By Dennis Fisher
March 11, 2010
The news that Pennsylvania CISO Bob Maley lost his job for publicly
discussing a security incident at last week's RSA Conference really
shouldn't come as a surprise, but it does. Even for a government agency,
this kind of lack of understanding of what actually matters is appalling
and it is a glaring example of the sickness of secrecy that's infected
far too much of the security community.
Maley was the Pennsylvania CISO for four years and essentially started
the state's information security program from scratch when he took the
job. He brought the dozens of state agencies and thousands of employees
into the 21st century with a massive project to install intrusion
prevention and an identity and access-management system. When he got
there, Pennsylvania didn't even have a standard desktop OS image. And
this is a network that was seeing more than a billion security events a
month in 2007.
As a result of his success in transforming the state's infrastructure,
Maley became a sought-after speaker and interview subject, a fact that
led directly to his firing. At RSA, Maley was on a panel that discussed
security issues facing state governments. During the session he talked
about a recent incident in which the owner of a driving school in
Pennsylvania allegedly figured out a way to game the state's motor
vehicle exam scheduling system in order to get his students to the head
of the line.
Maley didn't give explicit details on the problem and didn't even really
describe it as a security issue, according to news reports. He simply
cited it as an example of the issues he deals with every day. And as a
result he no longer has a job because, as Jaikumar Vijayan reports in
Computerworld, Pennsylvania has a policy requiring employees to get
explicit permission to discuss state business publicly.