The news from Equifax on Friday (9/15) states “the Chief Information Officer and Chief Security Officer are retiring”. Somebody’s got to pay, and here are your first two scapegoats. Will it stop with these two, or is CEO Richard Smith’s job at risk too? We can only speculate.
I’m more interested in answering the question: What makes a good CSO/CISO or a good information security professional/expert?
Equifax Chief Security Officer – Susan Mauldin
As I pointed out in my last article (AN INFORMATION SECURITY EXPERT’S TAKE ON THE EQUIFAX BREACH), the Equifax CSO was Susan Mauldin. As you might expect, there’s been plenty of speculation about her qualifications and competence. Some of the recent buzz is related to Ms. Mauldin’s choice in a college degree.
Does your college degree make you a good CSO/CISO or a good information security professional/expert?
It appears some think that it does. The lack of a college degree or the wrong college degree appears to be a disqualifier. Susan Mauldin received her bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia. There’s no shortage of critics of Susan Mauldin’s college degree choice.
Information security talent expert (tongue in cheek) and Market Watch columnist Brett Arends points out in his recent opinion piece that hiring a CSO with the wrong education is negligent. He says Congress should start its grilling of Equifax CEO Richard Smith by asking why he would “put someone with degrees in music in charge of the company’s data security”. Her “LinkedIn professional profile lists no education related to technology or security.”
Others have jumped onto the same or similar bandwagon.
Ben Popken from NBC News wrote a piece titled “Equifax Execs Resign; Security Head, Mauldin, Was Music Major.”
The other side of the argument appears to discount the significance of a college degree or degree choice in comparison. Kim Z Dale makes some good points in her post “The unfair vilification of the Equifax CSO’s music degrees” on the ChicagoNow online community.
Of course, there are Twitter users on this side of the argument too:
Both sides have their points; however, the truth is:
A college degree can help you be a good CSO/CISO, but it does not make you a good CSO/CISO.
The thought that a college degree makes me (or you) a good CSO/CISO is myopic and unfounded. There are many (maybe thousands) of very competent information security experts who lack any college degree, let alone a college degree in computer science or information security. Susan Mauldin’s music degree does not make her incompetent, any more than an information security degree would establish her competence.
If we applied logic similar to that used by the critics, then we should disqualify people without a college degree from being competent CEOs: people like Richard Branson (Virgin Group), Paul Allen (Vulcan), Michael Dell (Dell), Bill Gates (Microsoft), Micky Arison (Carnival Corporation), Mark Zuckerberg (Facebook), Barry Diller (IAC/InterActiveGroup), Todd Jones (Publix), Robert Pittman (iHeartMedia, Inc.), Richard Schulze (Best Buy), John Tague (Hertz Global Holdings), and Ralph Lauren (Polo Ralph Lauren), to name a few.
What makes a good CSO/CISO?
Back to our question: What makes a good CSO/CISO or a good information security professional/expert?
I like simplification. My simple answer: there are three things that make a good CSO/CISO or good information security professional/expert.
I’ve seen many good CSO/CISOs and information security experts over the years. I’ve also seen many bad CSO/CISOs and information security “experts” over the years. This is the simple answer.
The first thing that makes a good CSO/CISO or good information security professional/expert is who they are: the intangibles.
The intangibles are the things that we can’t teach, and they’re foundational to everything else that makes a good information security professional/expert. These are things that make us good people; things like dependability, honesty, reliability, and motivation. Either you have the intangibles, or you don’t.
At FRSecure, we hire for the intangibles and believe that we can teach everything else. We’ve documented our intangibles as our core values right inside the entryway to our office; we want people to know what we’re about the second they walk in the door:
- We tell the truth
- We are collaborative
- We are supportive and driven to serve
- We do whatever it takes
- We are committed to constant improvement
- We have balance – we work hard and play hard
- We all buy into who we are, what we do, and where we’re going
The intangibles should never be overlooked. We post them on the wall by our front entrance to remind ourselves of this every day.
Did Susan Mauldin have the intangibles? Honestly, I don’t know the answer to this question.
The second thing that makes a good CSO/CISO or a good information security professional/expert is education.
The first definition of “education” from dictionary.com is:
“the act or process of imparting or acquiring general knowledge, developing the powers of reasoning and judgment, and generally of preparing oneself or others intellectually for mature life.”
The third definition from dictionary.com is:
“a degree, level, or kind of schooling”
There are hundreds of thousands of resources for education: books, schools (universities, colleges, high schools), websites, seminars, conferences, etc.
I recall my first information technology/security job in the early 1990s. I was overwhelmed by how little I knew about what I was doing. My boss at the time told me to just read; read everything about technology that I could get my hands on. A nice tidbit of sage advice; I’m still reading 25 years later.
We don’t discount college degrees, but we don’t require them either. There are many awesome information security experts in our industry without college degrees, or who hold a college degree in a different discipline. If I were to choose the best college degrees for information security professionals, I’d likely choose one of the following:
An information security degree can also be helpful, and I want to be careful not to offend anyone who has invested time and money into one. These degrees help lay the foundation for an information security career, or help take your career to the next level.
So, did Susan Mauldin have the education needed to be a good CSO? If we base our answer solely upon her college degree, then no. If we think that a college degree is the only testament to education, then we’re wrong. The critics argue that since she had a music degree, she must not have been well-educated. I have two points aimed at the critics:
- College is one method of education; however, it is far from being the only method.
- Just as I am still being educated after 20+ years, education is far from being a single accomplishment.
Qualifying Susan Mauldin’s level of education solely on her college degree choice is ignorant.
The third thing that makes a good CSO/CISO or a good information security professional/expert is their experience.
Experience is the practicality of knowledge. Experience comes from having done something before or by having observed something being done before. If education is the “book smarts”, experience is the “street smarts”.
Over the years, I have seen many extremely intelligent and educated people who lacked experience cause more damage than good. Don’t discount experience, it’s a critical component to what makes us great at what we do.
There’s good experience and then there’s bad experience. The difference between good and bad experience is a topic for another article. Bad experience creates bad habits that have to be unlearned, so use discernment in deciding whether a person’s experience is good or bad.
Was Susan Mauldin experienced? The short answer is yes. Even according to Mr. Arends (our information security talent expert from earlier), she has “at least 14 years’ private-sector experience”.
She worked in security at Equifax from 2013 (4 years); before that she was the CSO at First Data Corporation (a 23,000-employee, $11+ billion company), and before that she was with SunTrust Banks’ Group (24,000 employees, 1,400 branches, and $8.2+ billion in revenue). Her experience is sort of impressive.
Be careful about jumping on the critics’ bandwagon when it comes to the role of a college degree. In the information security industry, a college degree is good, but it is far from being the only indicator of a good professional. We’re all (or most of us are) ticked off by the Equifax breach, but think things through before throwing stones. Throwing stones at the wrong target is destructive.
A good CSO/CISO or information security professional/expert can be hard to find; at FRSecure we grow them.