Equifax CEO Hired a Music Major as the Company's Chief Security Officer 430
Susan Mauldin, the person in charge of the Equifax's data security, has a bachelor's degree and a master of fine arts degree in music composition from the University of Georgia, according to her LinkedIn profile. Mauldin's LinkedIn profile lists no education related to technology or security. If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.
Earlier this month Equifax, which is one of the three major consumer credit reporting agencies, said that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver's license numbers. On Friday, the UK arm of the organisation said files containing information on "fewer than 400,000" UK consumers was accessed in the breach.
UPDATE (9/16/2017): CSO Susan Mauldin has abruptly 'retired' from Equifax.
Earlier this month Equifax, which is one of the three major consumer credit reporting agencies, said that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver's license numbers. On Friday, the UK arm of the organisation said files containing information on "fewer than 400,000" UK consumers was accessed in the breach.
UPDATE (9/16/2017): CSO Susan Mauldin has abruptly 'retired' from Equifax.
Yes and no... (Score:5, Insightful)
Re:Yes and no... (Score:5, Insightful)
Re: (Score:3, Interesting)
but what in her profile would suggest that she would be even remotely qualified to have an entry level IT position? she's barely qualified to to pour coffee.
equifax fucked up. the pitchforks are totally justified.
Re: (Score:2)
Well, if you do not want the security person stand in your way, use somebody unqualified or very junior. They will not cause problems, because they will not dare to speak up. I have seen that principle in action several times. The IT security problems at those companies were impressive.
Re: (Score:2, Insightful)
Yes nothing says she (or anyone with a liberal arts degree) can't be a good security officer. But it is suspicious that all of her background is now hidden. It might have been she was CSO for political reasons as one would find in big companies that the person who plays politics is promoted over people who have experience or skill.
Nah waht's suspicious is that it's now hidden badly.
If she was able to hide her education history from the prying eyes of the Internet that's be a practical demonstration of her relevant skills. Failing to do so, not as much.
Re: (Score:3)
The same is true for brain-surgery. Sure, there may be the one exceptional talent that can do it without a specific degree and years of training, but does that claim make sense? No, it does not.
Down here in actual reality, you need that degree and that decade or two of on-topic training and experience to be any good in that role.
Re: (Score:3)
Sorry, but the degree is almost irrelevant. It's the experience that counts. Of course, you shouldn't be able to get the degree without some experience in the process...
Re: (Score:2)
Re:Yes and no... (Score:5, Informative)
Yes nothing says she (or anyone with a liberal arts degree) can't be a good security officer. But it is suspicious that all of her background is now hidden. It might have been she was CSO for political reasons as one would find in big companies that the person who plays politics is promoted over people who have experience or skill.
Well, as it turns out, her "resume" prior to Equifax lists
* Senior Director of Information Security, Audit and Compliance at HP
* Senior Vice President and Chief Security Officer and First Data Corporation
* Group Vice President Sun Trust Bank
Sounds to me that she worked up the "vice-president" track (easy to do in a bank as everyone is a VP) and stumbled on to security from the audit/compliance side of the house. This is like a VP of engineering coming up from the marketing/product specification side of the house. All most of these folks know how to do is check the boxes... They might have learned some buzzwords along the way, but you would never trust them to actually *do* anything...
Re: (Score:3)
Yes nothing says she (or anyone with a liberal arts degree) can't be a good security officer. But it is suspicious that all of her background is now hidden. It might have been she was CSO for political reasons as one would find in big companies that the person who plays politics is promoted over people who have experience or skill.
And the extra really super suspicious thing is that she oversaw the biggest data breach we know of.
If you are going to be a CSO, you really need to be a little paranoid, and you need to run a hellava lot of penetration testing, install some honeypots, and know some stuff. I'd wager that most music majors will not have the mental outlook to do that.
But Equifax promises that their next CSO will be a Women's study major, which should fix everything
Re: (Score:3)
Agreed. A music major could be a great security officer. She clearly wasn't. They're trying to hide it.
The conclusion here should not be you need a technical degree to fill a technical role. It should either be
1. that the idiots at Equifax are also sleezebags.
Or 2. that the sleezebags at Equifax are also idiots.
Clearly both are logically true, but which states the case with the proper emphasis?
Re: Yes and no... (Score:2, Insightful)
That's the problem with Affirmative Action and Diversity hiring. You're affirming the suspicion that these people are not qualified by merit, and get jobs because of their sex or skin color.
You can't even dispute it, because you don't actually know for sure, and it's not even unlikely.
Re: (Score:2)
It seems you think that "Affirmative Action and Diversity hiring" means that any minority or female that applies for a job will get the job, regardless of their qualifications. In reality, it's usually used to help minorities/females get an interview and may be used as a tie breaker amongst similarly qualified candidates.
In this case, it is much more likely that if she's drastically under-qualified it was more of a political decision.
Re: Yes and no... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
In this case, I would say the breaches and some of the practices in place being reported would indicate that seh was unqualified, regardless of how she got the job. (I'm going with knowing the right people, not being a diversity hire)
Re: (Score:2)
That's the problem with Affirmative Action and Diversity hiring.
These aren't supposed to involve hiring unqualified people. It means that you make an effort to ensure a good mix of qualified people.
Re: (Score:2)
No it doesn't. Her past could indicate that she'd worked or been at previous institutions in close proximity to other higher-ups at Equifax, and with the proper searching, someone might find out there was some sort of inappropriate relationship. In fact, that's much more likely than any sort of diversity hire.
Re: (Score:3)
You do know that diversity hiring doesn't mean we just hire anybody? The qualifications for the job don't just become "A woman" or "A person of color". That is not how it works in the real world, even if you for a second honestly naively believe that devoid of diversity hiring policies, employers hire the person with the best qualifications or most experience in the first place.
Actually, there is a whole real world that does not conform to yours. We went far out of our way to hire women who were qualified, but not remotely the best candidates for the job. Entry level qualifications were beatng out 15 year veterans. I lost out on several promotions because we had to promote the women as fast as possible, including one promotion where the woman did not meet the minimum qualifications of time in grade.
Sorry, but in academia at least, men are being marginalized in favor of women. B
Re: (Score:2)
seasing on this (and idiots
Ah, the irony...
Re: (Score:2)
I was thinking this too...
Re: (Score:3)
Well I'd start by expecting professional qualifications such as CISSP [isc2.org] or at least one or more GIAC [giac.org] certifications...
Particularly GIAC Security Leadership [giac.org] or GIAC Strategic Planning, Policy, and Leadership [giac.org].
-- Pete
Re:Yes and no... (Score:5, Insightful)
I've worked with some brilliant software engineers and engineering managers at my current job, and here is a list of the non-IT degrees they have:
B.S. in Political Science
B.A. in Media Design
B.A. in English
These are guys that are designing and implementing financial software for a Fortune 500. Sometimes what your degree is in has the square root of jack shit to do with what you are currently doing, and how well you do it.
Re: (Score:2)
I agree partly (I came out of Electrical Engineering), but it certainly helps if one's resume shows increasing experience in the field before you, say, become a C-level executive over that field in your company, yanno?
It's doubly odd when one finds that her history on linkedin is now hidden/blocked, no?
Re:Yes and no... (Score:5, Insightful)
Re: (Score:2)
And very likely none of them will have what it takes to be a reasonable CISO. That job is a bit more difficult than just being able to write good software. I also doubt that "brilliant" qualifier very much. In a pool of massive underperformers, somebody somewhat average will look "brilliant". (And yes, I have reviewed software created by supposedly "brilliant" people that did not have an IT related degree. It was functional but not good at all beyond that. And yes, this was critical software in about the sa
Re: (Score:3)
Re: Yes and no... (Score:4, Insightful)
It depends on the kind of work.
Does she have a CISSP, or similar.
How many years in security?
Or maybe the experience is in the office back room, or CEO's office with the doors closed.
Either way, with Insider Trading allegations, info coming out 4 or months out, bonehead releases and f**ked up websites, poor patching policies, etc. He's going to have to kiss a lot of politicians butts to get out of this one.
Re: Yes and no... (Score:5, Funny)
Either way, she's in real deep Treble right about now...
(...I kid! I kid!)
Re: Yes and no... (Score:5, Funny)
That was very clefer.
Re: Yes and no... (Score:5, Funny)
Re: Yes and no... (Score:4, Funny)
bassed on what, exactly?
Re: Yes and no... (Score:5, Funny)
I don't want to string anyone along here, but let's not harp on her minor credentials. While they struck a chord in some people, joining the chorus of citizens at fever pitch won't fix Equifax's systems that are baroque and in need of fiddling on a scale we haven't seen B4. It's important to note that the movement of filing key lawsuits will work in unison and reach a crescendo at some point. The drum beat of progress will necessitate major reforms that will even the score and serve as the prelude for improved security. The measure of any company in a situation like this is whether they change their tune and raise the bar, or have their finale.
Re: (Score:3)
I don't know, but he probably had to take a rest afterwards.
Re: (Score:2)
The CISSP is a joke. I did with 5 days of preparation in the first try and I could realistically have done it with far less. I have removed it since from my resume, because the things asked are just extremely shallow and worthless.
Re:Yes and no... (Score:5, Informative)
She was previously Senior Vice President and Chief Security Officer at First Data Corporation for four years
Re: (Score:3)
Next target hackers! We now know the former CSO wasn't the sharpest tool in the box. Rot is almost certainly there too.
Re:Yes and no... (Score:5, Informative)
Next target hackers! We now know the former CSO wasn't the sharpest tool in the box. Rot is almost certainly there too.
Hackers don't need some additional notice or incentive to go after First Data. First Data is one of the biggest, tastiest and most potentially lucrative targets in the world. But you haven't heard that, because they do a very good job on security.
I worked several security projects at First Data when I was doing security consulting, and I was consistently impressed with quality of their people, systems and processes. I was also a little appalled at how many eggs are in the First Data basket. They issue and manage a large majority of the credit and debit cards in the United States. You almost certainly have a card they issued in your wallet, and they also generate your statements, process your payments and potentially even operate your bank's web site.
The largest project I worked for First Data was directly supervised by the NSA (in their role of protecting the nation's data infrastructure, not their role of spying on everyone -- two very different organizations within the NSA) because the security of First Data systems is essential to national security. They're that big and that important to the country's credit and banking infrastructure. More important than Equifax, I'd say.
The fact that she was CSO for First Data changes my perception of the headline considerably. I can't see First Data hiring someone unqualified for a role like CSO. Security is way, way too important there, and they have a lot of people who know how to do security.
Or family connections (Score:2, Interesting)
Re: (Score:2)
To be fair, Equifax is a credit reporting bureau, and not FireEye, Tripwire, Qualys, F-Secure, PC-Matic (for consumers), etc. (though you are correct in that security is an incredibly high priority for a credit reporting bureau, or at least one would think so... but they got popped via a way outdated version of Struts, FFS.)
A company like Qualys or Tripwire getting popped would spell certain doom for that company.
Equifax on the other hand will likely survive this (as long as nothing else happens in the next
Re:Yes and no... (Score:5, Insightful)
Unless you are getting hired directly out of school for a tech job, whether or not you have a degree in tech means almost nothing. It's your experience that counts. If Mrs. Mauldin majored in music, graduated, found that was a dumb idea and worked her way up through the ranks over 20 years before landing the Chief Security role at Equifax, I have no problem with that.
This woman may have to take the fall, but often, even senior security staff don't get to dictate everything you think they should. Cost considerations can override their wishes, inconvenience can override it. They can often set guidelines for IT staff that do not report to them and feel no obligation to do what they say.
I wouldn't skewer this woman just yet.
Re: (Score:3)
Agreed, but she'd damned well better have at least one email in her possession showing that she (or one of her subordinates) had previously tried to warn the company to update their version of Struts...
(...and if she does, then the devs will be in the hot seat for ignoring that one.)
Re:Yes and no... (Score:5, Informative)
Devs don't patch live systems at a company that size. Devs shouldn't touch live systems at a company that size.
Re: (Score:2)
...but they should at least show evidence of patching test/staging systems, no?
Re: (Score:2)
The devs? No. That would be admins.
At that size, there should be small team just testing patches then applying them.
Re: (Score:2)
Agreed. They provide the applications that are put into an environment that the Operations teams manages. This is only after the application has gone through rigorous testing, many time through multiple test environment. Devs ONLY do unit test in a development environment. All other tests (Certification, Integration, Regression. We even added two more separate tests of Performance and Release) go through a different group of folks with environments setup for each. Each with specific set of tests in m
Re: (Score:2)
If Mrs. Mauldin majored in music, graduated, found that was a dumb idea and worked her way up through the ranks over 20 years before landing the Chief Security role at Equifax, I have no problem with that.
From her LinkedIn profile it appears she went from unemployed music student to Chief Security Officer in roughly ten years. Pretty impressive career.
Re: (Score:2)
Re: (Score:2)
I have a degree in photography, it did not take long for me to realize I was not a professional photographer. And thus began my 20 years in IT.
Re: (Score:3)
Unless you are getting hired directly out of school for a tech job, whether or not you have a degree in tech means almost nothing. It's your experience that counts. If Mrs. Mauldin majored in music, graduated, found that was a dumb idea and worked her way up through the ranks over 20 years before landing the Chief Security role at Equifax, I have no problem with that.
This... I, too, majored in music, but focused on audio engineering. I ended up building and maintaining radio stations, including repairing solid state and analog transmitters and rewiring audio consoles, building multi-site audio and data links, building automation computers and maintaining data networks, etc. In the course of doing that, I studied electrical engineering and programming, passed the FE, and eventually become a patent attorney specializing in communications and security.
If she had no experi
Re: (Score:2)
Yet, basic things weren't done on her watch. Keeping your servers patched is very basic, but it's the kind of corner a non-technically proficient manager, like her, will cut.
Proof of the pudding and all. She's done and deserves to be unemployable.
Re: (Score:2)
Bullshit. To be any good at IT security, you need 10-20 years of experience on top of a relevant degree (MA or PhD) that already included IT security. If you do not have that degree, you cannot, in a human lifetime, acquire enough experience to compensate for that. This stuff is hard.
Re: (Score:2)
Having a liberal arts degree doesn't disqualify you from working in IT. If you only have a liberal arts degree, no technical certifications and no previous IT experience for a high-level role as CSO, you must have really nice legs.
Or, you know, she worked for 4 years as a Chief Security Officer for First Data Corporation just prior to this job and has a 15 year history in tech related industries, including HP. Perhaps you should read the article before spouting off sexist crap like that.
Re:Yes and no... (Score:4, Informative)
Judging from her profile, she had 11 years working in IT positions starting at HP in 2002 and including two banks and a major credit card processing company.
It is not inconceivable that a person with such a background would acquire the necessary skills on the job; back in 2002 there weren't many (if any) degree programs in IT security, and to be frank a CS degree doesn't really prepare you to do security work much better than a music degree. So would you rather hire a recent grad with the right degree for this position, or someone who'd been working in the field since before the degree was commonly offered?
On the other hand, Equifax just had a major security screw-up and did not handle it very professionally. So while nothing in her background precludes her being qualified for the job, her actual job performance calls her competence into question.
Re:Yes and no... (Score:5, Funny)
but thought she was the cat's meow when it came to managing high-tech companies
To be fair, slaying 30,000 serfs is pretty much the same in the 2000's as it was in the 1400's
Let's not be hypocritical (Score:5, Insightful)
A good share of this site's users do very important technical work--quite competently--without the educational credentials.
Let's judge people here by their actions, not their degrees.
Re:Let's not be hypocritical (Score:5, Insightful)
How quickly you forget.
Why are they in the news again? Incompetent administration, unpatched systems, no emphasis on security?
Her results are on the record.
Re: (Score:2)
Her results are on the record.
I think that was the point.
Re: (Score:2)
Why hasn't she been fired then? Maybe she warned them and the bean counters decided it wasn't worth it.
We simply don't know, and speculation is pointless.
Re: (Score:2)
CSO is a responsible position. She can't just pass the buck. It was her job to take it to the board and resign over not being allowed to do her job (assuming that's her story).
Three letter people don't get fired. She'll 'take time off to spend with her family' shortly. Likely followed by the COO and CEO.
Re: (Score:2)
Why are they in the news again? Incompetent administration, unpatched systems, no emphasis on security?
C-level execs bring home huge paychecks because of their (alleged) vast, exquisite expertise and the tremendous amount of responsibility they must bear. You can't collect a paycheck of this level while at the same time playing dumb and throwing underlings under the bus. Well, I guess you can, but you shouldn't.
Re: (Score:2)
If the company survives this, they will certainly need to replace the entire security team. Find the ones that quit in disgust and hire them back.
But it's ultimately on her, the CTO, COO, CEO and board. They are fully responsible for the team in place, it's budget and the priorities they operated under.
When your servers aren't getting patched, it goes to the top. That's just basic.
Having been around, I bet patching Struts (and all the rest of the server software) was nobody's 'job', a low priority si
Re: (Score:2)
do very important technical work--quite competently--without the educational credentials
Well, it's not much of a stretch to extrapolate from that that you feel that educational credentials are, in effect, meaningless for technical work. Do you feel that way about all fields or just technology?
Yeah but (Score:2, Insightful)
Isn't there anyone else in the organization that knows the vpn user/pw is admin/admin that can blow the whistle before hackers dump your sack?
Organizationally it shows these companies have no blue teams looking for red teams. And they have your mortgage documents.
Having a degree in a different field isn't wrong (Score:5, Insightful)
I myself am a music major and have since gone on to be a highly certified security individual. What a person takes as their post-secondary degree when they are 18-24 and starting life doesn't imply they haven't SINCE developed a full suite of skills and certifications making them perfectly suited to the job.
Re: (Score:2)
What does being at the wheel when infosec Chernobyl happens imply?
Re: (Score:2)
Agreed - too bad she didn't have her LinkedIn profile sufficiently updated to reflect her current skillset BEFORE the big breach happened.
Re: (Score:2)
Certification is utterly worthless. In fact, certification makes things worse. When actual IT security experts work with people that just have "certifications", we not only have to explain how things actually work, we have to overcome all those wrong ideas first. It is utterly pathetic.
Musicians can make good computer scientists (Score:2, Insightful)
Re: (Score:2, Informative)
One of the early pioneers in Tech, the man that interviewed Bill Gate and was given the infamous "64K" quote, is a world class composer. (yes Dennis [wikipedia.org] I'm referring to you!).
Re: (Score:2)
Coders are routinely bad at security. It is a different skill. Also, self-taught coders usually suck badly as soon as the least bit of actual CS comes into it.
I suppose but (Score:5, Funny)
Majors don't mean shit (Score:2, Insightful)
You wanna bet the people that hacked Equifax didn't major in security too? Like she would have learned anything in college that would have prevented this. No, this mistake was made by someone much lower in the org than her and they probably had certs/degrees.
Re: (Score:2)
There are plenty of CS and Engineering people that wouldn't have known any better.
But there are also some that would have. Music education had no chance of teaching her what she needed to know. She was almost setup to be a perfect victim of some security company's 'magic bullet marketing'.
The practicals of security are tough and not taught in school. But 'three letter' executives aren't expected to be in the trenches, they are expected to set policy. For example: 'All patches should be tested and deplo
Re: (Score:3)
No, this mistake was made by someone much lower in the org than her and they probably had certs/degrees.
Probably not...
I'm in InfoSec as well, and it almost always goes like this:
1. InfoSec - we need to do X, Y and Z to address these weak points. It will cost $A. (or potentially involve B amount of dealing with user gripes)
2. Upper management - no, that's too expensive (or to much trouble, or whatever)
3. InfoSec - well, ok, we have enough resources to partially address the worst offenders X and Y...
4. Attackers - Z is weak! All your bytes are belong to us!
5. Upper management - !?! Here's a stack of money, an
Found this interview (Score:5, Informative)
Re: (Score:2, Insightful)
So, there are two ways you could interpret this.
One is that she's got a competent and well-developed perspective on the security industry. She's put a lot of thought into many new and upcoming problems, has kept herself on the leading edge, and is well-appraised of many deep and complex topics in information security. On top of all that, she also has excellent taste in music.
The other is that she's a woman and obviously doesn't know what any of those big words she's using actually mean.
The major deba
Re: (Score:2)
Will you let me know what sub to watch for the debate, or will it just make the front page? Or do I have to wait for the whining thread in r/conspiracy about how the mods conspired to kill the debate on CIA mind control music ruining internet security?
Re: (Score:2)
is well-appraised of many deep and complex topics in information security
Well, considering they were running an unpatched version of Apache struts and using "admin" as their passwords, we can pretty much rule that out.
doesn't know what any of those big words she's using actually mean
So you must be saying option B.
I love the smell of moralizing high-and-mighty white knights painting themselves into a corner in the morning.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Well, she at least knows the right words... (Score:2, Interesting)
It seems she's not a complete novice, she's uses some of the right words and is familiar with the idea of tokenization for securing PII in "the cloud" (which is f*cking stupid idea that adds complexity and increases the attack surface but all the rage with a lot of the security groups I've worked with). This statement also stood out for me "In today's environment, fully funded, well staffed adversaries can pretty much get to any asset that they decide to target." Oddly enough, I usually consider an attitu
Re: (Score:2)
Yes, they'res a lot of it about.
So? Also better reasons for hiding profile (Score:5, Insightful)
I've got grade 2 piano and no IT qualifications, and yet I'm working in IT instead of busking my way through chopsticks.
If that wasn't enough, news outlet MarketWatch reported on Friday that Susan Mauldin's LinkedIn page was made private and her last name was replaced with "M", in a move that appears to keep her education background secret.
I doubt it has anything to do with keeping her education background secret, and more to do with simply wanting to disappear until this particular shit storm blows over. Lot of (rightfully) angry people out there, some of whom might do (unrightfully) angry things.
Musicians and algorithms. (Score:3)
In my humble experience, musicians and mathematicians can converse very coherently upon the subject of algorithms. It's truly something to be a fly on the wall for one of those conversations.
However, back to the matter at hand. I suspect that we will learn that Equifax was a shell of a company that is still running XP or even NT and that the business people treated the tech side of the company as janitors who basically had to keep the place looking tidy and those credit card transactions coming in.
Only occupation with too many (Score:2)
Re: (Score:2)
Re: (Score:2)
Well, a lot of people here have a lot to lose. But the abysmally bad state that most current software is in is due to the abysmally bad skills of most coders. And this cannot continue.
Re: (Score:2)
I fully agree. It is pathetic. I just recently had to explain to some 5-year web application developers at a really large company where they write mission-critical software, what an HTTP-header looks like. These people have zero understanding what they do. They can use some frameworks for implementing simple business logic, but ask them whether a variable is actually stored on client or server side and they just look at you without any understanding at all.
What we need in software creation is _engineers_. Y
Keep it classy, /. (Score:5, Insightful)
Personal experience with Equifax (Score:3)
At least a couple of the funny mods were slightly merited, but I'm pretty baffled by the "insightful" on this one. Something about the financial model of Slashdot? What's to say beyond "It's broken"? Maybe some deeper insightful suggestion on how to improve it?
So after scanning all of the "funny" and "insightful" comments, I did another round of searches for relevance and eventually wound up back at your post for the "personal" embedded in "personally". As of now, it's the only match in the visible part of
Seriously?!? (Score:2)
This is an insult to anyone working hard to make the best of information security. Equifax deserved it!!
Meaningless equivalency ... (Score:2)
... of formal vs informal education.
I am a retired IT guy. I never went to school for a goddam thing.
I started as a hobbyist in 1978 (TRS-80) and LIVED the digital revolution.
I have an aptitude for it that school would probably have fucked up.
Infosec and backup were my two nightmares.
I handled them both with best practices, limited only by management's lack of infinite resources, including common sense.
...played good note (Score:2)
A Master's in Music Composition, you say... (Score:2)
There's lots of valid career paths that could lead to a job in IT, and I would normally accept any reasonable explanation for how she got the job
They tried to cover her academic qualifications up, though, which leads me to a slightly different conclusion...that she got the job by composing an original piece with a title something like, "Duet for Skin Flute and Tulips".
In her defense... (Score:2)
So many on here seem to think that a college degree is not required for certain IS/IT related positions. They taut how college degrees are useless.
Well, here you go - she had a BA and MFA. She is obviously intelligent and capable of learning. Her work background had her working in at least two tech related positions given the companies for which she worked.
The comments made by former coworkers indicate she is organized and able to lead her teams. Ultimately, that's what get you an executive job.
However,
Obligatory XKCD (Score:3)
Re: (Score:2)
Could be useless feedback, could be broken hiring process. Not enough information.
Re: (Score:2)
Well. "CISO" is ancient Geek for "the lamb that is slaughtered first". I know a guy that resigned from a really well paying CISO position after a few months, because they would not let him look at anything or have any information or impact at all.