There are a lot of noise in the last couple of weeks regarding Equifax’s data breach. Equifax is one of the big four credit rating bureaus in the United States. You can imagine the type of data stored and the gravity of the data breach! The data breach was massive as the current investigations determined that at least 143 million user data were captured including Personally Identifiable Information (PII) such as names, address, social security numbers and driver’s licenses.
Specific details on how to monitor potential fraud and mitigate risks brought about by the data breach can be read in Krebs on Security while SANS has created a management communication on the data breach. Lastly, a consumer update on the cybersecurity incident is maintained by Equifax to provide essential information and assistance.
In management perspective, the accountability of any untoward incident is on the manager or the executive. Firstly, they are paid way, way more. Secondly, they are the ones doing the decision making for the department. That’s why the role of the manager is crucial during events like a data breach.
Now, there are questions that need to be answered during investigations involving data breach. The basic is, did the company exercise due care and due diligence in implementing the security controls to prevent, detect and mitigate the incident? Initial claims stated that it was a Zero-day vulnerability that cannot be detected. However, it appears that the Apache Struts vulnerability was already discovered last March 2017 at least 2 months prior the breach occurred. This means the attack could’ve been prevented by following the recommendation from a vulnerability scanner. Another question is, how can massive amounts of data be transported or copied without raising any alarms for anomalous traffic or bandwidth utilization?
These questions mentioned are some of the major lapses that investigators have observed in the Equifax data breach. Of course, the company will give conservative values to stop the bleeding in their reputation damage.
Now, I could’ve just let the data privacy issue pass because there are a lot of security companies and law enforcement agencies that are conducting their comprehensive investigation about the matter. Yesterday, while I was browsing LinkedIn, I saw a post from a certain CISO (Chief Information Security Officer) of a company in USA where the LinkedIn profile of the Equifax CISO was posted and the undergraduate and graduate degrees (both in Music) were emphasized. The post implies that the reason why Equifax was breached was that the CISO studied Music instead of IT or infosec etc. (Screenshot from https://www.hollywoodlanews.com/equifax-chief-security-officer/)
There was a heated discussion below the post that came from various users where majority of them were information security professionals. I scrolled through the discussion and majority were bashing the CISO (like how people do it in Facebook). One commented, “That’s what happens when you sing and dance.” Another commented, “How can you protect the organization with that kind of course.” And the bashing continued.
I sighed and felt really disappointed. Do academic degrees matter when you have so many years of related work experience? It is a fact that non-technical managers look like fools in vendor or department discussions especially during planning and analysis stages. Some of these managers will just Google some jargon words prior to the meeting to have some “inputs.” But these end up terribly.
It is also a fact that executives are hired because of their soft skills and less of their technical skills. They can sell out something by explaining it in the simplest way possible. Finally, when shit happens, they are the ones that get fired or blamed immediately. Again, that’s the reason why they are paid higher.
Going back to my point, do academic degrees matter during incidents like massive data breach? Let’s assume that the vulnerability exploited in the attack was a Zero-day. Will it make a difference if the CISO has a PhD in Computer Science compared to a graduate of Music?
Because it is Zero-day, it cannot be detected and cured. It has not been discovered yet. It will happen even if you have a dozen PhD’s or a SANS certified-filled team. Would it make a difference if the attack happened in Equifax and the CISO was a graduate of Computer Science? Information Technology? Would your comment change from “That’s what happens when you sing and dance” to “Oh crap, he did his best but the attack was just bad?”
Do academic degrees matter when combatting security incidents?
Well for the record, I graduated with a degree in Computer Science and finished my Master’s degree in Information Systems. I also was able to find the same Apache Struts vulnerability in one of my security assessments back in March and I was able to help the development team fix it. But I don’t find anything significant in academic degrees stopping security incidents.
I would rather bet on experiences than academic degrees. We’re not in the academe. This is the industry we’re talking about.
I can no longer access the thread in LinkedIn. It looks like they deleted it after a heated discussion.