Equifax Hired a Music Major as Chief Security Officer

Megalith
When Congress hauls in Equifax CEO Richard Smith to grill him, it can start by asking why he put someone with degrees in music in charge of the company’s data security: those who managed to pull up Susan Mauldin’s LinkedIn page before it was altered and taken down were surprised to find that Equifax’s CSO had an amusing but rather irrelevant set of qualifications. Remember, it’s not what you know, but who you know…

Equifax “Chief Security Officer” Susan Mauldin has a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia. Her LinkedIn professional profile lists no education related to technology or security. This is the person who was in charge of keeping your personal and financial data safe — and whose apparent failings have put 143 million of us at risk from identity theft and fraud. It was revealed this week that the massive data breach came due to a software vulnerability that was known about, and should have been patched, months earlier.
 
Ah, this is perfect. I work in a software development position right now. My boss doesn't know anything about developing software - not sure what she majored in in college. However, at least she has worked in IT for several years.
When I explain stuff, I can see her eyes glaze over. I learned not to get too detailed. I'm actually ok with this as long as she takes my counsel. Sometimes the big boss doesn't need to know all the details - instead, sub-managers/directors are there to give vital feedback and recommendations.
That said, I did an estimate for a project and she argued with me since it was much higher than she thought. I had to explain it was not a simple project. I was like - I can make the estimates lower, but we end up pissing the client off when we go over (or we could eat the extra costs). Shrugs.
Back to Equifax - I wonder if any of her reports brought this up/raised awareness? I could see a higher-up not wanting to fix it to save costs. Software updates vs new features. The eternal dilemma.
 
Security is low priority to a lot of companies. It sometimes gets looked at as a good place to toss your useless buddies/relatives, or for diversity hires not really qualified for anything else.
 
As a security consultant, this is most of the IT manager world. You don't go into detail with any manager or IT executive. They may understand the concepts, but the details; that's for the technical staff.
 
Smaller businesses I get, because it saves costs and though their data needs to be secure, most times it isn't as detrimental if it is out there.
But, a company like Equifax, which has everything under the sun about you stored, why, why oh why, would they trust a "cloud" to store information?
 
Perhaps she is just an autodidact... it's not like most of the people on the other end of the security coin are often "well" educated. I would argue that when it comes to security, education can be a hindrance... or perhaps degrees in philosophy and sociology / psychology could well be of better use. Staying ahead of the criminal and for-fun hacker types is going to require more than what you learn in a classroom years prior.

Yes, this company fucked up hard... but is it the head of security's fault even? I mean, she is going to take the blame. Still, how much do you want to bet she had insane targets to hit with the budget? This hole should have got plugged and I really don't want to defend their ex head of security, but this is a very expensive hole to fix, as it's not a simple file upload but a major rebuild of damn near everything. It is possible she was waiting for the next fiscal quarter to get it done.

LMAO ok ok I know that is a weak argument and it's just as possible she had no freaking clue what she was doing and is the CEO's GF's niece or some such shit.

I just wanted to point out that in all of this it feels like she is going to be made the fall guy (girl I guess) for this. When IME the fault in these types of cases often goes further up to leaders that do really stupid things like attach massive bonuses for the security and other IT depts being under budget etc. It leads to companies hanging on to ancient Operating Systems / Software / Hardware, paying for extended support for years, keeping employee hours low... all to save a few % points so the middle management can make their stupid stock hand-out bonus targets. So ya it's possible she simply had no clue and their security really was that bad (which looks like it is very possible). It's also possible she knew shit was going to go sideways at some point because she does know her shit; but screw it... if she kept the books nice and black she would be making bank.

I make the point because I have seen it in other good-size companies (not Equifax big... still not small) where I talk to a person in charge of different IT depts and even though they know they should do X or Y.... they have rolled over for their bones. I had one company that purposely took almost a year to roll out a new system, not because they wanted to take their time testing and gradually changing things. They simply wanted to spread the costs out over 3 or 4 quarters (never mind that it was a far less secure way of doing it... chances are it would all go fine and they wouldn't have to report major expenditures). Big companies are often run by morons.
 
Doubt a 40 year old white woman with blonde hair and blue eyes is a diversity hire

"Woman"

In the tech world, if you're anything other than "Male", "White", "Indian", "Asian". You're hiring for diversity. WAIT. stop the angry typing! I don't mean that if you're anything other than those 4 things, you're not qualified... I know a few women network engineers that make me look like I'm a kid playing with play dough.

 
Fall guy? Who was ultimately put in charge of and responsible for the data security of Equifax? Especially for a company where information is its biggest asset? Yes, she should be blamed, and also the CEO and other executives for not informing the public earlier. I've been in the data security field for years, and yes, some things have to be cut for profit or access, but you do a security risk assessment. But all the failures we've been seeing that should have been taken care of with periodic security audits were not being addressed. Open unencrypted connections with Admin/Admin access is a failure to adhere to basic security process and plain laziness. This was no zero-day flaw, this was a problem where people did not follow basic IT security procedures and/or incident response.
 
Sometimes I scratch my head and wonder if these companies set up auto tickets to generate every 6 months to a year to remind them to do this little thing called an audit. In this case a security audit.... (I'm referring to the Equifax use of admin, admin as username and password of a system).. I just get this feeling that a lot of companies are failing to audit their systems at least once a year.
 
Just perhaps it is time to ditch the 1950s approach to credit determination/storage/reporting and use something modern and secure?

Nah, that's just silly. Things will go on as they have, lawyers will make a ton, victims will be screwed and politicians will get donations. All is well.
 
Doubt a 40 year old white woman with blonde hair and blue eyes is a diversity hire
Yeah, sure. I'm positive that woman in IT has nothing to do with diversity because she was white and blonde. She should have been an albino african with a major in voodoo studies. That would have hit the diversity trifecta.
 
I've been in the IT industry for many years and have seen this at many large organizations.

There are a lot of women that get hired into IT management positions and they have no qualifications or background to be in the position. Some kind of "We don't have a glass ceiling here." thing I think.

I remember one such case where the new IT boss lady wanted the boxes and things cleaned out of the IT storage closets. She put critical projects on hold to have the IT staff clean closets.

I was a contractor and was group leader of a desktop support team. I resigned shortly after that woman was placed in charge. It was a no-win situation for me at that point.

Another great idea along with handing over passwords of banking and finance systems to low-wage foreign immigrants here on work visas.

Sure, let them support our critical infrastructure, what's the worst that could happen?
 
Women are hired into management positions more and more nowadays because guys are seen as dicks and get more complaints. That coupled with the business degrees claiming that managing is all the skill they need to be a manager anywhere, don't need to know shit, just need to know people.
 
The best IT people and programmers I know don't have degrees. In fact, the smartest programmer I know is one of the most valued programmers at a huge company and he has an audio engineering degree. I don't know what her qualifications are, but not having a degree isn't a bad thing here. If she truly sucks at her job, that's a different story.
 
Have to wonder if her previous employer, First Data Corporation, is doing a full security review? She served essentially the same function there as she did at Equifax. First Data does credit card processing for merchants. Hope any merchants that use First Data are doing their own reviews. I think a bunch of due diligence safe harbors are rapidly drying up.

While someone can be an effective manager and not be a SME, I don't see much evidence here that she was. Equifax didn't appear to have an effective Incident Response procedure. If they did, those three executives would not have been able to claim "We didn't know" when they sold stock. And the response since the breach became public has been a comedy of errors.
 
Where can I sign up for the lawsuit? I want my $3.58 that's coming to me after the lawyers get their slice.

Changed all my passcodes today and froze my credit. What a PITA. This company should be dismantled and what value left split up among all the victims of their screw uppery.
 
Doubt a 40 year old white woman with blonde hair and blue eyes is a diversity hire

At the big Redmond company, if you are a woman, and over 40, you are practically untouchable. If you want to lay one off due to ineptitude, it takes VP-level approval, and they'll still get 6-12 months of severance.
 
You guys are overreacting. It was only 143 million people. Not even 1/10th of Facebook users. See, that's not so bad now, is it?

Not sure if you're being sarcastic, but there's what? 300 million United States citizens? This affects about half of Americans...
 
Not sure if you're being sarcastic, but there's what? 300 million United States citizens? This affects about half of Americans...

Considering the % of those 300 that are actually eligible to use a credit card (+18 years old, not old seniors, not in jail, etc) and then the % of those eligible who actually use credit based services, it comes out to about 100% of the American adult credit using population.

So, being sarcastic :whistle: :hungover:
 
She was probably a piano teacher before this shit.

This is how America runs. Always hire unqualified people, and never hire overqualified people. (The latter, I never understood.)
 
Not sure it's that relevant, if it had been accountancy no one would have blinked.

When I went to University, not even 20 years ago you had Computer Science and that was the only real choice around computers. I avoided that because I don't particularly like programming. There were just starting to be Business Information Systems degrees but they were mostly at lower end schools. IT security boiled down to very simple things, primarily around secure coding standards and physical security (ooo not much internet)

Most people from that era, and they are the ones starting to get C titles; it was in something else. I did economics, I'm still near the top of my field and no one questions it.

Plus who sits at 18 thinking "oh yeah, information security, that's the life for me"? That sphere is judged on experience and CISM/A's and things like SABSA. They don't give a shit about college.

The misogyny in some of these posts is ridiculous. Her being a woman had nothing to do with the fact that she's ultimately been found lacking in her job. As for education, music theory is hard, she must have loved it but it didn't work out or she found something she loved more. How many people is that true for?

She should have put in the framework, process and systems that made sure that a secure configuration was validated continuously so that when some retard misconfigures S3 due to an errant change then it's caught, an incident raised and resolved. End.
 
It's probably a position that's more public relations than actual IT work, like many top management positions. Though it really is damning to not have someone with even a superficial background into what you hired them to manage. Kind of ridiculous to play the woman issue, when I'm pretty sure there are far more men in positions they have no business being in.
 
I have to agree with you here. I graduated in 2003 with a CS degree. Our degree wasn't as much programming as it was a little of everything. We learned how an OS works at the core, how hardware works at its core, how networking works at its core, how programming languages and compilers work. Then we learned how to learn how to program, went through multiple languages doing different things to be able to learn a new one as needed. Security was a 1-semester optional class where we learned about what a computer virus is, what it does... Back in that day IT wasn't something you got a degree in if you wanted to be practical about it. That is what trade schools were for. You got your A+, Network+, CCNA, MCSE and all the other certs and did on-the-job training. Given her age, there would not have been full security degrees back then. If anything you look at what a person did after college to see if their path would have helped prep them for the job. In this case, she did this job there for 4 years; before Equifax she was Senior Vice President and Chief Security Officer at a company that created transaction software from 2009 to 2013, and before that was the VP of a bank for two years. So she has been in a high-ranking position at many companies that have dealt with very personal information for at least the last 10 years. 8 of those years were being in charge of security, which over the last 8 years also happens to be when things went from "you need to make sure your AV software is up to date" to "you better be watching everything like a hawk because everything is going crazy". So her degree 20-40 years ago doesn't matter; what she has done in her professional time shows if she was given a job that she has no business having. Also like you said, gender has nothing to do with it, either she did her job or she did not.
 
The misogyny in some of these posts is ridiculous. Her being a woman had nothing to do with the fact that she's ultimately been found lacking in her job. As for education, music theory is hard, she must have loved it but it didn't work out or she found something she loved more. How many people is that true for?
I won't argue that some of the comments in this thread have been very sexist. If it had been a man, I would have had the exact same reaction.
 