Thursday, December 21, 2017

The Sound Of Music

Okay, so I can’t let this one go. I know I’m way late to the game on this since I wasn’t able to blog about it when it happened. One of my big takeaways from the Equifax hack is that we still have a long way to go in the information security community in educating the public and the media about who we are, particularly as it pertains to the digital forensics and incident response world.

What spun me up this time wasn’t the predictable post-incident speculative blamestorming and vendor preening. I suspect most of us have long since grown numb to self-appointed information security experts trying to bring attention to themselves by speculating on things they don’t have much knowledge or credibility to speak on.

What vexed me about the post-game analysis on this one was the freak out in regards to Equifax’s Chief Security Officer having a - gasp - music degree.  Not to put too fine a point on it, but questioning someone’s qualifications in the information security world because they don’t have a technical degree is flaming nonsense on stilts.  There are tools and knowledge that we use daily in this community that were created and taught to us by people who didn’t have technical degrees or any college degrees at all.  Some of the finest technical people I’ve worked with didn’t have anything more than a high school degree or had college degrees that had nothing to do with technology.  What they did have was a burning passion for information security which drove them to become great at what they did and to contribute to the larger community.  One of the reasons why some of these people don’t have college degrees is because they just didn’t see the point in spending time going into crushing debt while languishing in general elective classes on Babylonian astrology while they could be teaching themselves skills like networking, coding, and how operating systems worked.

That isn’t to say that we haven’t gained an immense amount from people in our community who have highly technical degrees.  People whose last names I don’t need to use such as Harlan, Lenny, and Kristinn all have engineering degrees and we’re all the better for their academic backgrounds and their contributions when it comes to education and tools. 

I’m all about people who are passionate about getting into digital forensics and information security taking advantage of all of the various academic paths and options they have available these days.  With the increased demand for information security talent, we’ve seen plenty of quality purpose-built information security degree programs in addition to the traditional degree programs in computer science, electrical engineering, computer engineering, and the like.  If you are interested in getting into fields like information security or digital forensics, you’ve got many more options than I ever did.  You’re only limited by your imagination and debt management.

Speaking of technical degrees, I think one of the things that really rubbed me the wrong way on this was the lack of understanding on what a long, hard slog a music degree is for someone to complete.  I don’t think music degrees are considered STEM degrees, but completing one tells me that your brain is formatted for working in technology because of all of the analytical work you had to do for the degree.  I remember back in the 1990s when employers were desperate for technical employees and hiring anyone with a Microsoft certification.  The employers in my area figured out that music majors made for awesome technical hires and started to actively recruit people with these degrees.

Even the United States Navy has gotten into the act.  It doesn’t surprise me at all that in 2016, they accepted someone with a music composition degree to their highly selective Navy Nuclear Propulsion Officer Program.  This is a program where the Navy seeks out the best and brightest people early in their college careers to get them onto the path of joining the nuclear portion of the United States Navy.

So, what is the takeaway for us? Be sullen and angry when the media gets it wrong? Nope. We need to be happy information security warriors and just realize when this sort of thing happens, we have to use it as an opportunity to educate others about our community and all of the wonderful people with diverse interests, abilities, and career paths who make it great.


  1. I'd really hoped that the news cycle had left this issue far behind...

    I, and others, have posted the " to get started in DFIR..." articles, and I don't remember ever having said, "...start by getting a technical degree...".

    Yes, I do have technical degrees, but no, I've never actually had to use them. Sure, in my MSEE program I went through exercises where we actually computed CRC values, the "Hamming distance" (note: Hamming was in attendance at my school, as was Gary Kildall for a short while...), and even MD5 hashes. Beyond that, the degrees have only served to get me past the "gate keepers" of HR and recruiting, because in coming off of active duty, I didn't have a network of folks in the field to turn to.

    The simple fact is that, in many cases, the degrees themselves are irrelevant.

    1. If a young Harlan Carvey would have gotten degrees in English rather than engineering, would he have had the same skill set that we have all benefited greatly from today?

  2. You could argue that having a degree completely unrelated to infosec may actually have been beneficial for your CISO "afterlife" once all the blame has been lumped on your shoulders as the company fall guy/girl, and no one wants to hire you for the next decade or so.

    Might be easier to find a job as a musician than a job in cyber security.

    1. If I ever see a resume with a major in puppetry with a minor in information security, I'll know someone took this advice.