[ISN] Why Bob Maley's Firing is Bad for All of Us

From: InfoSec News <alerts_at_private>
Date: Fri, 12 Mar 2010 00:12:15 -0600 (CST)

By Dennis Fisher
March 11, 2010

The news that Pennsylvania CISO Bob Maley lost his job for publicly 
discussing a security incident at last week's RSA Conference really 
shouldn't come as a surprise, but it does. Even for a government agency, 
this lack of understanding of what actually matters is appalling, and it 
is a glaring example of the sickness of secrecy that has infected far 
too much of the security community.

Maley was the Pennsylvania CISO for four years and essentially started 
the state's information security program from scratch when he took the 
job. He brought the dozens of state agencies and thousands of employees 
into the 21st century with a massive project to install intrusion 
prevention and an identity and access-management system. When he got 
there, Pennsylvania didn't even have a standard desktop OS image. And 
this is a network that was seeing more than a billion security events a 
month in 2007.

As a result of his success in transforming the state's infrastructure, 
Maley became a sought-after speaker and interview subject, a fact that 
led directly to his firing. At RSA, Maley was on a panel that discussed 
security issues facing state governments. During the session he talked 
about a recent incident in which the owner of a driving school in 
Pennsylvania allegedly figured out a way to game the state's motor 
vehicle exam scheduling system in order to get his students to the head 
of the line.

That's it.

Maley didn't give explicit details on the problem and didn't even really 
describe it as a security issue, according to news reports. He simply 
cited it as an example of the issues he deals with every day. And as a 
result he no longer has a job because, as Jaikumar Vijayan reports in 
Computerworld, Pennsylvania has a policy requiring employees to get 
explicit permission to discuss state business publicly.
