By Corey Moss
Some of us in the AV industry talk cybersecurity. Ransomware, I believe, was the latest hot topic discussed in certain corners (I discussed it too); however, try this one on for size.
By now you’ve likely heard of the massive Equifax breach, which lasted from mid-May through July of this year. Hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents containing personal identifying information for about 182,000 people, and they obtained personal information of people in the UK and Canada as well.
Here are the full details from the Federal Trade Commission.
Equifax’s CEO is Richard Smith. Look him up on LinkedIn and you’ll notice that this executive, who you would think might have an in-depth profile, shows up like this:
Yes, that’s it. Better yet, if you look up the company’s Chief Security Officer (CSO), she no longer exists on LinkedIn. Someone did, however, grab a screenshot of the CSO’s profile before it was taken down; here it is:
You’ll notice the Education portion circled. While The University of Georgia is prestigious enough for a person in a CSO position at a major organization like Equifax, it’s the Music Composition major that is nowhere in line with someone accountable for developing and overseeing the policies and programs meant to mitigate or reduce compliance, operational, strategic, financial and reputational security risk relating to the protection of people, intellectual assets and tangible property. *
And we are talking about Equifax, the consumer credit reporting agency that collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.
Imagine: a music major left to oversee such policies and programs for this worldwide agency.
The MarketWatch opinion piece, Equifax hired a music major as chief security officer and she has just retired, begins:
Susan Mauldin, whose identity is being scrubbed from the internet, studied music composition
When Congress hauls in Equifax CEO Richard Smith to grill him, it can start by asking why he put someone with degrees in music in charge of the company’s data security. And then they might also ask him if anyone at the company has been involved in efforts to cover up Susan Mauldin’s lack of educational qualifications since the data breach became public.
Interestingly, though, the CSO and CIO both retired from the company immediately, while Mr. Smith remains as the agency’s CEO. The article says it would be fascinating to hear Smith try to explain these extraordinary situations, and that if those events don’t put the final nails in his professional coffin, accountability in the U.S. is officially dead.
I wholeheartedly agree.
This is now what you get when you look up Ms. Mauldin’s LinkedIn professional profile. As for CIO David Webb, here is the LinkedIn profile my Google research pointed to. Notice his professional Experience ending as Chief Operations Officer at Silicon Valley Bank, Jan. 2008 to Jan. 2010, and before that, CIO. There is no picture there; however, he is still listed among Equifax’s Corporate Leadership (with this picture on the website), which corroborates that he worked for Silicon Valley Bank. It was there when I checked it; if it’s no longer there, then Equifax has removed it. Susan Mauldin, of course, is not listed, the former CSO now a distant memory.
As for CEO Richard Smith and the Board? The Street has reported that they are pretty cozy: Board tenure at Equifax exceeds the average, with one director serving for 25 years, and Smith has benefited from a long relationship with the majority of the company’s independent directors. All of this raises the question of whether the board was providing the right checks and balances on Smith and his executive team. Along with being CEO of Equifax, Smith is a member of the advisory board of venture capital-backed DocuSign Inc., valued at $3 billion in its last fundraising round.
What’s more, as The Street reported, three executives, including CFO John Gamble (listed as John G. on LinkedIn, as certain executives now are), sold stock worth almost $1.8 million a few days after the company discovered the breach in July and six weeks before the breach was disclosed. Equifax said those executives were unaware of the breach at the time of the stock sales.
Thirty-six U.S. Senators have asked the Federal Trade Commission to “conduct a thorough examination of any unusual trading, including any atypical options trading, for violations of insider trading law.” The FTC is already investigating the breach itself. The attorneys general of 31 states and the District of Columbia also criticized Equifax in a letter.
The new interim CIO, Mark Rohrwasser, only joined Equifax last year, when he began leading the company’s international IT operations. Russ Ayres, vice president of Equifax’s IT organization, will be interim chief security officer and will report to Rohrwasser.
We in the AV industry deal with major client organizations day in and day out, and in most instances we don’t know the backgrounds of the people we are dealing with. When working with the CIO, you normally determine that this person has the know-how, from education or experience, to understand the ins and outs of the system, especially the network. That looked to be the case at Equifax, with a CIO who had spent almost 5 years as CIO/COO at Silicon Valley Bank. But imagine dealing with a Chief Officer entrusted with security and risk policies and procedures who has nothing but Music Composition degrees. That may be reason enough to look up a client and connect with them on LinkedIn, if for nothing more than to add them to your network. It gives you a better idea of who you are working with, and they could certainly appreciate that as well.
This is not to say that this will have any effect on your client activities; hopefully, though, organizations with people in key executive positions who are wholly unqualified for the objectives, like Equifax’s former CSO, will take notice.
This is by no means a lesson learned for Equifax; it is a grand mistake corrected, and only after a massive breach had been exposed months after the fact. For the agency, it is a major blunder that has affected many, though as The Street says, Smith and the Board could likely skate through this, at least until the FTC makes its determinations.
In the end, it will hopefully force executives at major corporations and institutions to finally take cybersecurity seriously. Read the TechRepublic article, and take special note of the “Bozo security practices invite hacks” section. You think we had problems with the AMX incident?
Use LinkedIn wisely in your business dealings, and never hesitate to find out more about who you’re working with.
With over 20 years in audio visual integration and IT/computer sales and consulting, Corey Moss is the owner of Convergent AV. Corey writes for the publication and hosts/produces podcasts – The AV Life, Convergent Tech Talk and Making a Marketer. He has written for numerous industry publications about AV, IT, unified communications and collaboration (UCC), cloud and software, IoT, cybersecurity and more. He has also conducted interviews with AV and IT executives and global influencers.