
They're making fun of the fact that during the data breach the CISO was someone with a music degree and no background in security.


Holy fuck, I never knew this detail.


I used to work for the government on systems with extremely sensitive data. I’m talking… penitentiary consequences for data leaks. 90% of the Information Security employees didn’t even have a background in tech OR security.

You’d be surprised how incompetent an auditor can be if the security framework simply requires them to blindly fill in responses on boilerplate spreadsheets based on the department’s word alone.

For example, risk assessments are performed for all new applications requested by employees. InfoSec: Does this COTS web application have X security control which protects data in transit via encryption acceptable for use in our operating environment?

Some bozo from marketing: Yeah, I’m pretty sure.

In truth, neither of them is sure. The requester didn’t check, and the auditor saw the word “encryption” on the vendor’s website along with a green padlock in the address bar and that was good enough.

The auditor doesn’t even know how to check the ciphers being used for this sketchy web application. The control also requires TLS 1.2+ due to the sensitive nature of the data. The auditor marks the security control as “Met” and approves the software request.

The auditor is completely incompetent, but is used as a pawn in an elaborate game of “security theater” to abstract away liability.

Also, even if the hypothetical security control in the example above wasn’t met, the head of marketing (System Owner) could request an exception be created to skip that security control.

Wait, qzx_pierri, you’re telling me that the security control can be skipped? How the hell is that a security CONTROL?

I don’t know, and that’s why I quit that depressing industry. To everyone reading this: Stay paranoid, and protect your data yourself if it’s on someone else’s server. "Security" (in America, at least) is often complete bullshit.

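The check the auditor in the comment above never performed, written out as an added example (this is editor-supplied code, not something any commenter posted): probe an endpoint at each TLS protocol version separately and judge the outcome against a control of the shape described, "TLS 1.2+ with acceptable ciphers". The specific policy encoded below (legacy versions must be refused; TLS 1.2 suites must use ephemeral key exchange and an AEAD mode) is an assumed, illustrative policy, not one quoted in the thread, and the function names are the author's own.

```python
"""Probe a TLS endpoint per protocol version and evaluate it against a
hypothetical 'TLS 1.2+ with modern ciphers' control.

Added example; the policy below is assumed for illustration only.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Order matters: anything below TLS 1.2 is a control failure if the server
# accepts it, even when the browser padlock looked green.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_RANK = VERSION_RANK["TLSv1.2"]

# Substrings that mark a TLS 1.2 suite as unacceptable under the assumed policy.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ANON")


@dataclass(frozen=True)
class ProbeResult:
    version: str   # negotiated protocol, e.g. "TLSv1.3" (as reported by ssl)
    cipher: str    # OpenSSL suite name, e.g. "TLS_AES_256_GCM_SHA384"
    key_bits: int  # symmetric key size the suite uses


def cipher_acceptable(name: str) -> bool:
    """Assumed policy: TLS 1.3 suites are fine (all AEAD, all forward-secret);
    TLS 1.2 suites need ECDHE/DHE key exchange plus GCM/CHACHA20/CCM."""
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return False
    forward_secret = upper.startswith(("ECDHE-", "DHE-"))
    aead = any(mode in upper for mode in ("GCM", "CHACHA20", "CCM"))
    return forward_secret and aead


def probe(host: str, port: int = 443,
          version: Optional[ssl.TLSVersion] = None,
          timeout: float = 5.0) -> Optional[ProbeResult]:
    """Handshake with the server pinned to one protocol version.
    Returns None when the handshake is refused (or the cert fails validation,
    which is a finding in its own right)."""
    ctx = ssl.create_default_context()
    try:
        if version is not None:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # OpenSSL 3 refuses pre-1.2 handshakes at its default security
            # level; lower it so we observe the *server's* policy, not ours.
            if version < ssl.TLSVersion.TLSv1_2:
                ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _proto, bits = tls.cipher()
                return ProbeResult(tls.version(), name, bits)
    except (ssl.SSLError, OSError, ValueError):
        return None


def sweep(host: str, port: int = 443) -> Dict[str, Optional[ProbeResult]]:
    """Try every version the local OpenSSL still knows how to offer."""
    versions = {
        "TLSv1": ssl.TLSVersion.TLSv1,
        "TLSv1.1": ssl.TLSVersion.TLSv1_1,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    }
    return {label: probe(host, port, v) for label, v in versions.items()}


def evaluate(results: Dict[str, Optional[ProbeResult]]) -> Tuple[bool, List[str]]:
    """Map sweep output to a control verdict plus human-readable findings."""
    findings: List[str] = []
    modern_ok = False
    for res in results.values():
        if res is None:
            continue  # refused: exactly what we want for legacy versions
        rank = VERSION_RANK.get(res.version, -1)
        if rank < MIN_RANK:
            findings.append(f"server accepted {res.version} (control requires TLS 1.2+)")
        elif not cipher_acceptable(res.cipher):
            findings.append(f"{res.version} negotiated unacceptable cipher {res.cipher}")
        else:
            modern_ok = True
    if not modern_ok:
        findings.append("no TLS 1.2+ handshake with an acceptable cipher succeeded")
    return (not findings, findings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    met, notes = evaluate(sweep(target))
    print("Control", "Met" if met else "NOT met")
    for note in notes:
        print(" -", note)
```

Run it as `python tls_control_check.py app.vendor.example` to get a verdict per negotiated version. Two caveats a practitioner would add to the worksheet: a local OpenSSL built without TLS 1.0/1.1 support reports those versions as refused even when the server would accept them, so confirm a clean sweep with a dedicated scanner such as testssl.sh or `nmap --script ssl-enum-ciphers`; and a single pinned handshake shows only the suite the server preferred, not every suite it would accept, which is why the sweep is per version rather than one connection.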

It's a nasty sexist lie.

The person had no relevant degree (as is the case for most people working in security roles, because such degrees didn't exist until very recently).

The person did have literal decades of relevant experience, working in security.


You're going around the threads trying to make this a gender issue. It's a valid criticism of anyone.

In this case they happen to be female.

That doesn't mean the criticism is motivated by gender.

Your gender also doesn't excuse you from criticism.


It's not a valid criticism of anyone. Essentially zero people with that kind of work experience have infosec degrees.

It's hard to get a formal degree on a subject which isn't taught anywhere!

For example: HN loves Mudge, who also happened to just leave a CISO post, and also only holds a music degree from Berklee.


Another data point: I was reading just yesterday on a HN post about fake qualifications about many male director-level people without proper education.

They were criticised too.

I guess we all see the world as we wish.


We're specifically talking about a field where even a decade ago "proper education" was only offered by a couple of schools in the world.

Compsci is not an infosec-related degree.


> Compsci is not an infosec-related degree.

The vast majority of the people who invented, built, and maintain all the systems infosec people are deploying had CS or CE degrees. A good CS degree provides an excellent foundation for infosec careers. In fact, at many institutions, the infosec major is very similar to the CS major.

It's not everything you need, which is why a CISO should minimally also spend some time as an individual contributor in an infosec or closely adjacent group.

You're moving the goalposts because your position that CISOs need no education whatsoever in the work they are leading is prima facie absurd.


25 years ago I asked Gene Spafford why the advanced degree program was being run out of the philosophy department instead of the computer science department, and he replied that it made no sense to be part of the CS department.

That's not to say that a CS graduate is or isn't the ideal candidate for the program (I think he felt that they were). But securing systems and organizations is primarily not a technical problem. You should understand that and understand the reasons why.


I'm going to go out on a limb and assert that there are no Information Security departments run by Music departments.


>In fact, at many institutions, the infosec major is very similar to the CS major.

Sure, but the best security programs don't even exist in the same department as CS.

At CMU Information Security is run by the College of Engineering, not by the CS department.

At NYU Cybersecurity is run by Tandon school of Engineering, not by the CS department.

At RIT Computing Security is run by ... the Department of Computing Security.

At JHU Cybersecurity is run by Whiting School of Engineering, not by the CS department.

This is because computer science and computer security are two entirely different disciplines.


Um... I can tell you've never spent time in academia ;-)


Independent of whether the criticism is valid, it isn't gender motivated.

I'll agree the criticism isn't valid.

I disagree about the invalid criticism being gender biased or motivated.

The subject just happens to be female. That doesn't exempt them from valid or invalid criticism.

This isn't difficult really.


> They're making fun of the fact that during the data breach the CISO was someone with a music degree and no background in security.

> It's a nasty sexist lie.

LMAO It is literally true.


But it's literally not true. The person had decades of experience working security roles.


It is literally true that she had no relevant formal training.

It is also true AFAIK that when she got her first role as an executive in charge of security, she had no formal training or IC experience in security. All of her "security" experience was in executive roles. Which is insane. That never happens with other types of technical leadership roles (legal, law, finance, accounting, engineering, etc.).


>It is literally true that she had no relevant formal training.

Yes, but that's also true of almost all BigCo CISOs.

>It is also true AFAIK that when she got her first role as an executive in charge of security

By "AFAIK" you mean that this is just what you assume without checking, right?


> Yes, but that's also true of almost all BigCo CISOs.

Yes, we've been over this. The article is about Equifax. I made a comment about Equifax. I've previously criticized other execs after data breaches or other major technical failures (Eg Boeing).

> By "AFAIK" you mean that this is just what you assume without checking, right?

No, it means I did check and she does not according to any publicly available evidence. I added the AFAIK because I cannot personally certify that her publicly available resumes are complete.

It would be extremely odd to exclude relevant work experience from public profiles, so I strongly believe that she does not have relevant experience outside of exec positions (which she shouldn't have had in the first place without IC experience and/or relevant education). But I do not personally know her so I cannot personally attest that her public resumes are complete. Therefore, I added a qualifier.

I can understand why this wording confuses you, though. It's a result of the fact that I have personal integrity and take words and accusations seriously.


I'd like to add a piece to this as well.

People who wield power over ICs but themselves have never been an IC are more willing to make decisions that harm others, but not themselves.

And this is the crux of the issue with the security industry. Too many of their decisions are made in a vacuum and everyone else has to deal with it.



