Pennsylvania CISO Fired Over Talk At RSA Conference

An anonymous reader writes "Pennsylvania's chief information security officer Robert Maley has been fired for publicly talking about a security incident involving the Commonwealth's online driving exam scheduling system. He apparently did not get the required approval for talking about the incident from appropriate authorities."

C Level Sec Exec is Fired?

[introspekt.i]

Who fired him? Sounds like he made the wrong people look bad. Rules are rules, I suppose, but if the problem has been fixed, isn't talking about security and attack vectors generally a good thing?

Spill the rest of the beans

[Archangel Michael]

If I were him, I'd start spilling all the info I ever had on security for the state. No amount of money or threats would stop me.

I mean any and every item. I'd expose every stupid supervisory move that compromised security and my ability to protect the network. EVERYTHING would be exposed.

Nothing worse than people getting their panties all in a wad over a "talk" about a well publicized incident, of which all the bad guys already knew about.

There is only one thing these people understand, and that is how to look good. Ruin it for them.

Re:Motormouth failed his talking test?

[OzPeter]

What's the story here? He blabbed on a security issue without approval...

The firing seems heavy-handed. Don't you want your Chief Information Security Officer participating in industry security conferences, selectively sharing the experiences of your organization with security professionals so as to help find long term solutions?

Do you want this happening while there is apparently an on going investigation? There are reasons why there are approval rules and they aren't about old bureaucracy and control freaks

Maybe sometimes, but not always

[Mathinker]

If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.

If the internal security failure lead to your private information being leaked and the possibility of financial loss to you, I think that you might be of the opinion that there should be legislation which deals with disclosure. Actually, there is such legislation in many jurisdictions. And you also have Sarbanes–Oxley stuff which is supposed to encourage whistleblowing.

Some "internal" things are more internal than others....

Re:"Lockdown" is the problem with Security

[chill]

Except this is an ongoing police investigation. There is a difference. And a panel discussion isn't necessarily the best way to network with peers on issues like this. He made a mistake and paid for it. It was a bit harsh, but not totally out of line.

hack or not to hack

[Anonymous Coward]

However, she contested several media reports that have described the incident as a hacking attack, and said that as far as the the department was aware, there had been no hack or breach of the system.

Don't you hate it when people imply that their system was not "hacked" simply because they didn't provide the proper precautions to stop the leaking of internal data or changing database information in a way it was not intended?

According to our current definitions... IT WAS A HACK. Whether something is a hack is not determined by the ease in which they are preformed or the impact size of the damage no matter how minimal.

She is describing "hack" in terms of ramifications.

This is concept is almost as silly as attempting to make breaking DRM code illegal without considering the quality of code or logic/math behind it. For example, I could take code an increment each character. ie: a => b, b => c, ... z => a. and then call this "DRM". Now if any pre-teen tries to run this through their decoder ring to "break it"... they get a free pass to jail.

Re:Motormouth failed his talking test?

[Fjandr]

Every time the media has reported on something I knew about personally, I was always shocked at the number and magnitude of factual errors they made, the twisting of focus away from the main issue.

I agree 110%. The stories I've seen broadcast about events I had personal knowledge of made it so I trust the media story about as much as I'd trust a junkie with the safekeeping of a kilo of heroin.

I was mostly responding to the theory that if someone screws up once in a (seemingly) minor way they are untrustworthy to do anything ever again. Hell, even if they screw up in a major way (assuming something short of gross negligence). If that was the case, there would be almost nobody employed anywhere. The story was taken at face value simply for the sake of argument. It's unlikely that a single person here actually knows the real story to any major degree, so discussion is pretty meaningless without taking it at face value. It all ends up being theory and conjecture anyway.

Re:Motormouth failed his talking test?

[Anonymous Coward]

I work for a state agency in IT. Not a bench tech but up the chain a bit. We have all signed forms saying that we will not divulge anything about our environment - what we run, any breaches, etc. Talking to the media is out of the question. Talking to a group is allowed IF the content is very general. One of our guys talked to the media once (and slammed the state in the process) and got slapped so hard he ended up leaving.

I have to wonder if the person who fired him was a real IT person who would learn from him sharing his story or someone who was appointed after years of doing something else and thought that his talk revealed a hack. I used to work for an IT person who was a social worker and climbed the ranks.