So I’m a little irritated that I have to even address this one, but it’s come up a few times now in personal interactions so I’m going to tackle it head-on. Specifically, Equifax, their CISO, and the fact that she has an MFA in music.
We all know that Equifax got hacked, right? Pretty egregiously. Well, there has been quite a bit of subsequent attention about the fact that their CSO, Susan Mauldin, has an MFA (in music composition.) I’ve had a few folks bring it to my attention in personal interactions (i.e. LinkedIn screen-shots and whatnot) and there’s even been a headline or two in the trade press about this. People are really making a fuss about this. Their line of reasoning is something along the lines of “well, of course they got hacked, they had a music major as their CSO.” Which would be laughable if it weren’t so misguided.
Here’s what I mean. Say for the sake of argument (i.e. as a thought experiment) that she had a PhD in computer science instead of an MFA in music. Would that have made Equifax patch Apache Struts any faster? Seriously… think about it. Would it have made any difference at all in the outcome? Nope. Goose-egg, zilch, nada, the null set. It is exactly the same outcome with MFA as PhD in computer science. How about multiple degrees in technical fields and certifications coming out the wazoo? Is Struts patched faster then?
You see where I’m going with this, right?
I’ve been reflecting on why exactly the hubbub about her MFA pisses me off as much as it does. It’s not just that it’s an irrelevant data point. There are irrelevant data points in this industry all the time. But somehow I’m able to let those go. This MFA thing not so much. I think the reason is that it represents, to my mind, a line of reasoning that is actively dangerous for the profession.
There are a few reasons why I think this is true. First, it stops conversation. It short-cuts any potential learnings about what happened, discussion about how we can do better, or any growth that might occur as a result. For example, why exactly couldn’t they (or didn’t they) patch Struts in a timely fashion? Is there something we can learn from that? Doesn’t matter, because MFA. What can we learn about incident response as result of how they handled it? Nothing, MFA. Would better threat intelligence have made a difference in catching it earlier? MFA. You see what I mean? “Because MFA” prevents us from learning , getting better, or unpacking the relevant facts. It’s simultaneously lazy and counterproductive.
Second, I think this reflects poorly on those calling it out. It causes me to question whether they have a clear understanding what the position of CSO entails (like at a fundamental level). For example, what do they think a CSO does that would necessitate an advanced technical degree? Do they think CSO’s spend their days writing compilers? Working hands-on analyzing malware? Reading IDS logs? Any CSO that has time to do any of that (or is expected to) is either in the wrong job, has the wrong priorities, or is working for fundamentally broken company based on expectations of where that company’s leadership team should spend their time. Instead, being a CSO (or CISO) is about building connections, establishing consensus, and cultivating relationships; it’s about motivating people despite being in what’s essentially asymmetric guerrilla warfare where the defenders are at significant disadvantage. To see what I mean, compare two potential CSO candidates for a bank: one is a music major (yes, with an MFA) that joined that bank right out of school and has worked her way up the business side of the organization for 20 years. The other is a PhD in information assurance right out of school. On the basis of these two facts, who’s the better hire? Spoiler alert: it’s not the second one.
Third, I’m pretty sure this is bad for the industry as a whole. Look, I’m all about finding out who sucks at security and not making them a CSO. In fact, I’ve argued again and again that we need professional licensing that can be revoked if someone sucks. For example, if someone violates ethical rules? Revoke their license. If they do something actively ridiculous that violates a reasonable standard of care? Maybe they get suspended if it happens once, or revoked if it happens more than once. I’m fine with that. There are people out there that are terrible at their jobs – some of them work in security. I’m game for getting them to go do something else. But focusing on their degree is absolutely not the way to do it.
What is the end state of this armchair quarterbacking the CSO’s qualifications? If it does anything at all, I think it encourages exactly one thing : restriction of leadership at other firms (who don’t want to be the next Equifax) and prioritizing security hires to only those that are defensible if they get hacked. This is, by the way, as an alternative to finding someone who understands their business and is good at the job. Look, if someone is good at the job and knows the business, I don’t care if they have a degree in animal husbandry – or if they majored in pie eating thirty years ago. But if instead, we limit the pool to select for people that you can defend quals for after you’ve been hacked? Seems to me like a completely wrong mindset.