On Friday, Equifax chief security officer Susan Mauldin stepped down from her post amid widespread criticism that her company didn't do enough to prevent its massive data breach.
This was the smoking gun that to some proved Mauldin's obvious unfitness for the job. With a bachelor of arts and a master's of fine arts, Mauldin's record betrayed a “lack of educational qualifications” for her job, according to a columnist writing for MarketWatch. Other outlets seized on the point and ran with it. “Equifax Execs Resign; Security Head, Mauldin, Was Music Major,” read one headline from NBC News.
While it's unclear how much technical experience Mauldin may have accumulated during her career — her LinkedIn profile was scrubbed and is now inaccessible — the subtext of the articles was one of shock: How could someone so uncredentialed be leading such a major company?
But the public fury over Mauldin's lack of technology expertise, according to some experienced IT professionals, is misplaced. They argue that although Equifax failed to patch a serious software vulnerability under Mauldin's watch, the fact that she lacked a technical degree explains very little about why she and her company failed. In fact, they say, the rage over academic training risks misleading the public on how information security really works and advances a myopic view of the field.
Mauldin made some bad mistakes, these IT experts argue. But her decision to study music wasn't one of them.
Supporting that view, the hashtag #unqualifiedfortech soon arose on Twitter, started by Alice Goldfuss, a site reliability engineer at Github. Before long, tech workers from across the industry began noting that they came from fields such as writing, film and food. Others said their backgrounds were in construction, conflict resolution, architecture and even plant ecology.
Android Tech Lead here. Was a Religious Studies major, then a cook/chef for 12 years. #unqualifiedfortech
— treelzebub (@treelzebub) September 17, 2017
Undergrad degrees in history, pol sci, French, German. Masters in public policy. Wrote 4 #cybersecurity books, was CISO. #unqualifiedfortech
— Richard Bejtlich (@taosecurity) September 19, 2017
(Bejtlich is the former chief information security officer at Mandiant, a cyber forensics firm that has investigated data breaches at many companies, including Equifax.)
Peter Thiel majored in 20th centrury philosophy. Now he harvests the blood of the young.#unqualifiedfortech
— Joe Uchill (@JoeUchill) September 17, 2017
It is extremely common for such firms to hire workers with nontechnical degrees, said Wendy Nather, the principal security strategist at Duo Security, a firm that provides two-factor authentication and other account protection technologies. About 85 percent of Duo Security's hires do not have a formal background in information security, Nather said, yet the company's clients — which include Facebook, Paramount Pictures, Toyota and Yelp — report being extremely satisfied with their work.
What these people bring to the job is a way of thinking about problems — and then solving them — that draws on the best of other disciplines, Nather said. A person who understands biostatistics tackles computer malware like she would a biological disease, for example.
I know several people in infosec wth a music degree.
— Derek Robson (@asinine_net_nz) September 15, 2017
And a CISO is as much about risk management as CS and tech.
“Just about everybody in my cohort that I worked with in the last 20 years has come from pretty much another field,” she said. “I knew somebody who had majored in Chinese philosophy — and he was one of the best, most creative and well-rounded security consultants that I knew.”
Some, said Nather, didn't go to college at all, yet can code alongside the best, thanks to their hands-on or self-taught experience.
That there could be so many tech workers without high-tech educational backgrounds dovetails with Silicon Valley's longtime economic message to America: Anyone can learn to code. Thousands of independent app developers now build software for iOS and Android, many without formal training. Even displaced Kentucky coal workers have found successful new careers in tech.
Trusting a certificate to accurately describe a worker's qualifications may serve established industries like law, business and medicine. But in technology, that piece of paper you graduated with matters less than many think, according to some practitioners. This is particularly the case with information security, where the threats are constantly changing and adapting.
“Nobody with more than 5 years experience has a cybersecurity degree — they didn't exist 5 years ago,” one Reddit user, /u/fishsupreme, wrote in a top-voted comment about Mauldin's retirement. “And a Computer Science degree from 5-10 years ago didn't cover security topics any more than an MFA in music composition did.”
In 2016, the coder community Stack Overflow conducted a survey of more than 56,000 developers across 178 countries. It found that 69 percent of them were partly or fully self-taught. Barely 40 percent had a bachelor's degree in computer science, let alone a background in information security.
Nather attributes some of these patterns to the fact that cybersecurity is a relatively young field. Academic curriculums are changing as seasoned security professionals have ventured into academia to teach from their experience, said Nather. Still, she said, there are limits to what a computer science degree can tell you about a person.
“It's really important to bear in mind that any sort of static qualification at some point is probably not a good way to judge anybody's contribution to the field," she said.
Credential-focused thinking can lead to a kind of narrow-mindedness, one that can't recognize the potential of college dropouts like Steve Jobs or Bill Gates. It also completely misses how vital soft skills are to the best tech companies. As Yonatan Zunger, a former Google engineer, wrote recently in a blog post, only a novice would think that computer engineering actually means “sitting at your computer and hyper-optimizing an inner loop, or cleaning up a class API.” The reality is far different.
“Fixing problems means first of all understanding them,” Zunger wrote. “And since the whole purpose of the things we do is to fix problems in the outside world, problems involving people, that means that understanding people, and the ways in which they will interact with your system, is fundamental to every step of building a system.”
That's why, to those like Nather, a background in music composition isn't a black mark on a person's record. It's something to be celebrated, because it adds an outside perspective to the technical skills that, while no doubt important, can still be acquired outside the ivory tower.