Equifax’s CSO Was a Music Major in College - So What?

Let’s be careful with our critiques of Susan Mauldin’s educational background before we set a dangerous precedent.

On Friday I came across an article that was as sensational as it was troubling: MarketWatch was reporting that Equifax’s Chief Security Officer was a music major in college. Since then, the story has spread like wildfire.

Yes, on its face, it looks incredible when it’s discovered that the person presiding over the cyber defenses of a company that just suffered a massive breach was studying music back in college—and you know, not computers or information technology or some related field.

And while I’ll be the first to admit that music is not the ideal background for a role of this scope, I think it’s worth taking a moment to pause and reflect on why framing a discussion this way is unproductive and possibly even dangerous: while having an educational background in an IT-related field is certainly a great foundation, disqualifying anyone without the right degree is an extremely harmful precedent to set.

First, let me concede a few points

As with any thought piece, I think it’s important to begin with a few concessions. First of all, I don’t know Susan Mauldin. I don’t know her level of competence. But I can concede that on its face, given Equifax’s recent breach and some of the other unflattering news that’s come from the company since, you can certainly argue that things didn’t go well.

And if MarketWatch’s report is true, and Equifax immediately began scrubbing the internet of any record of her as soon as she took her breach-imposed retirement, then that raises some very troubling questions in and of itself.

But frankly, for the sake of this conversation, we’re talking less about Mauldin on a specific level and more about what Mauldin represents: a member of the cyber security community who doesn’t come from a traditional background.

Let’s talk about Education

It’s easy to look at what happened, look at Ms. Mauldin and connect the dots that someone unqualified caused all of this to happen. That’s a gross oversimplification. Equifax is massive, with a digital infrastructure that spans the entire world. The CSO isn’t the one updating Apache or making decisions on passwords for Argentinian databases. For something like that the company would create policies and then delegate those tasks.

It’s very easy to make the case that Ms. Mauldin’s department was poorly managed. All indications would seem to point to that. But calling into question her competence on the basis of her education is myopic.

For starters, it’s insulting to anyone who has made it in this field with a non-traditional background. And there are quite a few more of those people than you might realize. As Ms. Mauldin once said in a (curiously) now-deleted interview, “you can learn security.”

And that’s true.

Pretending otherwise, as if you can’t enter the industry without the correct degree, is both unproductive and downright damaging to the prospect of acquiring and growing new talent. Especially when this industry operates in the shadows of great thinkers like Bill Gates, Paul Allen and Steve Jobs—none of whom even graduated from college.

Beyond that trio, there are countless examples of CSOs without computer-related educational backgrounds. Bob Lord, of Yahoo, studied political science. Tisha Merly, CSO of the FBI, studied international affairs. Michael Cava of Amazon studied police science and administration. Plenty of talented people studied other things in college and perform admirably in their roles as CSOs and CISOs.

The Right Degree Helps, But Not Having it Isn’t Disqualifying

And that brings us to my next point: this is still a fairly young field, all things considered.

Colleges and universities have programs that cover computer science and IT and cyber security nowadays, but they’re relatively new and have only recently been built out. I graduated from Florida State University (a school that is comparable in every way to Mauldin’s University of Georgia) in 2008, and at that point – less than a decade ago – FSU’s computer science programs were still fledgling.

Now, it’s untoward to speculate on someone’s age, but based on photographs and her work experience, you can probably ballpark Ms. Mauldin as being somewhere in her late 40s or early 50s. That would put her in college sometime in the 1990s at the earliest. This was not a time when computer science was seen like it is today. There were not a ton of programs – especially highly refined ones – at her disposal.

Beyond that, even if there were programs readily available, how relevant would that information be today? Ms. Mauldin would have needed to continue her education as a professional, regardless of her college background, to be where she is today. And given that she had worked at other reputable companies like First Data, SunTrust Banks and Hewlett Packard before stepping into her role as Equifax CSO in 2013, it would seem like her professional resume was at least passable.

It’s not like Equifax plucked her out of a concert hall and told her to run its cyber security operations. And if it did—that’s on Equifax, not Mauldin.

I’m not trying to litigate Equifax’s staffing decisions; frankly, that’s its own unique discussion. I’m not even trying to defend Susan Mauldin, the person. The point I’m making is that we set a very dangerous precedent when we start disqualifying people based on their college major. It undercuts the value of professional experience and it eliminates a pool of talented candidates.

Granted, a strong educational background definitely supports a candidate’s case. Nobody’s arguing that studying computers and IT in college doesn’t make you a more well-equipped candidate for this kind of position. I’m just saying that not having studied computers in college shouldn’t be a disqualifying factor, either.

You can learn cyber security. Even if that’s not what you knew you wanted to do at 20 years old.