It’s the only chart you’ll ever need for this. You’re welcome.
The InfoSec industry is full of top talent that has no degree, art degrees, and STEM degrees. It’s also full of bottom talent in all those categories. You simply can’t tell how good someone will be at their job based on how much—or what type—of formal education they have.
You might think you can, but you’d be wrong.
Google thought they could too, and they did a massive study on it several years ago to find the magic education level, the magic school, the magic whiteboard skills, etc.
Turns out there was no magic degree, no magic school, and no magic puzzle question that could predict how good an employee would be.
So it might be fun to talk about how the Equifax CSO had a music degree, because we automatically—as human pattern matchers—want to assume that this was the reason the company got hacked on her watch.
But the truth is that I don’t know why it happened, and you probably don’t either.
Maybe she was incompetent and she was hired for political reasons
Maybe she was incompetent and she was hired as part of the buddy system
Maybe she was competent and got unlucky
Maybe she was competent but negligent in this case
Maybe she was competent but faced the most elite hacker ninjas in the world and there was nothing she could have done
It could have been a lot of things, but—like the Google hiring issue—precisely zero of these options hinge upon whether she had a music degree.
We as the InfoSec need to take guidance from the intelligence community and realize that you look like an idiot when you give strong opinions on topics without the facts needed to form those opinions.
We can do better.