
Equifax CEO hired a music major as the company’s chief security officer - senthil_rajasek
http://www.marketwatch.com/story/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15
======
cheeze
IMO being a music major isn't the story here, having no related
experience/knowledge is. But that doesn't get clicks quite as well.

One of the best engineers I've ever met had a bachelor's in Psychology. Another
was a high school dropout. The difference though was that those folks spent a
ton of time learning everything they could, and continually improved.

Having a music major isn't a bad thing at all. Having no relevant experience
is a much larger concern for me.

I'd go as far as saying that this headline is harmful. It perpetuates the
"only people with CS degrees can program/security/architect", which isn't true
at all. We shouldn't be shaming people who come from another walk of life.
More power to those who didn't get a traditional CS degree and still kick ass
:)

~~~
tjr
I started out majoring in music. I switched to studying CS and math because
career prospects looked better. It was also easier.

~~~
capkutay
Same...I think it's sad that people who theoretically know how to 'code'
(writing music, converting music notation into sounds) and spend thousands of
hours on a rigorous practice are cast as being useless to the modern
workforce.

I feel like music majors have to be very technical and studious...something
that really does transfer well to any other field if they put their mind to
it.

------
coleca
I'm no fan of Equifax, but some of the most talented engineers I've worked
with have been music majors, musicians, etc. It has nothing to do with whether
she is qualified or not for the job.

The real story here is how Marketwatch (and HN, and Reddit, and Twitter, etc)
is coming to the conclusion that she is unqualified simply by looking at her
LinkedIn profile. I know many security professionals that have no LinkedIn
profile, or list very barebones information on it because they see themselves
as targets for spear phishing and see no need to give potential attackers any
easy ammunition.

From looking at her LinkedIn profile
([https://www.linkedin.com/in/susan-m-93069a/](https://www.linkedin.com/in/susan-m-93069a/)),
it looks like she also follows this practice. If you look at her previous
positions they are listed simply as "Professional".

TL;DR She may indeed be unqualified, but there is no way to determine that
only from her LinkedIn profile.

------
sp332
This is bullshit.

Alice Goldfuss, SRE at github: "reddit is mocking the Equifax CISO for having
a music degree, meanwhile I know no one in infosec with a CS one"
[https://twitter.com/alicegoldfuss/status/908430394529259520](https://twitter.com/alicegoldfuss/status/908430394529259520)

~~~
Cookingboy
Why should the word of a SRE at a small company be the gospel at this?

When I was working at Cisco pretty much all InfoSec people I know had a
technical degree, from CS to EE to sometimes Mathematics.

I'm sure there are some outliers, but saying "no infosec people have degree in
CS" is just plain ridiculous.

~~~
jpk
> "no infosec people have degree in CS"

You stretched that tweet pretty far. It's clearly nothing more than an
anecdotal counterexample. I'm not sure how your paraphrasing quote ended up
becoming such a sweeping generalization.

~~~
kinkrtyavimoodh
OP knows it's an anecdote. They are questioning the value of an anecdote from
someone in a small company when the anecdote is about claiming to know enough
people belonging to a certain category.

~~~
sp332
But github is very popular in the tech community. You'd think she would have
met some infosec people with relevant degrees if they were common.

------
kinkrtyavimoodh
I don't think people are dissing her for having a music degree. They are
dissing her for apparently having no infosec experience (an accusation further
intensified by her education also not being in a technical field). Whether
that is true or not can be investigated. But saying that the row is about her
having a music degree is a slight misrepresentation.

~~~
yebyen
I was pretty sure it was true (that she had no experience at all) after
listening to the first two or three minutes of the video interviews that were
available here[1], but apparently they don't want anyone to see interviews
with the CISO from before the breach. I have never seen anybody say cloud so
many times in two minutes.

By the end of the interview, I felt sorry for her. I have no idea if she had
relevant experience or not, she just sounded like someone who has been
conditioned to argue that delays in new development are unacceptable, and that
the cloud is inevitable, and if it costs more to do it right then you'll have
to make do with less, and cetera and so forth.

I'm not terribly shocked that they've taken down these interviews, but I am
very sorry I didn't save a copy when I found them. They were still available
for viewing as of 12:31pm Eastern Time on Sept 10, and there are transcripts
that you can find following the links in the article, which has been updated
to note the videos were scrubbed from the internet.

Serious question, is there any way this might actually count as destroying
evidence?

[1]: [https://www.hollywoodlanews.com/equifax-chief-security-offic...](https://www.hollywoodlanews.com/equifax-chief-security-officer/)

------
yebyen
I would really like to post the link to video interviews with Susan Mauldin
(they made quite an impression on me) but they were deleted apparently only
hours after I watched them.

[https://www.hollywoodlanews.com/equifax-chief-security-offic...](https://www.hollywoodlanews.com/equifax-chief-security-officer/)

There is a transcript that you can still read at:

[http://archive.is/6M8mg](http://archive.is/6M8mg)

------
rdtsc
There is absolutely nothing wrong with having a music degree then going into
tech. I have a CS degree but I worked with a lot of talented and smart
individuals who either didn't finish college.

That is true in general, however in this case we know there was a major breach
maybe one of the biggest ones, now all of a sudden having a Music degree
_and_ seemingly not having relevant infosec experience doesn't look too good.

Had there been no breach, fine, nobody would have noticed and everyone would
have given the benefit of the doubt, even say "How nice, they could pivot from
a different degree etc."

Moreover what looks shady is that they changed their last first name to M.
instead of Mauldin in LinkedIn profile. Their interviews have been taken down
etc. If they had experience and this was just an unfortunate example, they
would have stood by and defended and explained what happened. The weaselly
hiding looks shady like they are hiding their incompetence.

------
ris
I know numerous people whose technical skills I highly respect that have a
degree in all kinds of things, or, indeed, nothing.

~~~
CalChris
Are any of them the Chief Security Officer of a $17.5B company?

~~~
ojr
so a college degree in Computer Science, where they recycle old final exams
would have saved the day? How many degree holders can even go back and pass the
final exams, cramming knowledge for a test is not an indicator for security
competence

~~~
vecter
That's a pretty silly strawman to build up and then tear down.

That's tantamount to saying an engineering degree is just a piece of paper. Of
course it implies a lot more.

~~~
grandalf
Many people with a CS degree are clueless about security. It's a relatively
new discipline.

------
atom_enger
This is the wrong thing to focus on. The situation we're in isn't a result of
where this person was educated. The fact that they had a lack of professional
experience required to demand a standard of security that would prevent this
type of problem is the only thing I think worth discussing here.

I dropped out of school as soon as I realized I could make 50k/year doing IT
work vs _paying_ 50k a year to a school whose curriculum was from the stone
age. I fully endorse education of all forms but our current model for
educating the next generation of workforce is broken but I digress.

------
paulpauper
I'm kinda amazed this is now such a big story. It was picked up on Reddit 4
days ago.

The story is more complicated than this
[http://greyenlightenment.com/equifax-hack-analysis/](http://greyenlightenment.com/equifax-hack-analysis/)

1. she was hired in 2013. Betting against Equifax stock on this knowledge
would have resulted in a large loss.

2. The odds of Equifax (or any company) being hacked are high if hackers are
determined enough. If Bitcoin exchanges, ICOs, and online wallets, which are
run by STEM people, find it very hard to stop hackers, what does that say
about most websites in general.

~~~
rsyntax
agreed but the hack was a result of credentials being "admin/password"

~~~
grandalf
How many layers of management should have caught that first? It shouldn't
matter whether someone graduated from third grade when it comes to something
that simple.

------
thebiglebrewski
Hey! I'm an engineer that has a major in music! I take offense to this
headline.

No, I don't think I'm currently qualified to be CSO anywhere - but I don't
think it's a stretch that a music major could be.

~~~
manquer
Well you could also argue that cs major would take offense at that fact that
all the years of his education in the relevant field are effectively useless
if you would not consider what education the candidate has while securing the
job.

------
manquer
A lot of comments here are saying education is irrelevant.. It is very much
relevant , you don't want a self taught doctor . All other professional fields
such as lawyers, doctors, accountants have highly regulated practice where
qualifications are very important, except engineering.

It should not be acceptable to have dam built by a self taught engineer, or
the privacy of 100 million ppl is safeguarded by music major even if she had
"relevant experience" there is a reason education and certification exist

------
purplezooey
The problem is definitely not the music degree. As many have said there are
many brilliant technical folks who have music degrees.

The problem is the low quality hiring of executives. This seems to plague
almost every large company out there. These "executive level" people are just
part of some inner circle and know somebody who knows somebody. They might
look good on paper. The reality is that boards and CEOs have too little
knowledge of the specifics of their business and make chicken-shit hires.

------
yardie
She did have an MBA, so maybe that degree should be a sign of incompetence.

Instead of asking the Infosec community for their thoughts this journalist is
showing he is already out of his depth.

------
S_A_P
Red Herring to irrelevant what she majored in in college. C level employees
are not in the weeds or frontline when it comes to security anyway. At worst,
she could be blamed for not having the correct vision or grasping the scope of
importance securing this data required. As long as she hired and trusted the
right people that is all that really matters. A breach like this is more than
just one person's fault...

~~~
grandalf
I'm shocked that so many people fail to realize this is a red herring. This is
more shocking to me than the story itself.

------
vikingcaffiene
I am as mad as anyone about the Equifax breach but this story is bs. A degree
or lack thereof has nothing to do with one's technical competence. The best
programmer I've ever met was self taught. The worst had a masters degree.

~~~
manquer
Outliers exist obviously. Why Education is irrelevant in engineering would you
want a self taught doctor operating on you ? Why are you okay with unqualified
person handling privacy of 150 million people ?

------
tici_88
Well, we can all argue one way or another about how relevant a CS degree would
have been. The fact though that the profile was altered and other data deleted
remains highly suspicious, if true.

~~~
yebyen
It is super fishy that they got rid of every copy of video interviews with
Susan Mauldin right as they were being reported on. I watched the interviews
before they got erased and I was shocked that they were ever aired, I'm sure
the transcript does not convey as much about how little this person seems to
know for being the person in charge of the security of every person's credit
files who has credit in the US.

I don't like to see people get shit on (and she looked like a person who was
trying hard to do a good job,) but she also looked like a person who was put
in that position because someone with a lot of money knew that doing security
right would be expensive, and she would be someone to comply.

------
sgman
Headlines like these are why companies list relevant college degrees as job
requirements.

------
blairanderson
Click bait headline.

------
yebyen
And now this post has been deleted from the HN front page... Edit: they've
unmarked it

~~~
grzm
I think what's likely is that the articles are being flagged by HN members
(and possibly down weighted by mods) as not something that can be
constructively discussed on HN. If you've looked at the discussions, they've
produced far more heat than light.

As for being a dupe, it is in the sense that the same topic has been
introduced multiple times:

[https://hn.algolia.com/?query=equifax%20music&sort=byPopular...](https://hn.algolia.com/?query=equifax%20music&sort=byPopularity&prefix&page=0&dateRange=all&type=story)

~~~
yebyen
It's marked as "dupe"

Edit: it was unmarked, thank you Scott

~~~
sctb
We've unmarked this one as a duplicate (of
[https://news.ycombinator.com/item?id=15258510](https://news.ycombinator.com/item?id=15258510)).
Both stories have received many flags by users, perhaps because the
indignation to insight ratio is off.

~~~
yebyen
The other post wasn't really a story, it was a link to her profile on
LinkedIn. I can see why there wouldn't be much to discuss, and why most people
probably wouldn't want to upvote that. (Especially given the information about
how that page has been altered, that you can find in the article that is the
subject of this posting.)

