The CSO apparently graduated with a music major. Not that it should disqualify them; many in tech didn't graduate with a CS degree, but in light of the incident one has to wonder.
In general it would not be; now that the personal data of 100+ million people has been stolen from these clowns, it seems relevant.
Leadership sets the priorities and expectations. They get paid disproportionately more than other employees and I think they should be scrutinized and bear responsibility correspondingly.
But I have no doubt they probably found someone lower in the ranks as a scapegoat.
"Joe was in charge of patches. And we are all equally disturbed and horrified by his behavior. But we've reached out to him and let him go. Now give us more of your personal information so you can get free credit monitoring for 6 months [+]. -Sincerely and with deeper regrets, the Executive Team [++]"
[+] (fine print) then charged as $49.99 a month until cancelled. To cancel please visit one of the 3 Equifax locations in person on the first Wednesday of the month. Accepting
[++] (even finer print) by accepting the free credit monitoring you agree to binding arbitration and forfeit your rights to participate in a class action suit against Equifax and its subsidiaries.
I'm not saying we shouldn't have serious questions about his competence after this breach. Rather, my point is that we should be questioning his competence (and that of the rest of the executive team) due to this breach, not his credentials.
If he had a CS degree, that wouldn't make him any less responsible for this massive data leak.
Usually, the larger the company, the deeper processes go, shielding it from individual incompetence (so the company can hire for easy-to-measure attributes, like compensation, and protect itself from difficult metrics, like technical competence). Unfortunately, processes also prevent individual competence from having a noticeable impact on the company.
If I got the story right, this bug was present for the last 9 years and patched upstream a couple days before the leak. Some measures could have prevented its exploitation or reduced its impact, like throttling by IP, one-time session keys and so on - and should be in place for any serious application - but it's entirely possible they had a fixed schedule for patches and mis-evaluated this flaw as non-critical.
A LOT of companies carry obsolete dependencies for a long time.
That's very common at all non-tech institutions: the top technology management positions are held by people who don't have a technical background and may know very little.
Reasons are:
• It's hard to find technically skilled people who want to spend all day doing management tasks.
• It's easy to find essentially unskilled people who do want to spend all day doing management tasks.
• There is a large set of unwritten rules and social expectations that the people who created and run such companies use as proxies for competence. Do you dress nice, can you play an enjoyable game of golf, are you married, how old are you, etc. These proxies invariably de-select the kinds of people who have a deep understanding of their field (i.e. single young men who are able to devote enormous hours to their craft).
Edit: note the recommendations on her LinkedIn page. Every single one talks about her collaboration and communication skills, not a single mention anywhere of technical skills. It's tempting to shoot "Susan M" here but the real issue is a boardroom culture in which management is seen as a skill entirely divorced from the effort being managed.
So sad, that is so true these days that it shouldn't even be funny.
A meritocracy is not born when rich corporations (buyers of labor) select vendors (sellers of labor) based on personal connections and not ability to do the job.
I'm reasonably sure that "tech" companies try to save costs just as much as "traditional" companies. The difference might only be that they know how to formulate their requirements better.
I am 100% certain that "tech" companies have an entirely different attitude towards engineering costs than non-tech companies. The former want the best people working on problems and will pay what it takes (within reason), the latter want problems solved for the lowest price.
This is extraordinarily evident in the distribution of engineer salaries.
Which part is a massive reach? The fact that certain companies (which I choose to classify as "tech" companies) are willing to invest 2-3x as much into their technical employees?
A "tech" company is a company for whom technology (i.e. developers) is a profit center rather than a cost center.
Which means each and every line of code was written by the lowest bidder.