{"id":603,"date":"2017-09-19T14:55:52","date_gmt":"2017-09-19T14:55:52","guid":{"rendered":"https:\/\/securitycurve.com\/?p=603"},"modified":"2017-09-19T14:55:52","modified_gmt":"2017-09-19T14:55:52","slug":"equifax-mfa-worse-than-red-herring","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=603","title":{"rendered":"Equifax: MFA worse than red herring"},"content":{"rendered":"<p><a href=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/09\/a844d1a5935de6e7ba77db2e02617f17.jpg\"><img class=\"alignright size-full wp-image-604\" src=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/09\/a844d1a5935de6e7ba77db2e02617f17.jpg\" alt=\"\" width=\"510\" height=\"366\" \/><\/a>So I&#8217;m a little irritated that I have to even address this one, but it&#8217;s come up a few times now in personal interactions so I&#8217;m going to tackle it head-on. \u00a0Specifically, Equifax, their CISO, and the fact that she has an MFA in music.<\/p>\n<p>We all know that <a href=\"https:\/\/securitycurve.com\/equifax-oh-the-humanity\/\">Equifax got hacked<\/a>, right? \u00a0Pretty egregiously. Well, there has been quite a bit of subsequent attention about the fact that their CSO,\u00a0Susan Mauldin, has an MFA (in music composition.) \u00a0I&#8217;ve had a few folks bring it to my attention in personal interactions (i.e. 
LinkedIn screenshots and whatnot) and there&#8217;s even been a <a href=\"http:\/\/www.marketwatch.com\/story\/equifax-ceo-hired-a-music-major-as-the-companys-chief-security-officer-2017-09-15\">headline or two<\/a> in the <a href=\"http:\/\/www.zerohedge.com\/news\/2017-09-15\/another-equifax-coverup-did-company-scrub-its-chief-security-officer-was-music-major\">trade press about this<\/a>. \u00a0People are really making a fuss about this. \u00a0Their line of reasoning is something along the lines of &#8220;well, of course they got hacked, they had a music major as their CSO.&#8221; \u00a0Which would be laughable if it weren&#8217;t\u00a0so misguided.<\/p>\n<p>Here&#8217;s what I mean. \u00a0Say for the sake of argument (i.e. as a thought experiment) that she had a PhD in computer science instead of an MFA in music. Would that have made Equifax patch Apache Struts any faster? \u00a0Seriously&#8230; think about it. \u00a0Would it have made any difference at all in the outcome? \u00a0Nope. \u00a0Goose-egg, zilch, nada, the null set. \u00a0It is exactly the same outcome with an MFA as with a PhD in computer science. \u00a0How about multiple degrees in technical fields and certifications coming out the wazoo? \u00a0Is Struts patched faster then?<\/p>\n<p>You see where I&#8217;m going with this, right?<\/p>\n<p>I&#8217;ve been reflecting on why exactly the hubbub about her MFA pisses me off as much as it does. \u00a0It&#8217;s not just that it&#8217;s an\u00a0irrelevant data point. \u00a0There are irrelevant data points in this industry all the time. \u00a0But somehow I&#8217;m able to let those go. \u00a0This MFA thing, not so much. \u00a0I think the reason is that it represents, to my mind, a line of reasoning that is actively dangerous for the profession.<\/p>\n<p>There are a few reasons why I think this is true. \u00a0First, it stops conversation. 
\u00a0It short-cuts any potential learnings about what happened, discussion about how we can do better, or any growth that might occur as a result. \u00a0For example, why exactly couldn&#8217;t they (or didn&#8217;t they) patch Struts in a timely fashion? \u00a0Is there something we can learn from that? \u00a0Doesn&#8217;t matter, because MFA. \u00a0What can we learn about incident response as a result of how they handled it? \u00a0Nothing, MFA. \u00a0Would better threat intelligence have made a difference in catching it earlier? \u00a0MFA. \u00a0You see what I mean? \u00a0&#8220;Because MFA&#8221; prevents us from learning, getting better, or unpacking the relevant facts. \u00a0It&#8217;s simultaneously lazy and counterproductive.<\/p>\n<p>Second, I think this reflects poorly on those calling it out. \u00a0It causes me to question whether they have a clear understanding of what the position of CSO entails (like at a fundamental level). \u00a0For example, what do they think a CSO does that would necessitate an advanced technical degree? \u00a0Do they think CSOs spend their days writing compilers? \u00a0Working hands-on analyzing malware? \u00a0Reading IDS logs? \u00a0Any CSO that has time to do any of that (or is expected to) is either in the wrong job, has the wrong priorities, or is working for a fundamentally broken company based on expectations of where that company&#8217;s leadership team should spend their time. \u00a0Instead, being a CSO (or CISO) is about building connections, establishing consensus, and cultivating relationships; it&#8217;s about motivating people despite being in what&#8217;s essentially asymmetric guerrilla warfare where the defenders are at a significant disadvantage. \u00a0To see what I mean, compare two potential CSO candidates for a bank: one is a music major (yes, with an MFA) that joined that bank right out of school and has worked her way up the business side of the organization for 20 years. 
\u00a0The other is a PhD in information assurance right out of school. \u00a0On the basis of these two facts, who&#8217;s the better hire? \u00a0Spoiler alert: it&#8217;s not the second one.<\/p>\n<p>Third, I&#8217;m pretty sure this is bad for the industry as a whole. \u00a0Look, I&#8217;m all about finding out who sucks at security and not making them a CSO. \u00a0In fact, I&#8217;ve argued again and again that we need professional licensing that can be revoked if someone sucks. \u00a0For example, if someone violates ethical rules? \u00a0Revoke their license. \u00a0If they do something actively ridiculous that violates a reasonable standard of care? \u00a0Maybe they get suspended if it happens once, or revoked if it happens more than once. \u00a0I&#8217;m fine with that. \u00a0There are people out there that are terrible at their jobs &#8211; some of them work in security. \u00a0I&#8217;m game for getting them to go do something else. \u00a0But focusing on their degree is absolutely not the way to do it.<\/p>\n<p>What is the end state of this armchair quarterbacking of the CSO&#8217;s qualifications? \u00a0If it does anything at all, I think it encourages exactly one thing: restriction of leadership at other firms (who don&#8217;t want to be the next Equifax) and prioritizing security hires to only those that are\u00a0<em><strong>defensible<\/strong> if they get hacked.<\/em>\u00a0 This is, by the way, as an alternative to finding someone who understands their business and is good at the job. \u00a0Look, if someone is good at the job and knows the business, I don&#8217;t care if they have a degree in animal husbandry &#8211; or if they majored in pie eating thirty years ago. \u00a0But if instead, we limit the pool to select for people whose quals you can defend after you&#8217;ve been hacked? 
Seems to me like a completely wrong mindset.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So I&#8217;m a little irritated that I have to even address this one, but it&#8217;s come up a few times now in personal interactions so I&#8217;m going to tackle it head-on. \u00a0Specifically, Equifax, their CISO, and the fact that she has an MFA in music. We all know that Equifax got hacked, right? \u00a0Pretty egregiously. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[30,47,82],"class_list":["post-603","post","type-post","status-publish","format-standard","hentry","category-security","tag-cso","tag-equifax","tag-mfa"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/603","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=603"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/603\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=603"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}