Why I cannot defend Equifax’s CISO
The Equifax breach that impacted over 143 million of Americans prompted a witch-hunt that targeted Equifax employees that were responsible for keeping the data safe and secure.
The media and general public found the background of the Chief Information Security Officer (CISO), Susan Mauldin particularly interesting. They raised an issue of the fact that a company like Equifax hired a CISO that held BA and MFA in ‘Music Composition’ instead of a CS degree that relates to her field of work.
I am a supporter (and advocate) of an idea that you do not need a CS degree to become an expert the technology field. Hands on experience, interest, and drive will always trump a cookie cutter degree. Especially when it comes to cyber security.
Many people in the technology field that feel the same way came to Ms. Mauldin’s defense — citing that her degree is irrelevant and we should not assume or speculate.
Usually, I would agree with this, but there are just too many things that point to gross negligence.
It is important to understand, that to an outsider looking in, this kind of hire is identical to appointing a surgeon general that doesn’t have a medical degree or picking a person that can’t read or write in charge of U.S. department of education.
We are not dealing with a start-up that was carelessly leaking tons of sensitive customer data. The Target breach that exposed addresses and phone numbers of 70 million customers is a child’s play compared to this.
Equifax is a juggernaut that controls the most sensitive personal information you can imagine. They record and keep track of your employment, residency, loan, credit, and payment history. Equifax knows the financial situation of your relatives better than you. The SSN is just a cherry on top.
You do not sign up, pay or opt-in to this service. Equifax will make that decision on your behalf, and the only way to cancel is to prove that you are in fact, dead.
Unless the CISO is a world-renowned security expert with decades of management experience, and a relevant public track record that goes on for miles — the idea of putting a BA in ‘Music Composition’ in charge at that level and in that kind of company is irresponsible and borderline criminal.
The blame does not ultimately fall on the individual, but the individual should be held accountable for their actions.
You should never take on the responsibility of that magnitude if you know that you may not be 100% qualified. Equifax is not a place where you can figure things out later.
Most people in Ms. Mauldin’s position would choose to go back to school and get a degree that would complement the role. It does not matter if you know everything there is to know. At the end of the day, you are a Chief Information Security Officer at Equifax (out of all the places) with an irrelevant BA.
This is somebody who has time and money to pursue something they were always passionate about. Getting an academic perspective on concepts that you learned by yourself and made millions, as a result, is priceless.
To me, that shows that Ms. Mauldin is either extremely confident in her abilities and can defend her decisions in an event something goes wrong, or she is viewed Equifax as a guaranteed gig with a golden parachute.
From some of the accounts I read, Ms. Mauldin seems like a great manager. I will give credit where it is due. She could be a fantastic manager, but you cannot make tough technical decisions that could harm the millions of people living in U.S and Canada by going with the loudest internal bidder.
The retirement sealed the deal for me.
Ms. Mauldin could have stood up and defended herself with facts, supported by evidence. If you did everything right, you do not give up decades of hard work and personal innovation overnight. She signed up for the job and phoned it in when something went wrong.
Should we defend and speak for a millionaire who had the public floor and decided to collect and retire instead? The answer, at least for me, is a definite no.
There is a fine line between supporting one our own and defending somebody who could be guilty of malpractice. We are professionals and should act accordingly.
We should be the first in line to demand answers and call for an investigation.
It was up to Ms. Mauldin to demonstrate that she was fully qualified and never oversold or misrepresented her skills or area of knowledge.
The public should know that no matter what the outcome is, we will do whatever we can to make sure people that bullshit their way into a high-risk technical position are held accountable for their actions.
Ms. Mauldin, without a doubt, damaged the public view of self-taught engineers. The rest of us will deal with consequences; not her.
Just a thought… not many of us are going to retire anytime soon.