After Equifax: What Makes a Good CSO? Also: App Sec is a Mess. We Talk about Why.

What makes a good CSO? In the wake of the Equifax breach, we talk about the controversy over that company’s CSO’s music degree. Also: we talk with Signal Sciences about why companies keep getting hacked via application vulnerabilities like the Apache Struts hole that felled Equifax.

What makes a good CSO? In the wake of the Equifax breach, we are using this week’s Security Ledger podcast to talk about the controversy over that company’s CSO’s music degree. Deidre Diamond, the CEO and founder of the placement firm CyberSN, talks to us about what companies are looking for in Chief Security Officers. Also: Chris Roberts, the noted hacker known as @sidragon1 and Chief Security Architect at the firm Acalvio, talks about the long tradition of unconventional paths into the information security space.
Roberts recounts his own twisting path to the information security space as a young hacker coming of age in the 1980s. Diamond sees the specter of another endemic problem behind Equifax’s problems: a shortage of security professionals needed to stay on top of patches and other issues.

Equifax’s AppSec Problem

Susan Mauldin of Equifax who retired last week. Did her music degree disqualify her from the CSO role?
Susan Mauldin, who retired as Equifax’s Chief Security Officer, has come under fire for her undergraduate and graduate music degrees. But is that really the issue?

Also: we go deep on the “how” of the Equifax hack, speaking with two experts on web application security: Signal Sciences CEO Andrew Peterson and its VP of Marketing and Strategy Tyler Shields. They tell us that incidents like the Equifax hack are evidence that companies are underinvesting in application security. That’s true even when it’s clear that hackers are using application vulnerabilities as a path to sensitive corporate data.

“We’re dangerously behind in how we’re funding the web application security space,” Peterson told us. A big reason for that: continued spending on legacy security investments in network hardware.

Finally, Mike Pittenger of the open source software management firm Black Duck Software joins us to talk about the difficulty that software companies have tracking and monitoring the open source software within their environments. Mike says that more eyes than ever are poring over open source software. Security holes like the one hackers exploited in Apache Struts are being discovered every day, and most are found by “white hat” security researchers, not cyber criminals.

Check out our full conversation in our latest Security Ledger podcast below or over at Soundcloud. You can also listen to it on iTunes. As always, if you like our intro music, give some love to the group JoeLess Shoe, who recorded “Baxton,” the song we use in just about every podcast.
