In the wake of the Equifax breach, a significant number of people lost their minds this week upon discovering that one of its newly deposed security executives has a degree in music composition. Despite 14 years of experience as a security professional in other companies, Susan Mauldin was mocked and dragged online for being a "diversity hire" who is "unqualified" for the job.
All those people are about to be proved so very, very wrong by an in-depth report from internet infrastructure organization Packet Clearing House, produced in collaboration with professor Coye Cheshire at the U.C. Berkeley School of Information. Its findings conclude that most infosec professionals don't hold a degree in a computer-science-related field. What's more, the report shows that degrees are the least-important feature of a competent practitioner and that degree programs are the least-useful places to learn security skills.
Portions of the report, titled "A Fragmented Whole: Cooperation and Learning in the Practice of Information Security," were shared with Engadget ahead of its November publication. It combines surveys, interviews and ethnographic research.
The project's lead researcher, Ashwin Mathew, told us via email, "There are many things for which we should fault Equifax, which other coverage has already pointed to, such as insufficient staffing and bad practices."
The CISO not having a CS degree is a distraction at best from the underlying problems -- and it is incredibly problematic that the CISO is a woman who is called upon to defend her qualifications in a field dominated by white men, many of whom do not have CS degrees or infosec certifications.
The question of Ms. Mauldin's fitness for the position became a lens for many -- mostly dudes -- through which to focus their anger at Equifax for probably ruining millions of people's lives with a single missed patch. And as far as we've been told, that's what it came down to: A flaw in Apache Struts that should've been fixed in March led to its major breach the same month, which we only found out about on September 7th.
That's not all, of course. Right when we were learning about the theft of sensitive information belonging to at least 200 million U.S. consumers, as well as information on some Canadians and up to 400,000 British residents, we found out that Equifax execs sold off stock before the breach was made public. Shares of Equifax have plummeted 35 percent since the disclosure of the breach. Those shady Equifax stock sales are now the focus of a criminal probe by the FBI in conjunction with U.S. prosecutors in Atlanta.
In addition to the FBI, attorneys general in various states have announced formal investigations. Collectively, U.S. senators "want copies of all Equifax penetration test and audit reports by outside cybersecurity firms," according to Bloomberg.
To top it all off, Equifax has behaved horribly in the wake of the breach. Its website to help consumers was broken, Equifax itself directed the public to the wrong website (a fake phishing site set up by a white-hat hacker), and the company quietly pulled its apps from both the Apple App Store and Google Play.
But when the male-dominated infosec discussion circles heard about Ms. Mauldin's degree in music, it was decided that she was a suitable target for their rage, with some well-deserved anger at Equifax as the catalyst. The hate was visible on Twitter, Reddit and Slashdot and was put into print by MarketWatch's Brett Arends (a history major himself). He wrote,
When Congress hauls in Equifax CEO Richard Smith to grill him, it can start by asking why he put someone with degrees in music in charge of the company's data security.
And then they might also ask him if anyone at the company has been involved in efforts to cover up Susan Mauldin's lack of educational qualifications since the data breach became public.
This thinking begins to look unqualified, and worse, in light of the Berkeley report. Lead researcher Mathew told us, "I spoke with CISOs and senior engineers at large Silicon Valley firms who both did and didn't have degrees."
He explained that among those who even had degrees, those with degrees outside of computer science outnumbered those with a degree in CS. "For many of the positions which they hired for (including their own), degrees are not a consideration," he said. "Degrees are, in general, important only as a marker of character."
What's more, Mathew confided, "As several interviewees told me, having a degree shows a certain level of persistence and fortitude when evaluating junior positions, with the degree indicating that a candidate was willing to sit through several years of coursework -- but the subject of the degree is irrelevant. Many of the online services which we take for granted are secured by people who do not have degrees or whose degrees are not in CS."
As for what the report will tell us about which fields all those people in infosec actually hold degrees in, Mr. Mathew told Engadget:
"Respondents indicated a diverse array of fields of study, from 'hard' sciences like biology, chemistry and physics, to agriculture, languages, journalism, sociology and so on."
I hope we find out what happened with the Equifax breach, but I'm not holding my breath. Maybe Ms. Mauldin and her forcibly retired colleague were part of a decision-making chain that deprioritized a single patch, or maybe they're just scapegoats. Or maybe they were the ones who hired penetration-testing teams to audit the company but couldn't get their superiors to take the audit's findings seriously -- a situation that happens so often it's insane.
After all, according to her now-private LinkedIn page, Mauldin was the senior director of information security audits and compliance for Hewlett Packard from 2002-2007.
Short of literally punching a baby, it's hard to imagine what else Equifax could have done wrong. The sky seems to be the limit here, and Ms. Mauldin was a part of it. So the only thing that's certain is that things aren't going to get better for anyone involved with Equifax, past or present. Especially all of us, who are involuntary Equifax victims.
Either way, we should all be looking forward to "A Fragmented Whole: Cooperation and Learning in the Practice of Information Security." It'll be announced, and findable, on the front page of The Center for Long-Term Cybersecurity in early November.