Equifax Hired a Music Major as Chief Security Officer

That's not my point. My point was that your emails may be getting ignored because you aren't providing the right information. I am a tech person, so I get it when someone sends me a vulnerability, but remember not all managers are, and certainly the execs who read senior leadership emails are not. Your boss, or the exec, might not understand the implications of what you are sending.

Also, how you interact with upper management is VERY different from how you interact with your peers. If you aren't writing in inverted pyramid to upper management, chances are you are losing them after 1-2 sentences or it's not even getting read.

If I send you a letter with a subject that says, "Potential Security Issue With XYZ" and then provide sources for information, you better make it your job to delegate it out to somebody to investigate further and assess impact.

Like I said, I'm a grunt. (Chief problem solving grunt, but a grunt.) And I don't know all our products in a company of 100,000+ people, or how they are developed and used. It's not my place to give that assessment. I can only make you aware of how it might affect us. (i.e. I know we have products that use JAVA and there is a new exploit for JAVA versions X Y Z that we may use.) The rest is up to you.
 
All this over what her LinkedIn profile says? Maybe she didn't give a shit what it said and ignored it after starting it. Good god. Mine doesn't even list me graduating high school.
 
I'm sorry that you're having problems with the manager at work, I don't deny that it can be a problem. The IT Crowd is a show literally about that. However to quote a later post



That career path is adequate for the job. You [spartacus] have absolutely no evidence that she had no credentials for the job beyond your reading of what she did at school 30 years ago. Now of course the preponderance of evidence suggests that she didn't do a good job, no-one is arguing that, but you cannot flip that logic to somehow put that down to some fucked up positive discrimination. She's shit at her job. She's not shit at her job because she's a woman or because she did music at school.

One point of note


Both of those points are sensible. Security can be learnt. Absolutely it can. I know because I learnt it. I was a security architect for a number of years, I did my CISSP, I did my CISA, I was working towards my CISM. My knowledge of macroeconomic theory was absolutely no help to me in that role (though my ability to crunch data helped). She's also right that recruiting with those specialties is NOW a good thing. However, even 15 years ago that was not possible. Didn't exist. Doesn't mean we're going to put 25 year olds in executive positions because they did a few courses at college, ones that probably reflect old practice anyway.

There's also an issue here in that LinkedIn profiles don't mean shit. I don't have my qualifications on there because I keep the absolute minimum amount of information possible. I'd delete my profile if it weren't considered weird to not have one, and it is moderately useful to be able to get in touch with people I used to work with.

We can have a laugh over the fact that she did music, and that she didn't make sure her team were doing their job properly, but putting it down to her being a woman makes you look like a douche. None of us have the faintest fucking idea.

Quite possibly the best post in this entire thread.
 
> If I send you a letter with a subject that says, "Potential Security Issue With XYZ" and then provide sources for information, you better fucking well make it your job to delegate it out to somebody to investigate further and assess impact.

I'm just telling you how to get your point across better and trying to explain why you might not be getting the desired response. I get you're a grunt, but when you say "upper level", like where I sit, we are not involved in tactical decisions like patching a vulnerability. We are in strategic mode. I sometimes reach down to tactical level, but I usually try not to because my lower level managers don't need me meddling in their teams.

You send me an email with that subject, you have a few sentences to convince me it's something *I* at the strategic level need to worry about. Not your tactical level, corporate strategy level. If you don't do that quickly I will run it down the chain and find out why the heck you came to me directly instead of raising it through your management and having it addressed with proper procedures. You might not like that attention.

Put another way, sending senior leadership that kind of email is akin to yelling bomb in an airport. There damn well better be a bomb AND a reason why you didn't just go over to security and tell them.
 

I'll acquiesce the point that it shouldn't go straight to the top. I made the mistake of saying upper level management in my first post. I agree such information should be worked up from the bottom.

But as a whole, IT organizations don't do nearly enough. There are no IT safety bulletins relating to general issues that I have ever seen other than "Secure your laptop and information. Don't load it with software we don't approve of. Don't click on suspicious emails. etc etc..."

Yet every heavy manufacturing plant puts out regular safety bulletins. There is training. There is safety equipment. There are standards for equipment. Dangerous situations are illustrated. There is a safety foreman you can report to about concerns. Near accidents are listed and reported. They also list remediation. The irony in this is that so much concern is taken to protect a few individuals, yet when it comes to the most valuable asset of companies (their data and secrets and the millions of people they might affect) they often think of it as 20:20 hindsight.
 

I will agree with that. It's not that way for me. I have a few mandatory things that I won't budge on, including:

  • All critical security vulnerabilities are addressed immediately (i.e. patched, mitigated, or proven not applicable)
  • All customer facing operational issues are addressed immediately (see above).

Everyone knows if I find out one of those wasn't done there will be problems. Not that we are perfect, certainly not, but we do a lot better than most shops.

I will also agree that if the level just above you isn't addressing those issues then they are not doing their jobs. And anyone who is not doing their job should be removed, in my opinion. I don't suffer dead weight.

I could go on for quite a while about what I think most IT shops should be doing for IT security... the answer would be a hell of a lot more than they are doing today. But most corps won't want to hear it because to them IT is an expense, not a revenue generator.
 


> But most corps won't want to hear it because to them IT is an expense, not a revenue generator.


Absolutely true.

I just picked up a new customer, and as the business owner was shaking my hand and smiling, he told me, "Just to be clear, I don't like you or your kind." I laughed and I told him I understand.

I joked back that, "If you get tired of paying me to do your IT work, we can always just sit back and watch it burn." He wasn't expecting that, but he also understood my point.

As you say, many corps see IT as a big hole in the ground to throw money into. And when that attitude sets in, that's when the big trouble starts.

 
The security officer at our work reminds me of this lady... I was in a high level meeting regarding security and sat behind her as she was googling terms as they came up... one was ARP cache poisoning IIRC. Don't give a shit that she is a woman or minority but makes me wonder if I'm selling myself short on my resume. LOL
 

Identify as a woman and sue if you don't get hired.

That's current year for you.
 
TLDR - I read an article that said one or more of their web accessible gateways used "admin/admin". I hope heads roll big time for this.
 
The admin/admin should have been a no-brainer that easily could have been caught had Equifax had a mediocre audit shop. How they missed that makes me wonder about how they view security as an entity. Also, looking at her LinkedIn profile, she just listed herself as a Professional at all of the previous companies, with no mention of what specific role she was in. Also, being an executive, I would at least have a few certifications behind my name. It's very common for people today working in security to have a CISSP, CISA, etc... There were no mentions of any security certifications on her profile either.
 

Yeah, clearly they don't give two shits about security if admin/admin was on there for any length of time.

I am not sure I agree with the exec requires certifications part though. Nobody has ever been willing to pay for certifications for me and I have made it there just fine...
 

I work in audit and I'm currently an IT Audit Manager. My colleagues in higher ranking positions all have at least 1 cert of some sort. I would think my staff below me would question me being in my current position if I had no certs behind my name while they have certs. Gotta lead by example. Especially in security, where the certs show an extra effort taken to get immersed in the field and to stay up to date on security matters. Also, companies usually reimburse for obtaining a cert since it is beneficial to have from an appearance standpoint and also being knowledgeable in the field, and she was an exec at a pretty big company with a lot behind the name. I would think Equifax wouldn't mind reimbursing an exec (that has been around for quite some time) to obtain a security cert.
 


Well, I am not in audit, but the only cert I have is an out of date developer one. I don't assume certs mean much these days; I have met far more people who are more knowledgeable without than with.
 
Regardless, whether one has certs is a separate issue from listing them on LinkedIn.
 
and more fun, looks like Equifax was also hacked back in March as well :)
https://www.bloomberg.com/news/arti...suffer-a-hack-earlier-than-the-date-disclosed

The article also has this cute little tidbit:
"The new timeline is also likely to focus scrutiny on an earlier sale by Gamble of 14,000 shares on May 23. According to a regulatory filing, which didn’t indicate that the sale was part of a scheduled trading plan, the value of that transaction was $1.91 million, more than twice the size of his Aug. 1 disposal of 6,500 shares for $946,374."
 
Good point, Zareek.

We've got one guy going on and on about how some woman manager made him clean closets out because she wanted to stack shoes in there completely oblivious to the fact that someone higher up almost certainly told her to get the damn closets cleaned out for some fucking dumb reason...and the answer as to why she didn't hire temps to do it is plainly obvious to anyone with more than 10 minutes experience in corporate America.

Then we got someone speculating how strange it is that we always hear about discrimination in the tech industry because obviously no one cares about it happening in any other industry...he's wondering about this on a tech oriented web forum...

I mean, just fucking LOL. The logic.


Yeah because clearly since this is a tech site the forum members here only read tech news and thus only use that information as a point of reference.
 
> The security officer at our work reminds me of this lady... I was in a high level meeting regarding security and sat behind her as she was googling terms as they came up... one was ARP cache poisoning IIRC. Don't give a shit that she is a woman or minority but makes me wonder if I'm selling myself short on my resume. LOL

Eh, I get your point, but high level is supposed to set policy and spend resources. I'm just as critical of her as most, just for different reasons (the policy clearly sucked). But if someone doesn't know a specific attack vector at that point (although in fairness to your statement it sounds like this person knew none of them, which means she probably doesn't understand the problem set), it's not that big a deal; that is what the technical people are for. What she should be doing is assessing risk. So ask tech people what ARP cache poisoning does, and maybe still tech people on how much it costs to mitigate, how much an attack would cost in best and worst case scenarios, what insurance policies are available, and decide if mitigating x threat is worth the expense (as far as an individual attack goes). What makes the Equifax one so egregious from a business standpoint is it was an attack on their core business that will cause massive financial damage to the company that a stricter patching policy would have prevented. The risk assessment on this one is easy and was clearly done wrong.
 
> better question who did she fuck for that job

Looking at that photo, probably not anyone recently. She filled a checkbox in a position which the management felt was non-critical (i.e. not directly involved in profit generation).
 
> and more fun, looks like Equifax was also hacked back in March as well :)
> https://www.bloomberg.com/news/arti...suffer-a-hack-earlier-than-the-date-disclosed
>
> The article also has this cute little tidbit:
> "The new timeline is also likely to focus scrutiny on an earlier sale by Gamble of 14,000 shares on May 23. According to a regulatory filing, which didn’t indicate that the sale was part of a scheduled trading plan, the value of that transaction was $1.91 million, more than twice the size of his Aug. 1 disposal of 6,500 shares for $946,374."

Apparently they also got their (Equifax HQ) district's Congressman (Barry Loudermilk) to sponsor a bill to limit liability before all this was released. I'm curious if Barry did any shorting on Equifax stock, since I think Congress/Senate are exempt from insider trading laws.

from H.R. 2359:

except that the total recovery (excluding reasonable attorney’s fees as determined by the court) of the class shall not exceed the lesser of (1) $500,000; or (2) 1 percent of the net worth of such person

This is serious corruption (from the non-disclosure and insider trading, to the backdoor politics)
 
"I'm not an actual internet security professional, but I did stay at a Holiday Inn Express last night!"
 
Many people in management positions don't really know a thing about the fields they manage. They know how to manage a project and people and the people who work for you have the technical expertise to do the job at hand.

Also when has it always been the most qualified individual gets the job? Betsy Devos, Ben Carson, Rick Perry, none of which are qualified for the positions they are in now. Same goes with private companies, someone knows someone else's cousin, etc.
 
> I'll acquiesce the point that it shouldn't go straight to the top. I made the mistake of saying upper level management in my first post. I agree such information should be worked up from the bottom.
>
> But as a whole, IT organizations don't do near enough. There are no IT safety bulletins relating to general issues that I have ever seen other than "Secure your laptop and information. Don't load it with software we don't approve of. Don't click on suspicious emails. etc etc..."
>
> Yet every heavy manufacturing plant puts out regular safety bulletins. There is training. There is safety equipment. There are standards for equipment. Dangerous situations are illustrated. There is a safety foreman you can report to about concerns. Near accidents are listed and reported. They also list remediation. The irony in this is so much concern is taken to protect a few individuals. Yet when it comes to the most valuable asset of companies (their data and secrets and the millions of people they might affect) they often think of it as 20:20 hindsight.


My IT world and your IT world are different.

In mine, we have many, many controls. It's not enough to STIG and patch; all the documentation must be maintained, and software must go before a CCB before it gets approval to install. This is by release version, so if v2.1 was the last version approved, 2.2 will have to go to CCB before approval as well. Outside agencies must inspect and confer accreditation or we can be shut down until we meet the standards/requirements. Scans must be done, procedures must be in place to react to the findings of the scans, etc.

And then the reality sets in. Bureaucracy with a capital B, managers with no experience in the IT areas they manage, companies hiring unskilled people. Did I say that I work for a company that works for the government? Yea.

A perfect plan is useless in the face of insurmountable red tape and mismanagement.
 