by jedberg 1343 days ago
They're making fun of the fact that during the data breach the CISO was someone with a music degree and no background in security.

Holy fuck, I never knew this detail.
I used to work for the government on systems with extremely sensitive data. I’m talking… penitentiary consequences for data leaks. 90% of the Information Security employees didn’t even have a background in tech OR security.

You’d be surprised how incompetent an auditor can be if the security framework simply requires them to blindly fill in responses on boilerplate spreadsheets based on the department’s word alone.

For example, risk assessments are performed for all new applications requested by employees. InfoSec: Does this COTS web application have X security control which protects data in transit via encryption acceptable for use in our operating environment?

Some bozo from marketing: Yeah, I’m pretty sure.

In truth, neither of them are sure. The requester didn’t check, and the auditor saw the word “encryption” on the vendor’s website along with a green padlock in the address bar and that was good enough.

The auditor doesn’t even know how to check the ciphers being used for this sketchy web application. The control also requires TLS 1.2+ due to the sensitive nature of the data. The auditor marks the security control as “Met” and approves the software request.

The auditor is completely incompetent, but is used as a pawn in an elaborate game of “security theater” to abstract away liability.

Also, even if the hypothetical security control in the example above wasn’t met, the head of marketing (System Owner) could request an exception be created to skip that security control.

Wait, qzx_pierri, you’re telling me that the security control can be skipped? How the hell is that a security CONTROL?

I don’t know, and that’s why I quit that depressing industry. To everyone reading this: Stay paranoid, and protect your data yourself if it’s on someone else’s server. "Security" (in America, at least) is often complete bullshit.
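The control the comment above describes (encryption in transit, TLS 1.2 or newer, acceptable ciphers) can be verified in a few minutes instead of being marked “Met” on the requester’s word. The script below is an added example, not code from the thread or from anyone in it; the weak-cipher list, the control names and the `example.com` default are this example’s own assumptions, and the evaluation logic is separated from the network probe so the judgement can be checked against constructed values.

```python
"""Check an endpoint against an 'encryption in transit' control.

Added example (not from the Hacker News thread). Two checks replace the
"the requester said so" evidence:
  1. a modern client negotiates TLS 1.2+ and a cipher not on the weak list;
  2. a client limited to TLS 1.0/1.1 is refused by the server.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import List

# Assumed policy: cipher-name fragments (OpenSSL naming) that fail the control.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "CBC3", "NULL", "EXP", "MD5", "ADH", "AECDH")
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")


@dataclass
class Finding:
    control: str   # assumed control identifier, not from the thread
    met: bool
    evidence: str  # what was actually observed, for the audit record


def evaluate_negotiation(version: str, cipher_name: str) -> List[Finding]:
    """Judge a negotiated (version, cipher) pair against the control.

    `version` is what ssl.SSLSocket.version() returns (e.g. "TLSv1.2") and
    `cipher_name` is the first element of ssl.SSLSocket.cipher().
    Returns [version finding, cipher finding] in that order.
    """
    version_ok = version in ACCEPTED_VERSIONS
    upper = cipher_name.upper()
    weak_hits = [m for m in WEAK_CIPHER_MARKERS if m in upper]
    return [
        Finding("TRANSIT-01 protocol >= TLS 1.2", version_ok, f"negotiated {version}"),
        Finding("TRANSIT-02 no weak cipher", not weak_hits,
                f"negotiated {cipher_name}" + (f" (weak: {', '.join(weak_hits)})" if weak_hits else "")),
    ]


def control_met(findings: List[Finding]) -> bool:
    """The control is 'Met' only when every finding is met; no exceptions."""
    return all(f.met for f in findings)


def legacy_refused(host: str, port: int, timeout: float) -> Finding:
    """Offer only TLS 1.0/1.1 and confirm the server will not negotiate them.

    Caveat: a local OpenSSL build that no longer speaks TLS 1.0/1.1 at all
    also fails here, so read the evidence string before recording the result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we only care whether a handshake completes
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return Finding("TRANSIT-03 legacy TLS refused", False,
                               f"server accepted {tls.version()} with {tls.cipher()[0]}")
    except (ssl.SSLError, ValueError, OSError) as exc:
        return Finding("TRANSIT-03 legacy TLS refused", True, f"handshake failed: {exc}")


def probe(host: str, port: int = 443, timeout: float = 5.0) -> List[Finding]:
    """Run both checks against a live endpoint and return the findings."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            findings = evaluate_negotiation(tls.version(), tls.cipher()[0])
    findings.append(legacy_refused(host, port, timeout))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default
    results = probe(target)
    for f in results:
        print(f"{'MET    ' if f.met else 'NOT MET'} {f.control}: {f.evidence}")
    print("Control overall:", "Met" if control_met(results) else "Not met")
```

Run it as `python tls_control_check.py vendor.example` (hypothetical hostname) and attach the printed evidence lines to the risk assessment; the point is that “Met” is then backed by an observed protocol version and cipher name rather than by a padlock icon.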

It's a nasty sexist lie.

The person had no relevant degree (as is the case for most people working in security roles, because such degrees didn't exist until very recently).

The person did have literal decades of relevant experience, working in security.

You're going around the threads trying to make this a gender issue. It's a valid criticism of anyone.

In this case they happen to be female.

That doesn't mean the criticism is motivated by gender.

Your gender also doesn't excuse you from criticism.

It's not a valid criticism of anyone. Essentially zero people with that kind of work experience have infosec degrees.

It's hard to get a formal degree on a subject which isn't taught anywhere!

For example: HN loves Mudge, who also happened to just leave a CISO post, and also only holds a music degree from Berklee.

Another data point: I was reading just yesterday on an HN post about fake qualifications about many male director-level people without proper education.

They were criticised too.

I guess we all see the world as we wish.

We're specifically talking about a field where even a decade ago "proper education" was only offered by a couple of schools in the world.

Compsci is not an infosec-related degree.

> They're making fun of the fact that during the data breach the CISO was someone with a music degree and no background in security.

> It's a nasty sexist lie.

LMAO It is literally true.

But it's literally not true. The person had decades of experience working security roles.
It is literally true that she had no relevant formal training.

It is also true AFAIK that when she got her first role as an executive in charge of security, she had no formal training or IC experience in security. All of her "security" experience was in executive roles. Which is insane. That never happens with other types of technical leadership roles (legal, law, finance, accounting, engineering, etc.).

> It is literally true that she had no relevant formal training.

Yes, but that's also true of almost all BigCo CISOs.

> It is also true AFAIK that when she got her first role as an executive in charge of security

By "AFAIK" you mean that this is just what you assume without checking, right?