Opinion: when they say your major is a problem, what they mean is your gender is a problem

In-brief: Talking about Susan Mauldin’s music degree is a socially acceptable way for men to vent about a woman who they don’t feel belongs in their workplace – especially not in a senior role.

Have you heard the latest scandal about Equifax? Not content to lose sensitive and personally identifying information on 143 million people, the company also had the temerity to hire Susan Mauldin, a music and composition major from the University of Georgia – and a woman – as its Chief Security Officer. No wonder the company is going to hell in a handbasket!

That – or something like it – is the fourth-day take on what will go down as one of the U.S.’s largest data breaches of 2017 and possibly a turning point in the long-stalled conversation about the need for strong data privacy protections in a country that has often seen fit to pooh-pooh such ideas. Clearly, what’s vexing our largest firms is the surplus of music, arts and humanities majors in top information security roles, right? After all, no less than History Major, Columnist and Chartered Financial Consultant Brett Arends of MarketWatch says so:

When Congress hauls in Equifax CEO Richard Smith to grill him, it can start by asking why he put someone with degrees in music in charge of the company’s data security.

Strong words, Brett. Especially coming from a guy with no professional degree in his chosen profession. Of course, it is not at all unusual for journalists to not have majored in journalism. In fact, it is so common that it’s not even worth having a conversation about.

Whether or not Mr. Arends knows it, the same is true of the information security space, where twisted career paths are the norm, rather than the exception. Some examples? Microsoft’s Chief Security Officer, Michael Howard? He holds a Bachelor of Science degree from San Jose State University in Criminal Justice. Ford Motor Company’s Chief Information Security Officer Derek Benz? He’s a History Major from Hillsdale College and he has an MBA in Global Finance from Columbia Business School. Home Depot’s CISO Jamil Farshchi has three degrees – none of them in computer science or engineering. One of the information security industry’s most celebrated hackers, Peiter Zatko (aka “Mudge”) of BBN and, more recently, of DARPA, is a graduate of the Berklee School of Music.

And those are the folks who have degrees. I can’t even figure out where Wal-Mart’s CISO, Kerry Kilker, got his education, but I know he’s been with the company for more than 30 years after starting as an Information Systems Applications Programmer in 1985. Somehow, I think he knows his way around Wal-Mart’s IT operations pretty well, don’t you?

“So many of us in security have worked our way in and clawed our way up and we stand on the experience that we have and build on the experience of others,” noted security expert Chris Roberts (@sidragon1) told me. “This realm we’ve created over the last 20+ years has only recently lent itself to certification and most of us have the scars and bruises from so many years of experience which arguably counts for as much if not more in some cases.”

Ms. Mauldin certainly fits that mold. She had long stints at Hewlett-Packard and First Data Corp before joining Equifax – a point Mr. Arends acknowledges in his article, before swatting those inconvenient truths away. Indeed, it is interesting to note that the outrage over Mauldin noticeably skips over her male superior, CIO David Webb, whose undergraduate major was Russian and about whom little has been said.

Susan Mauldin, who retired as Equifax’s Chief Security Officer, has come under fire for her undergraduate and graduate music degrees. But is that really the issue?

So why the vitriol about Equifax’s CSO’s qualifications? What’s the difference between those guys I named and Susan Mauldin?

Well, clearly it is the fact that her company was the victim of a data breach, right? Wrong. Grant Bourzikas was the CISO at Scottrade during the period when the company was hacked and records on 4.6 million customers were exposed. Grant has a Bachelor’s in Accounting from the University of Missouri, St. Louis and no computer science or engineering degrees. I don’t recall his credentials being a matter of debate or outrage. He’s since moved on and is now CISO at the security firm McAfee.

Maybe it’s the size of the breach, then? Nope. Bob Lord was the Chief Information Security Officer at Yahoo!, which coughed up sensitive information on 500 million people in a hack that predated his arrival at the company, but persisted during his tenure, as well. Bob has a degree in Political Science from the University of Chicago, but somehow his qualifications for the job were never a topic of conversation. Needless to say, Mrs. Mauldin isn’t getting the same soft-glove treatment.

Well then. Maybe it’s the severity of the breach – you know: Social Security numbers and credit ratings and such? Wrong again. Roy Mellinger has kept his job as CISO at Anthem despite that firm being the victim of a massive breach by a nation-state actor that surrendered detailed medical records on tens of millions of Americans. Still, I haven’t heard the trolls on Reddit banging the drum over Mr. Mellinger’s continued tenure at the firm. In fact, he was recently named Information Security Executive of the Year!

But things are different when you’re a music major. Or should I say, they’re different when you’re a woman music major in an industry that often seems to not want women around, unless it’s to be objects of desire, or maids and mommies on call for immature (but technically adept) male engineers. That is especially true of the information security industry, where only around 1 in 10 professionals are women.

That double standard is everywhere in the faux outrage about Mrs. Mauldin. Before Mr. Arends’s piece on MarketWatch, the story was mostly fodder for conservative blogs like Gateway Pundit, where reader comments frequently allege that Mauldin’s hire was an expression of gender-based preferences and political correctness. There was also (of course) a thread on Reddit, where comments slide quickly into overt and profound misogyny. In short: talking about Susan Mauldin’s music degree is a socially acceptable way for men (and they’re almost all men) to vent about a woman who they don’t feel belongs in their workplace – especially not in a senior role. That truth is simply unavoidable.

This isn’t about consequences. Regardless of what happens to male CISOs following high-profile breaches (many end up stepping down and finding other positions), you’ll be very hard put to find discussions of a male security executive’s per se right to have occupied the position he occupied, no matter his qualifications going into the job or what happens during his tenure. That kind of talk is reserved for women who have the misfortune of being in positions of authority when bad things happen.

So where is the right place to focus our outrage? How about at the organization that employed her and that created the conditions by which this incident occurred? Deidre Diamond of the security staffing firm CyberSN notes that Equifax has 17 unfilled job openings for information security, which suggests the organization’s security team was seriously understaffed.

“The first thing I thought of is what I see every day, which is understaffed in security,” Diamond said. That isn’t to absolve Mauldin of her responsibility. “To miss a (10 severity) vulnerability is negligence – for sure,” she said. But it is to cast what happened in a more sympathetic light and one that doesn’t center on the person of the CSO or her resume. “When you look at an organization like this and you see 17 roles on their website, I think to myself ‘that’s an organization that is completely understaffed and that’s why a top 10 vulnerability gets missed, not a degree.’”

It should be said that many, many information technology professionals and security professionals of both genders have stepped up on social media and elsewhere to defend diversity in the workplace. The voluminous comments on tech industry sites like Slashdot offer mostly support and plenty of anecdotes for the notion that diverse degrees and backgrounds can make for excellent security professionals (also: lots of music puns).

“Judging *anyone* as qualified or unqualified using only a single data point is naive,” Zatko Tweeted on Friday.

True. But those discussions miss the point – and the force behind the vitriol directed at Ms. Mauldin. It’s not about what she studied – or even what she did. It’s about what she is: a woman.