Chief Security Officer Foundation

The news from Equifax on Friday (9/15) states “the Chief Information Officer and Chief Security Officer are retiring”.  Somebody’s got to pay, and here are your first two scapegoats.  Will it stop with these two, or is CEO Richard Smith’s job at risk too?  We can only speculate.

I’m more interested in answering the question: what makes a good CSO/CISO or a good information security professional/expert?

Equifax Chief Security Officer – Susan Mauldin

As I pointed out in my last article (AN INFORMATION SECURITY EXPERT’S TAKE ON THE EQUIFAX BREACH), the Equifax CSO was Susan Mauldin.  As you might expect, there’s been plenty of speculation about her qualifications and competence.  Some of the recent buzz is related to Ms. Mauldin’s choice in a college degree.

Degree Choice

Does your college degree make you a good CSO/CISO or a good information security professional/expert?

It appears some think that it does.  The lack of a college degree or the wrong college degree appears to be a disqualifier.  Susan Mauldin received her bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia.  There’s no shortage of critics of Susan Mauldin’s college degree choice.

Information security talent expert (tongue in cheek) and Market Watch columnist Brett Arends points out in his recent opinion piece that hiring a CSO with the wrong education is negligent.  He argues that Congress should start its grilling of Equifax CEO Richard Smith by asking why he would “put someone with degrees in music in charge of the company’s data security”.  Her “LinkedIn professional profile lists no education related to technology or security.”

Others have jumped onto the same or similar bandwagon.

Ben Popken from NBC News wrote a piece titled “Equifax Execs Resign; Security Head, Mauldin, Was Music Major.”

On Twitter, there’s plenty of buzz about her college degree choice too.

The other side of the argument appears to discount the significance of a college degree or degree choice in comparison.  Kim Z Dale makes some good points in her post “The unfair vilification of the Equifax CSO’s music degrees” on the ChicagoNow online community.

Of course, there are Twitter users on this side of the argument too.

Both sides have their points; however, the truth is:

A college degree can help you be a good CSO/CISO, but it does not make you a good CSO/CISO.

The thought that a college degree makes me (or you) a good CSO/CISO is myopic and unfounded.  There are many (maybe thousands) of very competent information security experts who lack any college degree, let alone a college degree in computer science or information security.  Susan Mauldin’s music degree does not make her incompetent, any more than an information security degree would establish her competence.

If we applied logic similar to that used by the critics, then we should disqualify people without a college degree from being competent CEOs.  People like Richard Branson (Virgin Group), Paul Allen (Vulcan), Michael Dell (Dell), Bill Gates (Microsoft), Micky Arison (Carnival Corporation), Mark Zuckerberg (Facebook), Barry Diller (IAC/InterActiveGroup), Todd Jones (Publix), Robert Pittman (iHeartMedia, Inc.), Richard Schulze (Best Buy), John Tague (Hertz Global Holdings), and Ralph Lauren (Polo Ralph Lauren), to name a few.

What makes a good CSO/CISO?

Back to our question: what makes a good CSO/CISO or a good information security professional/expert?

I like simplification.  My simple answer: there are three things that make a good CSO/CISO or good information security professional/expert:

  1. Intangibles
  2. Education
  3. Experience

I’ve seen many good CSO/CISOs and information security experts over the years.  I’ve also seen many bad CSO/CISOs and information security “experts” over the years.  This is the simple answer.


The first thing that makes a good CSO/CISO or good information security professional/expert is who they are; the intangibles.

FRSecure core values

The intangibles are the things that we can’t teach, and they’re foundational to everything else that makes a good information security professional/expert.  These are things that make us good people; things like dependability, honesty, reliability, and motivation. Either you have the intangibles, or you don’t.

At FRSecure, we hire for the intangibles and believe that we can teach everything else.  We’ve documented our intangibles as our core values right inside the entryway to our office; we want people to know what we’re about the second they walk in the door:

  1. We tell the truth
  2. We are collaborative
  3. We are supportive and driven to serve
  4. We do whatever it takes
  5. We are committed to constant improvement
  6. We have balance – we work hard and play hard
  7. We all buy into who we are, what we do, and where we’re going

The intangibles should never be overlooked.  We post them on the wall by our front entrance to remind ourselves of this every day.

Did Susan Mauldin have the intangibles?  Honestly, I don’t know the answer to this question.


The second thing that makes a good CSO/CISO or a good information security professional/expert is education.

The first dictionary definition of “education” is:

“the act or process of imparting or acquiring general knowledge, developing the powers of reasoning and judgment, and generally of preparing oneself or others intellectually for mature life.”

The third definition is:

“a degree, level, or kind of schooling”

There are hundreds of thousands of resources for education: books, schools (universities, colleges, high schools), websites, seminars, conferences, etc.

I recall my first information technology/security job in the early 1990s.  I was overwhelmed by how little I knew about what I was doing.  My boss at the time told me to just read: read everything about technology that I could get my hands on.  A nice tidbit of sage advice; I’m still reading 25 years later.

We don’t discount college degrees, but we don’t require them either.  There are many awesome information security experts in our industry without college degrees, or that possess a college degree in a different discipline.  If I were to choose the best college degrees for information security professionals, I’d likely choose one of the following:

  • English
  • Mathematics
  • History
  • Business

An information security degree can also be helpful, and I want to be careful not to offend anyone who has invested time and money into one.  These degrees help lay the foundation for an information security career, or help take your career to the next level.

So, did Susan Mauldin have the education needed to be a good CSO?  If we base our answer solely upon her college degree, then no.  If we think that a college degree is the only testament to education, then we’re wrong. The critics argue that since she had a music degree, she must not have been well-educated.  I have two points aimed at the critics:

  1. College is one method of education; however, it is far from being the only method.
  2. Just as I am still being educated after 20+ years, education is far from being a single accomplishment.

Qualifying Susan Mauldin’s level of education solely on her college degree choice is ignorant.


The third thing that makes a good CSO/CISO or a good information security professional/expert is their experience.

Experience is the practicality of knowledge.  Experience comes from having done something before or by having observed something being done before.  If education is the “book smarts”, experience is the “street smarts”.

Over the years, I have seen many extremely intelligent and educated people who lacked experience cause more damage than good.  Don’t discount experience; it’s a critical component of what makes us great at what we do.

There’s good experience and then there’s bad experience.  The difference between good and bad experience is a topic for another article.  Bad experience creates bad habits that have to be unlearned, so use discernment in deciding whether a person’s experience is good or bad.

Was Susan Mauldin experienced?  The short answer is yes.  Even according to Mr. Arends (our information security talent expert from earlier), she has “at least 14 years’ private-sector experience”.

She worked in security at Equifax from 2013 (4 years), and before that was the CSO at First Data Corporation (a 23,000-employee, $11+ billion company), and previous to that was with SunTrust Banks’ Group (24,000 employees, 1,400 branches, and $8.2+ billion in revenue).  Her experience is sort of impressive.


Be careful about jumping on the critics’ bandwagon when it comes to the role of a college degree.  In the information security industry, a college degree is good, but it is far from being an exclusive indicator of good.  We’re all (or most of us are) ticked off by the Equifax breach, but think things through before throwing stones.  Throwing stones at the wrong target is destructive.

A good CSO/CISO or information security professional/expert can be hard to find; at FRSecure we grow them.

3 replies
  1. Billy says:

    Thank you for sharing what makes a good Chief Security Officer. Definitely good things to keep in mind when it comes to either hiring or reconsidering the current person in the position. Security is so important and being sure that the right people are doing the right job is invaluable.

  2. Phil Agcaoili says:

    These are all good.

    One “intangible” trait that I’ve experienced with good CISOs/CSOs has been being personable or likable. Some folks get upset when I state this, but if you’re not liked within your organization as a CISO then you won’t get very far.

    An “education” component that I didn’t see in this post is the requirement for all information security folks to constantly learn. I’ve told my people that the best security people are life-long learners. With this, under your education trait obtaining security certifications is a sign that a security practitioner is constantly and consistently being educated and staying up-to-date. There are arguments pro/con for security certifications, but, as a four-time CISO, I use this as a sign that the practitioner is trying to stay current and willing to be tested on their subject matter knowledge and competency.
