
Oh, please.

People in technical leadership roles should have formal training and should have spent some time in the trenches, full stop. We hold most other specialized leadership roles to this standard: Chief Financial Officers, Chief Legal Officers, Chief Medical Officers, etc. Why not CTOs and CISOs?

> nasty sexism... male CISO at other company...

The article is about Equifax. I am commenting about Equifax. This is not about gender.

I'm well aware that this problem is pervasive in American business culture. The article is about Equifax. So I am commenting about Equifax.

> Turns out Susan Maudin at Equifax had decades of relevant experience:

Those are all also management roles. She went from non-cybersecurity into cybersecurity management and then worked her way up the management chain.

She had no formal training in IT/CS, no experience as an IC in IT/CS, and her organization royally screwed up.

Expecting relevant formal education and relevant IC experience is not sexist.



>People in technical leadership roles should have formal training and should have spent some time in the trenches, full stop. We hold most other specialized leadership roles to this standard: Chief Financial Officers, Chief Legal Officers, Chief Medical Officers, etc. Why not CTOs and CISOs?

The vast majority of qualified candidates will not have relevant formal training. Until very recently it's been borderline impossible to get an infosec degree, and what few opportunities existed were of atrocious quality.

>Oh, please. I'm well aware that this problem is pervasive in American business culture. The article is about Equifax. I am commenting about Equifax.

1) It's not a problem

2) It's not American

This is just how emerging fields are, you can't have formal education when nobody knows what to teach.


Seriously? It's not the 1990s.

You will never convince me that Equifax could not have hired a CISO with decades of relevant IC and leadership experience and appropriate educational background. Perhaps Maudin at the time she was hired; I'm not sure of the length of her tenure. But there was certainly no excuse for choosing an MBA without IC cybersecurity experience for her replacement. (Who, btw, is a man and also wildly unqualified except for a string of other executive positions that he also should not have been in... happy now?)

>> The article is about Equifax. I am commenting about Equifax.

> 1) It's not a problem

You have got to be kidding me.

1. Equifax majorly shit the bed on cybersecurity, and the buck stops at the CISO.

2. Why is this not the case for CFOs, CMOs, CLOs, and literally every other technical chief officer position except CTOs and CISOs? Again, it's not the 90s.


>You will never convince me that Equifax could not have hired a CISO without decades of relevant IC and leadership experience and appropriate educational background.

If it's so easy, surely you can name a couple of people with decades of relevant IC and leadership experience and appropriate educational background who they could have hired back when they went with Maudin?

>1. Equifax majorly shit the bed on cybersecurity, and the buck stops at the CISO.

The buck never stops at the CISO, just like it supposedly didn't at Twitter.


> surely you can name a couple of people

Yes, I can name dozens of people who would have made excellent CISOs in 2017 and meet my (low) bar of (1) relevant IC experience and (2) some relevant formal training.

> The buck never stops at the CISO, just like it supposedly didn't at Twitter.

If the buck doesn't stop there, it certainly passes through.

Let me flip this around: should you hire a Software Engineer with decades of management experience at a bank as the Chief Financial Officer? What about a lawyer who's worked at a hospital to be the Chief Medical Officer? Would you hire an MBA without any legal experience to be your Chief Legal Officer? No, no, and no. If a company did any of those things and shit hit the fan, people would be irate and the company would be rightly criticized.

So why is it okay to fill CTO and CISO roles with MBAs who have no technical training or experience?

It's not, and I don't think juries are going to put up with this over the next couple decades. The "new field" argument is increasingly implausible.


Okay, name one person.

I'm sure it's easy to find lots of qualified people with compsci degrees, but that's not a relevant degree.


> Okay, name one person.

My current employer's CISO or my former employer's equivalent of the CISO. Both were hired prior to 2017 and had relevant education and expertise. And no, I'm not going to risk doxing myself to someone accusing me of sexism for saying that CTO/CISO roles should be filled by people with relevant education.

> Compsci is not an infosec-related degree.

Are you kidding me? I am beginning to lose confidence in any ability to have a reasonable conversation with you.

Four years of CS cover a lot of material that is directly relevant to information security, even without any formal coursework in security. Most CS degrees require several years of programming, an Operating Systems course, and courses like Networking, Cybersecurity, and Cryptography are often offered as electives. Even the basic courses offer a lot of basic knowledge about the work being managed.

Is it everything you need? No, of course not! That's why the criteria -- from my first post -- are BOTH relevant education and also relevant IC experience.

What is inappropriate is a CISO who has never written or read a single line of code, never configured a piece of IT equipment, etc. It would be like a CLO who has never read a legal brief or a chief medical officer who has never treated a patient. They won't even have a basic high-level understanding of what's actually going on in the work they are managing. I've seen this, first hand, from a (male) executive who did not have a technical background.




My degree was in CS. I graduated a LONG time ago.

I took courses on Cryptography, Networking (with a unit on DoS/DDoS mitigation), Operating Systems (with a TON of systems programming that got me intimately familiar with buffer overflows and memory models), and a Software Engineering course that included some discussion of injection attacks.

As term or course projects I implemented or was part of a team that implemented: a virus scanner, an intrusion detection system (back before they were common -- we called it 'dynamic iptables' or something like that), portions of an operating system with a bunch of security- and permissions-relevant stuff, a password cracker, and a bunch of crypto algorithms.

Aside from all of this, a basic understanding of how to program and build software systems is already important background.

But no, CS is totally unrelated to infosec and I'm a sexist dick for saying that people in leadership should know about the work they are managing. /s


A CS degree is to information security what an English language degree is to law.
