The Equifax Chief Security Officer Received a BA and MFA in Music Composition

linkedin.com

14 points by thisisdallas 8 years ago · 33 comments

nxsynonym 8 years ago

While it's easy to jump on the Equifax Sucks Bandwagon (they do), I find it hard to believe that the degree earned has anything to do with this breach.

Are you absolutely certain that if their Chief Security Officer had a degree in CS that things would have been different?

Attacking someone on a personal level like this is tempting in a case this serious, but it's in poor taste and will yield exactly 0 results. The data can't be un-breached, and placing blame in hindsight is unhelpful and will only escalate to more personal attacks.

Let's not pour oil on the 'STEM degrees are the only good degrees' echo chamber fire.

  • dreamcompiler 8 years ago

    It doesn't mean she didn't know what she was doing, but it certainly looks bad. A company whose CSO doesn't have a technical degree is going to have a harder time proving they took security seriously.

    • floatingatoll 8 years ago

      Would it be less offensive to the HN community if her degree was in Math?

      And, then, given that Music is entirely dependent on mathematical principles, and Music Theory especially: What are the chances that, as an MFA in Music, she has a rock solid background in mathematics?

      Does that make her choice of degree less distasteful?

      Would we be having this conversation if she had no degree? (Of course not.)

      • phailhaus 8 years ago

        > What are the chances that, as an MFA in Music, she has a rock solid background in mathematics?

        Unlikely? There is no standard math requirement for music majors, and that's pretty well known.

        > Would we be having this conversation if she had no degree? (Of course not.)

        Yes, even more so! A chief security officer with no degree presiding over the security of a nation's credit data?! I mean, she's already under scrutiny because Equifax has been hit by three big stories in the past couple weeks demonstrating their absolute lack of concern for security: the breach, the "random pins", the admin/admin credentials.

        • floatingatoll 8 years ago

          Does it change your views if I restate this as (using just her public LinkedIn profile):

          "A chief security officer with 15 years of experience and peer accolades in the fields of banking-grade security and human data management"

          Typically, this is where most people don't even ask what a degree is. However, as you indicate "no degree" is unacceptable: Which domain-relevant degree programs, initiated 20+ years ago and completed 15 years ago, would satisfy your terms?

          • phailhaus 8 years ago

            Anything remotely technical. Remember, we wouldn't be having this conversation if Equifax wasn't making embarrassing amateur mistakes with everyone's personal data. Their CSO appears incompetent.

            • floatingatoll 8 years ago

              Which qualifications does a "remotely technical" degree meet to operate security at Equifax that a "non-technical" degree does not?

              You imply that Music is a non-technical degree, which is arguable, but it's certainly an Arts degree rather than a Science degree. If that's the distinction by which you draw the line, you're wrong to do so. If you reject job applicants to a technical role on that basis someday, that's more overlooked high-value opportunities for others to hire instead :)

      • aslkdjaslkdj 8 years ago

        Math is not arithmetic. What are the odds she can prove basic theorems in undergrad math like rank-nullity or intermediate value?

        • floatingatoll 8 years ago

          What are the odds someone who can prove whatever those things are can also talk about harmonic resonance equations and the practical matters of designing instrument-compatible chording arrangements, two topics entrenched heavily in mathematics (and physics, and materials science, and human usability concerns) but with a completely different specific focus?

          The odds are near zero. Everyone learns their own domain. Quoting random properties of a specific subdomain of a branch of all possible learning demonstrates your knowledge, not disproves theirs.

          • aslkdjaslkdj 8 years ago

            You mean she might have had to memorize a simple formula? Such "rock solid" mathematical chops.

    • nxsynonym 8 years ago

      True. I'm just trying to caution against this turning into a witch hunt against one specific person when the entire company from top to bottom was in the wrong.

floatingatoll 8 years ago

If I hadn't quit college to continue my tech career, I would have ended up with a degree in Sociology.

Would having a non-Tech degree make me less qualified than someone who has no degree? Of course not. It proves I can do the drudge work necessary to earn a degree, without which I must fall back on testimonials.

They have an MFA. That's a hell of a lot of hard work. Proves they are capable of doing hard work.

I don't see what the problem is here.

EDIT: Received a BA, magna cum laude, and MFA, summa cum laude. That's impressive regardless of the field. That's "succeed at all costs".

EDIT: Changed BS to degree in the first paragraph because I have no clue wtf makes something BA or BS. It's an arbitrary division that's used primarily as a weapon to disrespect women and is not a valid distinction of "intelligence" or "science-capable" or "technical-capable" in the modern era in any way whatsoever.

  • subie 8 years ago

    > I don't see what the problem is here.

    The massive breach of personal information.

    • floatingatoll 8 years ago

      I don't understand. Could you help me understand? I'm not able to see the connection you see between an MFA in Music and the Equifax breach, and I'll need you to describe it clearly in order to comprehend what you're trying to say here.

      • subie 8 years ago

        Equifax's Chief security officer may have had a lack of knowledge in the domain she was hired for (a very important role).

        They ignored security warnings from Apache and now we have the fallout from the breach. So did the CSO's lack of security knowledge aid in the breach? If so, that is on Equifax for hiring her into that role.

        • floatingatoll 8 years ago

          I'm unable to follow your logic here, as there's a missing component of the explanation.

          How does the CSO's multiple degrees in Music convey a lack of knowledge in the domain she was hired for?

          It doesn't, because there's no information to derive there. I believe you are attempting to construct an argument that says that an offtopic degree disqualifies her to be a skilled practitioner by default.

          This is wrong. The topic of someone's degree has no implicit bearing on their work experience before and after it.

          LinkedIn shows endorsements by tens of people at each of her jobs in the specific labels "Information Security", "Disaster Recovery", and "Business Continuity". By that basis, she is perfectly qualified to handle this breach.

          Unfortunately, that information - which takes up as much or more screen space on her LinkedIn page than her dual degrees - wasn't considered relevant by the OP, and is being studiously ignored for some unknown reason.

          • gaius 8 years ago

            > LinkedIn shows endorsements by tens of people at each of her jobs in the specific labels "Information Security", "Disaster Recovery", and "Business Continuity". By that basis, she is perfectly qualified to handle this breach

            LinkedIn endorsements are as meaningful as Facebook likes.

            • floatingatoll 8 years ago

              Of course her LinkedIn profile does not correctly reflect her experience and qualifications.

              Yet here we are, on Hacker News, with people calling her out for not having security experience based on her LinkedIn profile having an Art degree, rather than a Science degree.

              I agree wholeheartedly with you that LinkedIn is as meaningful as Facebook. We absolutely should not be here evaluating her qualifications based on her LinkedIn profile. Any conclusions therein derived would be obviously wrong, by your own point.

              • subie 8 years ago

                Nobody is outright saying she doesn't have the experience. Clearly some employees at Equifax were ignoring security vulnerabilities. The first person you look at is the CSO.

                The LinkedIn doesn't paint the whole picture but it could indicate something and that's what's being pointed out.

                This isn't an attack on a single person; it's an attempt to figure out how the biggest breach of user information in history went down.

          • subie 8 years ago

            > LinkedIn shows endorsements by tens of people at each of her jobs in the specific labels "Information Security", "Disaster Recovery", and "Business Continuity"

            You're right, she was qualified.

dang 8 years ago

This is unduly personal and therefore beneath the standard this community ought to keep. Not cool.

https://news.ycombinator.com/newsguidelines.html

  • tptacek 8 years ago

    It's also fucking stupid. Peiter "mudge" Zatko from the L0pht, Stripe's new CSO, has a music degree from Berklee.

    You can't criticize Equifax's CSO about her degree without revealing how little you know about the infosec field.

    • dang 8 years ago

      Thanks for that.

      The middlebrow dynamic has to do with assuming one knows more than one does and trying to constrain the spectrum of variation. Since unexpected variations are often the most interesting, that is a big bad deal.

taylodl 8 years ago

One of the best developers and architects I've ever known has a Ph.D. in Music Composition. Never took a formal CS course in his life - yet he was one of the best. I suggest not being too quick to judge people by their degrees.

wglb 8 years ago

So from a CSO perspective, it isn't useful information what degree the CSO had. Keep in mind the level of experience that she had in the position. Not zero.

More relevant to the situation is the overall technical competence of the organization. For a perspective, watch Alex Stamos' talk "Appsec is eating security" https://www.youtube.com/watch?v=2OTRU--HtLM&t=7s. The top 100 in the Fortune 500 are technical companies with technical culture. The others, not so much. He notes that the bottom 400 (he gives them a particular name) are likely to be doomed. The top 100 are serious technical companies or financial institutions.

Far more important to the security of an organization is the overall culture of the company and its technical competence compared to the degree that a CSO received decades ago.

One example. Is it not true that the bonus calculation of the Equifax higher-ups excludes losses due to breaches or legal or compliance hits?

Flip that around, and you will see a whole different level of internal culture.

Powerofmene 8 years ago

Would the breach appear worse if her degree was in CS or not? Seems the HN community is trying to correlate her degree to the breach and this is virtually impossible. Her MFA did not cause the breach nor is there an identifiable correlation.

  • phailhaus 8 years ago

    Optics. Equifax has pretty clearly demonstrated that it does not care at all about security. There was the breach, then the news that their "random PINs" were just timestamps, then there was the admin/admin credentials for an employee portal. It's a pretty bad look.

    • floatingatoll 8 years ago

      This is Hacker News, though. Is it news that the CSO has a degree in Music? No, not without further investigation, which didn't occur prior to the bait-titled link to her LinkedIn profile.

      That's my only point here. Her degree is irrelevant to the point of uselessness for determining whether she's qualified, and whether fault for this incident lies with her judgement calls, or with others.

      Maybe we'll find out that she's been writing internal memos for years about the security catastrophes and they've been willfully ignored by the CEO and the Board of Directors. Hell, she has an MFA in Music, so there's a non-zero chance she wrote them a song about how they'll all be burned at the stake someday if they don't listen to her. This is no less likely an outcome.

      We literally have no information to accompany the bare facts of her profile. Hacker News is not Hacker "link to a list of facts with a clickbait, personal-attack title and hope that someone else investigates if they're newsworthy" News. There is no news here without further investigation, and no one has done that in this thread. This should never have been posted as-is.

      EDIT: If you were doing a post-mortem of an incident and a manager came in and said "Well, obviously that incident occurred, we let the guy with a Music degree do production work", they'll probably end up being fired under a cloud of HR violations, because they likely have a habit of invoking personal attributes in an inappropriate context. Don't be That Guy. Personal attributes - and optics - are not relevant to a post-mortem. Work behaviors, intentions, statements, and judgements are.

      • thisisdallas (OP) 8 years ago

        > This is Hacker News, though. Is it news that the CSO has a degree in Music? No, not without further investigation, which didn't occur prior to the bait-titled link to her LinkedIn profile.

        First off, the title was literally a fact. There was no opinion or "click bait" added to the title.

        Second, yes this is absolutely news. The Chief Security Officer of a company who has very private details of tens of millions of US citizens received two degrees in a music field. Some might find it news because it's, in my opinion, quite interesting she was able to go from studying music to becoming the CSO of a major and very important company. Some people might find it to be news because it most certainly could cause questions of her ability when looking at this fact and other Equifax security related facts.

        I'm quite confused as to why you are so offended by this submission. It's not uncommon for C-level executives of major businesses to have received degrees in the area they are working. The fact that computer/network security is an extremely focused field and the CSO of an extremely important company has two degrees in music instead of CS or a related field is quite interesting.

dreamcompiler 8 years ago

...and now she's <cough>fired </cough>retired.

https://investor.equifax.com/news-and-events/news/2017/09-15...

otakucode 8 years ago

And what is the alternative? Hiring a Licensed Software Security professional? Oh wait, those don't exist. It's software, so literally anything you do can never be considered negligent. So it goes.

PascLeRasc 8 years ago

Music is incredibly intellectually challenging and stimulating. I'm getting a STEM degree because I couldn't handle a music degree. Music students I know work just as long if not longer days than I and my ECE peers do. This personal attack of the CSO isn't relevant.
