Not Taking Security Seriously

Charles Lipson makes a good point with respect to Equifax’s data breach: why did neither the company’s Chief Security Officer nor its Chief Information Officer have any background in security, information, or computer science?

At first, I thought this LinkedIn profile for Susan Mauldin, Equifax’s chief security officer, was a joke.

It’s not.

The joke is on us.

Do you think the Chief Information Officer has a stronger background?

Nope. BA in Russian, an MBA, and then some work in a bank.

There are several obvious conclusions that may be taken from this. The first is that Equifax clearly didn’t take security seriously. Frankly, I’m skeptical that it will do so even with recent developments. I guess I should be philosophical about it. The company probably won’t exist in five years.

The other conclusion is that “technocracy” doesn’t mean what you think it means. In theory it means “rule by experts”. What does it mean in practice? My read is that both of these managers were Rolodex hires.

  • Janis Gore

    My experience tells me that Equifax has a lot more problems than just security. This property is condemned.

  • Andy

    The Chief Security Officer had a BA and MFA in music composition. You can’t make this stuff up.

  • I was just discussing this with my wife. When you turn to hire a Chief Security Officer, is your first inclination to say “Quick! Get me the best oboe player you can find!” Frankly, I doubt it.

    That suggests that either a) they didn’t give a damn or b) there was something else going on. As I said in the body of the post, while it may have been (a), I think it was probably (b). I’m guessing she had connections.

  • TastyBits

    Her degree is not a limitation of her knowledge. Those positions are management positions, and while she should be more knowledgeable than an accountant, it does not require a technical degree.

    I know nothing about her, and it is possible that she should not be allowed to run a lemonade stand or use anything more technical than a pocket calculator.

    No company will spend more money on security than the absolute minimum, and more often, they will not spend that much. The solution is to make the shareholders responsible. Personal liability has a way of focusing the mind.

    I would like to meet one person preaching ‘personal responsibility’ that is willing to abide by the requirement.
