that basis, she is perfectly qualified to handle this breach.

Unfortunately, that information - which takes up as much or _more_ screen
space on her LinkedIn page than her dual degrees - wasn't considered relevant
by the OP, and is being studiously ignored for some unknown reason.

~~~
gaius
_LinkedIn shows endorsements by tens of people at each of her jobs in the
specific labels "Information Security", "Disaster Recovery", and "Business
Continuity". By that basis, she is perfectly qualified to handle this breach_

LinkedIn endorsements are as meaningful as Facebook likes.

~~~
floatingatoll
Of _course_ her LinkedIn profile does _not_ correctly reflect her experience
and qualifications.

Yet here we are, on Hacker News, with people calling her out for not having
security experience based on her LinkedIn profile having an Art degree, rather
than a Science degree.

I agree wholeheartedly with you that LinkedIn is as meaningful as Facebook. We
absolutely should not be here evaluating her qualifications based on her
LinkedIn profile. Any conclusions therein derived would be obviously wrong, by
your own point.

~~~
subie
Nobody is outright saying she doesn't have the experience. Clearly some
employees at Equifax were ignoring security vulnerabilities. The first person
you look at is the CSO.

The LinkedIn doesn't paint the whole picture, but it could indicate something,
and that's what's being pointed out.

This isn't an attack on a single person; it's an attempt to figure out how the
biggest breach of user information in history went down.

------
dang
This is unduly personal and therefore beneath the standard this community
ought to keep. Not cool.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
tptacek
It's also fucking stupid. Peiter "mudge" Zatko from the L0pht, Stripe's new
CSO, has a music degree from Berklee.

You can't criticize Equifax's CSO about her degree without revealing how
little you know about the infosec field.

~~~
dang
Thanks for that.

The middlebrow dynamic has to do with assuming one knows more than one does
and trying to constrain the spectrum of variation. Since unexpected variations
are often the most interesting, that is a big bad deal.

------
taylodl
One of the best developers and architects I've ever known has a Ph.D. in Music
Composition. Never took a formal CS course in his life - yet he was one of the
best. I suggest not being too quick to judge people by their degrees.

------
wglb
So from a CSO perspective, it isn't useful information what degree the CSO
had. Keep in mind the level of experience that she had in the position. Not
zero.

More relevant to the situation is the overall technical competence of the
organization. For a perspective, watch Alex Stamos' talk "Appsec is eating
security" [https://www.youtube.com/watch?v=2OTRU--HtLM&t=7s](https://www.youtube.com/watch?v=2OTRU--HtLM&t=7s).
The top 100 in the Fortune 500 are technical companies with technical culture.
The others, not so much. He notes that the bottom 400 (he gives them a
particular name) are likely to be doomed. The top 100 are serious technical
companies or financial institutions.

Far more important to the security of an organization is the overall culture
of the company and its technical competence compared to the degree that a CSO
received decades ago.

One example. Is it not true that the bonus calculation of the Equifax
higher-ups excludes losses due to breaches or legal or compliance hits?

Flip that around, and you will see a whole different level of internal
culture.

------
Powerofmene
Would the breach appear worse if her degree was in CS or not? Seems the HN
community is trying to correlate her degree to the breach and this is
virtually impossible. Her MFA did not cause the breach nor is there an
identifiable correlation.

~~~
phailhaus
Optics. Equifax has pretty clearly demonstrated that it does not care at all
about security. There was the breach, then the news that their "random PINs"
were just timestamps, _then_ there was the admin/admin credentials for an
employee portal. It's a pretty bad look.

~~~
floatingatoll
This is Hacker News, though. Is it news that the CSO has a degree in Music?
No, not without further investigation, which didn't occur prior to the
bait-titled link to her LinkedIn profile.

That's my only point here. Her degree is irrelevant to the point of
uselessness for determining _whether_ she's qualified, and _whether_ fault for
this incident lies with her judgement calls, or with others.

Maybe we'll find out that she's been writing internal memos for years about
the security catastrophes and they've been willfully ignored by the CEO and
the Board of Directors. Hell, she has an MFA in Music, so there's a non-zero
chance she wrote them a song about how they'll all be burned at the stake
someday if they don't listen to her. This is no less likely an outcome.

We literally have no information to accompany the bare facts of her profile.
Hacker News is not Hacker "link to a list of facts with a clickbait,
personal-attack title and hope that someone else investigates if they're
newsworthy" News. There is no news here without further investigation, and no
one has done that in this thread. This should never have been posted as-is.

EDIT: If you were doing a post-mortem of an incident and a manager came in and
said "Well, obviously that incident occurred, we let the guy with a Music
degree do production work", they'll probably end up being fired under a cloud
of HR violations, because they likely have a habit of invoking personal
attributes in an inappropriate context. Don't be That Guy. Personal attributes
- and _optics_ - are not relevant to a post-mortem. Work behaviors,
intentions, statements, and judgements are.

~~~
thisisdallas
> This is Hacker News, though. Is it news that the CSO has a degree in Music?
> No, not without further investigation, which didn't occur prior to the
> bait-titled link to her LinkedIn profile.

First off, the title was literally a fact. There was no opinion or "click
bait" added to the title.

Second, yes this is absolutely news. The Chief Security Officer of a company
who has very private details of tens of millions of US citizens received two
degrees in a music field. Some might find it news because it's, in my opinion,
quite interesting she was able to go from studying music to becoming the CSO
of a major and very important company. Some people might find it to be news
because it most certainly could cause questions of her ability when looking at
this fact and other Equifax security related facts.

I'm quite confused as to why you are so offended by this submission. It's not
uncommon for C-level executives of major businesses to have received degrees
in the area they are working. The fact that computer/network security is an
extremely focused field and the CSO of an extremely important company has two
degrees in music instead of CS or a related field is quite interesting.

------
dreamcompiler
...and now she's <cough>fired </cough>retired.

[https://investor.equifax.com/news-and-events/news/2017/09-15...](https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832)

------
otakucode
And what is the alternative? Hiring a Licensed Software Security professional?
Oh wait, those don't exist. It's software, so literally anything you do can
never be considered negligent. So it goes.

------
PascLeRasc
Music is incredibly intellectually challenging and stimulating. I'm getting a
STEM degree because I couldn't handle a music degree. Music students I know
work just as long if not longer days than I and my ECE peers do. This personal
attack of the CSO isn't relevant.