Equifax Hired a Music Major as Chief Security Officer

Not sure it's that relevant, if it had been accountancy no one would have blinked.

When I went to university, not even 20 years ago, you had Computer Science and that was the only real choice around computers. I avoided that because I don't particularly like programming. There were just starting to be Business Information Systems degrees but they were mostly at lower end schools. IT security boiled down to very simple things, primarily around secure coding standards and physical security (ooo not much internet).

Most people from that era, and they are the ones starting to get C titles; it was in something else. I did economics, I'm still near the top of my field and no one questions it.

Plus who sits at 18 thinking "oh yeah information security, that's the life for me". That sphere is judged on experience and CISM/A's and things like SABSA. They don't give a shit about college.

The misogyny in some of these posts is ridiculous. Her being a woman had nothing to do with the fact that she's ultimately been found lacking in her job. As for education, music theory is hard, she must have loved it but it didn't work out or she found something she loved more. How many people is that true for?

She should have put in the framework, process and systems that made sure that a secure configuration was validated continuously so that when some retard misconfigures S3 due to an errant change then it's caught, incident raised and resolved. End.


>>The misogyny in some of these posts is ridiculous.


Sorry, but all stereotypes have a basis in truth.

In my case noted above, we had a lady IT boss pulling highly skilled, highly paid people off of mission critical projects to clean closets.

Who cares what's in dusty old closets? Who does that?

A woman, that's who does that. Closets are important to her as a woman and she couldn't see past that.
She didn't understand IT and she didn't even care about IT. She was thinking closet space for shoes and handbags (or whatever the fuck).

Why would she not hire cheap temps to do the janitorial work?

Because she didn't understand the basics of what IT people do and why they can't be wasting time on that crap.
She also really seemed to enjoy the "I am woman, hear me roar!" thing. She loved bossing the guys around.


I'll fess up and say that there are women in IT who know their stuff, I've worked for one or two of them. Even with that said, I still had to
man-splain many technical issues to them. The women were far better at project management, customer contact, etc.

Men and women have different strengths and weaknesses and it's ridiculous to pretend that isn't the truth.
Most women do not belong in IT work. And most men should not be interior decorators. That's just the truth of it.

It's the fear of misogyny or political correctness that keeps leading us down the path of destruction.

This woman at Equifax got that position BECAUSE she's a woman, even though she had no credentials to have that position.

After we beat this subject to death, then we can talk about how it's such a great thing that illiterate inner city minorities are
given preference and money to go to college when they couldn't pass standardized testing in the public schools.

Sure, let's just give everybody who is unqualified a free pass with lots of money and freebies "because it's the right thing to do". :rolleyes::mad:

 
This is what comes from feeling the need to blindly "increase the number of women in tech" regardless of how that goal is achieved. I have seen it at places where I have worked too: women with no IT background in charge of IT departments. That being said, I have also seen some supremely qualified female IT managers as well, but still the important lesson from incidents like this is that qualifications should be more important than diversification. By all means, if you have two equally qualified candidates and one is a woman or a minority, give them the job, but otherwise it should be the most qualified candidate that wins.

Of course it also strikes me as quite strange that there are many other job sectors that are male dominated but the outcry over a lack of diversity seems to only exist in the tech sector. I mean I think it's terrible that so many other fields are so male dominated. I say we need more women on oil rigs, more women in coal mines, more women in meat processing plants, more women in public sanitation, and road construction, and waste disposal. For too long the job of cleaning pig intestines out of an industrial meat grinder has been one that is closed to young women. Let's change that together; let's figure out why women are being excluded from these kinds of jobs. I say equality now, equality tomorrow, EQUALITY FOREVER!
 
Was she the wrong person for the job? Most likely. Did being a woman help her get the job? Probably. But in the end, I do feel that she's unfairly being singled out. Most upper level executives I've ever encountered in tech jobs couldn't code a Hello World App to save their life, and basic technology makes their eyes glaze over. If anyone can find proof that she ordered the lackadaisical security, I'll admit I'm wrong on this issue. Personally, I just feel we have an overall hubris when it comes to technological security, and that greed from the corporate execs probably played a huge part.

If you have any information online, it's going to get stolen sooner or later. That's just the way things work, and at the very best, you can only delay it. What happened with Equifax probably involves quite a few terrible decision makers.
 
This woman at Equifax got that position BECAUSE she's a woman, even though she had no credentials to have that position.

I'm sorry that you're having problems with the manager at work, I don't deny that it can be a problem. The IT Crowd is a show literally about that. However to quote a later post

In this case, he did this job there for 4 years, before Equifax she was Senior Vice President and Chief Security Officer at a company that created transaction software from 2009 to 2013, before that was the VP of a bank for two years. So she has been in a high ranking position at many companies that have dealt with very personal information for at least the last 10 years. 8 of those years was being in charge of security, which over the last 8 years also happens to be when things went from you need to make sure your AV software is up to date to you better be watching everything like a hawk because everything is going crazy.

That career path is adequate for the job. You [spartacus] have absolutely no evidence that she had no credentials for the job beyond your reading of what she did at school 30 years ago. Now of course the preponderance of evidence suggests that she didn't do a good job, no-one is arguing that, but you cannot flip that logic to somehow put that down to some fucked up positive discrimination. She's shit at her job. She's not shit at her job because she's a woman or because she did music at school.

One point of note
In an interview I found, Mauldin said that in recruiting, “[w]e’re looking for good analysts, whether it’s a data scientist, security analyst, network analyst, IT analyst, or even someone with an auditing degree. ... Security can be learned.”

But she also said she focuses college recruitment, understandably, on “universities that have programs in security, cyber security, or IT programs with security specialties.” She did not mention music composition.

Both of those points are sensible. Security can be learnt. Absolutely it can. I know because I learnt it. I was a security architect for a number of years, I did my CISSP, I did my CISA, I was working towards my CISM. My knowledge of macroeconomic theory was absolutely no help to me in that role (though my ability to crunch data helped). She's also right that recruiting with those specialties is NOW a good thing. However even 15 years ago that was not possible. Didn't exist. Doesn't mean we're going to put 25 year olds in executive positions because they did a few courses at college, ones that probably reflect old practice anyway.

There's also an issue here in that LinkedIn profiles don't mean shit. I don't have my qualifications on there because I keep the absolute minimum amount of information possible. I'd delete my profile if it wasn't considered weird to not have one and it being moderately useful to be able to get in touch with people I used to work with.

We can have a laugh over the fact that she did music. That she didn't make sure her team were doing their job properly but putting it down to her being a woman makes you look like a douche. None of us have the faintest fucking idea.
 
Some part of me isn't buying this
Or rather, that's what her LinkedIn profile would have disclosed if in the hours after the scandal broke

The break-in didn't happen in September, it happened way the fuck back in July. I mean I'm sure yeah ok her inept nature might forget that she had a LinkedIn profile page up, but I'm going to go into the camp of "made up story" or "'hacked' to make her look that way"

or it's a simple case of they didn't give a fuck what her college degree said, they gave a fuck what her experience background is which showed she did have previous experience at that position.
 
>>That she didn't make sure her team were doing their job properly but putting it down to her being a woman makes you look like a douche.


lol.... name calling is your go to position in this discussion? That's mature.

Go back and read what I wrote, I didn't place any blame on her or her failure based on her gender.

What I wrote was: "This woman at Equifax got that position BECAUSE she's a woman, even though she had no credentials to have that position."

I place the blame on Equifax for hiring a person with no credentials for this position. And if she didn't have the necessary credentials for the hire,
then why in the world did they hire her? Gosh, it couldn't be for the same reason that many of us in the corporate world have seen many times could it?

Maybe in college she was a manager at Walmart and had the key for the registers. That makes her qualified for the Equifax job in your book right?

I've worked at banks too and her being a VP at a bank means nothing, everybody is VP of something at a bank. And I'm not buying that her being
in a management role at some software company made her qualified for this job either.

Why was she hired for that job?

ETA: Go back and read the quote in Megalith's post:

"Equifax “Chief Security Officer” Susan Mauldin has a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia. Her LinkedIn professional profile lists no education related to technology or security."

So again.... for a position that requires a deep level of IT security knowledge, why was she hired?


 
I'm not gonna blame this lady because I know how this shit goes. We have no idea what happened behind the scenes. It usually goes something like this:

Me: Major security bulletin about a software flaw that affects most of our servers came out today.
Boss: What's new?
Me: Well, we need to take this one seriously it's a bad flaw.
Boss: Then the patch will probably break several of our major sites.
Me: I will install it on the development server and test each site individually starting tomorrow morning.
Boss: No, I need you to do XYZ for a new site that will bring in new money.
Me: Okay, the next day then...
Boss: No that won't work either... Followed by: excuse, excuse, costs, development resources limited and every other excuse in the book.
Me: Okay, so we are going to ignore it?
Boss: No, just not going to deal with for now.
Me: I'm not responsible for this then.
Boss: Whatever, get back to work...

6 months later security audit comes up...

Boss: Why didn't you install that patch?
Me: You told me not to!

We luckily never had to pay the price for his decisions related to security. I bet it's a matter of time but it hasn't been my problem for almost a year now. My new employer isn't much better...
 
Good point, Zareek.

We've got one guy going on and on about how some woman manager made him clean closets out because she wanted to stack shoes in there completely oblivious to the fact that someone higher up almost certainly told her to get the damn closets cleaned out for some fucking dumb reason...and the answer as to why she didn't hire temps to do it is plainly obvious to anyone with more than 10 minutes experience in corporate America.

Then we got someone speculating how strange it is that we always hear about discrimination in the tech industry because obviously no one cares about it happening in any other industry...he's wondering about this on a tech oriented web forum...

I mean, just fucking LOL. The logic.
 


To Hell with Georgia!


(Sorry, Jacket here... carry on :) )
 
>>and the answer as to why she didn't hire temps to do it is plainly obvious to anyone with more than 10 minutes experience in corporate America.


You have no idea what you're talking about.

I was actually considered for this lady's job, but the lady CIO brought her in because her friend needed a job. She was an old bird who knew nothing of the IT
world and was always asking me for advice on her decisions.

I won't bore everybody with the details other than to say this was at a very large company years ago, a household brand name who sponsored a NASCAR team.
We hired temps for all kinds of things, so the lady should have hired temps rather than take the IT people I was in charge of for such menial work.

It's my understanding that she did take some heat for that move, I wasn't in that meeting.

I work for myself now and I still don't clean closets.

 
>>Must have been rough for you working under all those women, LMFAO.

PTSD

Pussy Traumatic Stress Disorder



 
What I can't understand is why she would have applied for an IT manager position in the first place. She has a bachelor’s degree and a master of fine arts degree in music composition. Which portion of either of those would make her think that she would even be considered?
 
I have to agree with you here. Graduated 2003 with a CS degree. Our degree wasn't as much programming as it was a little of everything. Learned how an OS works at the core, how hardware works at its core, how networking works at its core, how programming languages and compilers work. Then we learned how to learn how to program, went through multiple languages doing different things to be able to learn a new one as needed. Security was a 1 semester optional class where we learned about what a computer virus is, what it does... Back in that day IT wasn't something you got a degree in if you wanted to be practical about it. That is what trade schools were for. You got your A+, Network+, CCNA, MCSE and all the other certs and did on the job training. Given her age, there would not have been full security degrees back then. If anything you look at what a person did after college to see if their path would have helped prep them for the job. In this case, he did this job there for 4 years, before Equifax she was Senior Vice President and Chief Security Officer at a company that created transaction software from 2009 to 2013, before that was the VP of a bank for two years. So she has been in a high ranking position at many companies that have dealt with very personal information for at least the last 10 years. 8 of those years was being in charge of security, which over the last 8 years also happens to be when things went from you need to make sure your AV software is up to date to you better be watching everything like a hawk because everything is going crazy. So her degree 20-40 years ago doesn't matter, what she has done in her professional time shows if she was given a job that she has no business having. Also like you said, gender has nothing to do with it, either she did her job or she did not.
Playing devil's advocate here, what if her gender is how she got up the food chain and what put her at the C level to begin with? We will never know, her work history doesn't reflect on this one way or another, but I think that is the assumption many have made in bringing up her gender. True or not (we will never know either way), it's a natural side effect of attempting to prop up sub group a.

My Position on her:
I thought about my personal experiences. While I have seen TONS of terrible female leadership, I have seen TONS of terrible male leadership and as a rule every single C level person I've ever met companies survive in spite of not because of. In fact I have noticed all of the executive leadership I think did a good job started at the C level no later than the mid 80s, I can't figure out when she gained C level. What I'm getting at is I think her terribleness is a reflection of C level talent as a whole vs her background. It's ironic because assessing risk is THE critical task of a C level executive.
 
What I can't understand is why she would have applied for an IT manager position in the first place. She has a bachelor’s degree and a master of fine arts degree in music composition. Which portion of either of those would make her think that she would even be considered?
best programmer i know has a BA in fine arts, bachelors don't mean shit, they are just an initial filter that you pay time and money to get through.
 
Except she has a bachelors and a masters in music composition. No mention anywhere of IT classes or training. To put it another way, would you want to be operated on by a guy with a degree in Electrical Engineering who somehow got hired on as a surgeon?
 
I actually thought about that, and my first reaction was the same, but what I don't know is if she got it in conjunction with her BA, so BA, then Masters right after.

As far as the surgeon argument, I don't care if the guy never went to school if there is practical experience there. In other words I absolutely think you could be taught how to be a surgeon by another surgeon like a trade school. In fact, that is practically what is done. You don't graduate school and magically you're a surgeon day 1. There is 3-10 years of residency (OJT). The school still just acts as a filter to who can do that OJT.
 
Most upper level IT managers are more concerned about what marketing is yelling they want next. Or they are trying to stay under financial spending limits. They always think,
  • "Such a small flaw doesn't affect me. " OR
  • "I don't know how this flaw affects me."

    This is quickly followed by

  • "I don't have time or money to track every one of these down"
I sent out many, many security alerts about various flaws to our managers & friends whenever I encounter them. Most of them end up in the circular file (trashcan).

It's amazing because we have a safety manager that posts every week about potential physical dangers to look for. Yet I never see security alerts from our IT staff.
 
It's the mentality of the industry, and I personally find it stupid. The vast majority of companies I worked for, bugs were handled in order of how often users have seen them, rather than how much damage they could cause. There's never enough time nor money, so if it hasn't come up, well, adding a new feature to bring more money in from customers is of higher importance.
 
You know what you need to do? Give a risk assessment with them. A forwarded email to me is one I am likely to not read given I get hundreds of emails a day all vying for my attention. I focus on the ones that are intelligently written and have a clear request for action on my part. I know important things get dropped but I have to prioritize my response to be in line with what my employer needs. I can't answer 100% and if you are emailing me it's your job to understand I get the facts and the importance quickly. Don't waste my time.
 
As the CSO the buck should stop with her. I'm sure she will end up resigning, but what's going to be fun to see is how much of a parachute she is going to get when she does. Should we start the guesses at $10mil? Seems like that's how it works when you are an executive.
 
22.5
 
You know what you need to do? Give a risk assessment with them. A forwarded email to me is one I am likely to not read given I get hundreds of emails a day all vying for my attention. I focus on the ones that are intelligently written and have a clear request for action on my part. I know important things get dropped but I have to prioritize my response to be in line with what my employer needs. I cant answer 100% and if you are emailing me its your job to understand I get the facts and the importance quickly. Dont waste my time.

But that's not my job either. I'm a grunt. I solve problems. I'm not IT security. But if I notify you of a potential weakness it is your job as manager to assign someone to look into it. You are in charge of assigning resources. The buck still stops with you and the product stack you are responsible for.

Engineers for years warned the O-ring design on the shuttle's SRB was subject to failure. Guess who they found responsible after the Challenger blew up?
 
FB doesn't know who I am, so nothing about me, I don't have that choice with Equifax.
Bullshit.

What a lot of people fail to realize about FB is just how much data they have that people throw at them. I'd be willing to bet that the moment you try to sign up for a FB account, it's going to suggest people you know to add to your friends list. How? Simple, everyone you know that uses FB has likely already posted info about you. Unless you're amazing at dodging cameras, odds are you've been in a picture, mentioned in a post somewhere, etc. Then consider that FB may collect data of their own, but they likely also buy it from other places (this is the issue people have with so many companies doing random data collection) and then consider all of the companies they own, browser cookies (no matter how fastidious you are about blocking cookies, scripts, etc. you've pinged on their radar at some point).
 
The smartest programmer here is a physics major. He doesn't code as well but he reads a lot and knows a lot of concepts in programming. Similar things could apply here
 
It is beyond time for companies to begin treating client data like it was money. In other words, something they have a legal responsibility to protect. And as such, they could then be fined and/or jailed if it is stolen because they didn't exercise due diligence.
 
The smartest programmer here is a physics major. He doesn't code as well but he reads a lot and knows a lot of concepts in programming. Similar things could apply here

He may be smart. And I've encountered a number of gifted people who are adept at picking up learning whatever is handed to them. The fact he's a physics major suggests he is above average intelligence.

But the credentials in the proper field are essential to CYB when the stakes are so high. NO EXCEPTIONS. That's like asking your physics major friend to do brain surgery on you.

What she likely was was a good paper pusher who could analyze numbers, prepare reports, establish policy, and delegate responsibility. (Like most upper level execs) But the fact she was assigned to an IT security role with no formal technical training was just asking for trouble. It was downright negligent.
 
But that's not my job either. I'm a grunt. I solve problems. I'm not IT security. But if I notify you of a potential weakness it is your job as manager to assign someone to look into it. You are in charge of assigning resources. The buck still stops with you and the product stack you are responsible for.

Engineers for years warned the O-ring design on the shuttle's SRB was subject to failure. Guess who they found responsible after the Challenger blew up?

That's not my point. My point was that your emails may be getting ignored because you aren't providing the right information. I am a tech person so I get it when someone sends me a vulnerability but remember not all managers are and certainly the execs who read senior leadership emails are not. Your boss, or the exec, might not understand the implications of what you are sending.

Also how you interact with upper management is VERY different from how you interact with your peers. If you aren't writing in inverted pyramid to upper management chances are you are losing them after 1-2 sentences or it's not even getting read.
 
Playing devils advocate here, what if her gender is how she got up the food chain and what put her at the C level to begin with? We will never know, her work history doesn't reflect on this one way or another, but I think that is the assumption many have made in bringing up her gender. True or not (we will never know either way), its natural side effect of attempting to prop up sub group a.

My Position on her:
I thought about my personal experiences. While i have has seen TONS of terrible female leadership, i have seen TONS of terrible male leadership and as a rule every single C level person I've ever met companies survive in spite of not because of. In fact i have noticed all of the executive leadership i think did a good job started at the C level no later than the mid 80s, i can't figure out when she gained C level. What i'm getting at is i think her terribleness is a reflection of C level talent as a whole vs her background. Its ironic because assessing risk is THE critical task of a C level executive.

That is possible. It is also possible to work in a field for 20 years and not know a damn thing. I know people that have had a job for 20+ years and didn't know what they were doing. So I can give you people who have a work history that should support a position like that but wouldn't. I also know people that have never worked IT outside of doing stuff on their own and doing things for others that could run circles around people. We had somebody doing dialup tech support back in the 90s early 20s that now does security work for the government due to what he was doing in his spare time. His time doing dial up tech support doesn't show a good history of why he should have gotten that job. The issue is that work history and school by itself don't always perfectly show how a person is qualified for something.
 
Annnd there we have it.

Yep.

I fully admit that my judgement on this subject has been colored by my negative personal experience.

The IT dept. became some kind of ladies coffee clutch with many of them being hired in for no other reason
than that she was a woman (with NO relevant skills) who needed a job and she was given favoritism over a
qualified male candidate who already knew the job.

And then this broad has the balls to ask me how to do her job?!!!

Yeah, you could say I've formed some opinions on this.

 