The Equifax data breach is still spewing gory details on exact numbers of those affected as well as the countries they are from. Last count suggests details of more than 143 million US citizens and up to 400,000 UK customers are now in circulation without their knowledge.
However, one of the most surprising fallouts of what is becoming known as one of the worst breaches ever is not the number of heads that are rolling (or retiring), or the number of shares sold by executives before the breach details came to light. The sharpest focus currently is on the qualifications, or lack thereof, of the board.
Over the weekend, the hashtag #unqualifiedfortech started trending on Twitter, and it soon became obvious who it was referring to: Susan Mauldin, the now-retired CISO at Equifax. Keyboard detectives soon found out that she was the CISO at the now beleaguered company and cottoned on to the fact that, instead of a major or graduate degree in a STEM subject, her undergraduate as well as postgraduate degrees are in Music from the University of Georgia.
Not only have they been naming, shaming and mocking her for that, but it has also led Equifax to scrub all mention of her from the internet.
This has also shown how badly the breach has been managed, with many likening it to a dumpster fire, including Brian Krebs. However, we digress. Was her not having a cyber security degree really the reason for the breach?
The answer is no; it happened because of a catalogue of errors. As CISO, she did have ultimate responsibility for making sure a breach never happened, but a degree cannot be blamed for a lapse of professional judgement.
Among the errors was a known vulnerability being left unpatched for months, the classic username/password combination of admin/admin used on some of its sites for administrators to get access, and more.
Mauldin received her MFA almost 14 years ago. Those pointing at her credentials need to think: did any cyber security training that would have been relevant in 2017 exist back in 2003?
Anyone with a computer science degree from the early 1990s will be able to tell you how pertinent it is today… Not at all. Isn’t a career in the cyber security industry all about learning on the job while getting certifications as you go along?
Earlier this year, Barbra Kay, Senior Product Director at McAfee wrote a blog on TEISS addressing exactly these questions. She said: “Cybersecurity is a complex profession, blending technical, business, and socio-political subjects. While there are definitely opportunities within core IT engineering tracks, such as network operations, systems administration, and database management, cybersecurity requires rising above the purely technical. Detecting and investigating an incident requires consideration of the context, motivations, and relationships of the attacker (or insider) and different events. It requires creativity, imagination, and dogged determination.
“My own degree combines History with English, and yet I earned a Certified Information Systems Security Professional (CISSP) accreditation, which is recommended for anyone with ‘security’ in their job title, and means I can technically become a Chief Information Security Officer (CISO) one day.”
Across the board, ALL cyber security professionals I spoke to echoed Kay’s thoughts. Brian Vecci, Technical Evangelist at data protection company Varonis, said: “I studied computer science and music too. Firstly, I think it is ridiculous that what a CISO studied 45 years ago has any bearing on whether she was or wasn’t qualified. Music is a very technical field of study, and Information Security as a profession requires a lot of technical knowledge as well as creativity to really understand how pieces fit together on a system. It is not a job that you can do based on just certification: you need a lot of experience, and people from diverse backgrounds will succeed in that.
“This is a massive breach and people are looking for people to blame for the scale of it, because it will continue to affect all of us for a long time. The fact that we are examining what she studied is just insulting.
“I was a guitar player and a music major, and the CMO of Varonis, who hired me, was one too! We both have CISSPs and have technical backgrounds. It shows you have a diverse mind if you have studied music.
“However, in a vacuum the CISO of Equifax has a lot to answer for!”
There is a skills shortage in the industry, and there is always a massive campaign to attract more recruits to the field; attacking anyone who seems different is not just a low blow but also demeaning to those with liberal arts degrees who work in the industry. Indeed, a journalist who worked on TEISS retrained as a cyber security professional and has landed his first job as a security analyst.
Penalising people for the choices they made in their teens isn’t the grown-up thing to do, especially in the face of a situation like the one the Equifax breach has created. In fact, I am not even sure whether Mauldin is being hauled over the coals because she is a woman CISO who dared to get into an industry which is 93% men in suits. The diversity ratio in cyber security is shameful, and the attitude petty, if in 2017 a woman is being shamed for a degree (with distinction, according to her LinkedIn profile) in music.
Bharat Mistry, principal security strategist at Trend Micro, said: “Having a security or technology related degree doesn’t necessarily mean you are equipped to be a CSO. While it demonstrates an individual has a grasp of the technical threats and understands the theory of how to respond, in reality, putting the theory into practice can be a completely different ball game.
“As with many industries, experience is what counts. If you have experience of dealing effectively with cyber risk, communicating to the board and implementing appropriate mitigation strategies, your technical qualifications are irrelevant.”
Jo Stewart Rattray, Director of information security and IT assurance at BRM Holdich (Australia), told me earlier this year that there were just 7% women in the cyber security industry.
“It isn’t always about holding themselves back; it is also about not wanting to put themselves into the firing line. Holding yourself back can be a protective mechanism. Again, it is about encouragement. Women generally need to be encouraged, and because they are currently under-represented, that doesn’t help the situation either. It goes back to the same question of: Where are the role models? Who can I look towards? Who are the shining lights?”
With the amount of flak that is coming through to a woman CISO, for all the wrong reasons, it isn’t hard to imagine why cyber security has such a skills gap.
Nobody wants to be in the firing line every time there is a slip-up.