Fired Pennsylvania CISO Speaks Out
Robert Maley sounds a bit contrite and defiant at the same time.
Maley served as Pennsylvania's chief information security officer until a couple of weeks ago, when his bosses fired him upon his return to Harrisburg from San Francisco, where he spoke publicly about a system vulnerability as a panelist at the RSA Conference 2010, violating a state policy.
Maley contended his remarks never put the commonwealth's data or systems at risk. He said the vulnerability he spoke of - the exploitation of a state driver's test scheduling system that was first reported in this blog - was fixed by the time he appeared at RSA. Still, in an interview with Computerworld, Maley admitted he was wrong to speak on the IT security conference's panel with other state CISOs without receiving the blessing from his bosses back in Pennsylvania:
"They terminated me. I was specifically asked not to talk about anything in Pennsylvania without explicit permission and to have everything that I would say to be completely reviewed before I said it. So yeah, they told me that, and, yup, I was wrong ultimately doing that."
When asked what message his firing sends to other CISOs, Maley replied:
"I've read a couple of comments in various blogs (again, including this one) about the perceived message. It's a challenge in the balance. In the private sector, the CSOs are responsible to the board and to the stockholders. I think the stockholders in the public sector are the citizens. I think citizens have a right to know about what their government is doing to keep their information safe. Obviously, talking about a vulnerability that exists in a system is bad. If we know about a vulnerability, well, then we need to fix it. But if the information we share with our peers can help others improve their security posture, then I find significant value in that."
Later, Maley addressed the importance of being able to share insights about IT security with his colleagues:
"I remember back three years ago nobody would talk about any security problems. ... That seems to be starting to change. The fact that this incident has gotten some people talking I hope will keep the issue on the table, and I hope we can find ways that we can share incidents like this successfully with our peers. I hope we can be more open about what's really going on to benefit the good guys, because I think the bad guys have no problems sharing information with each other."
What's wrong here isn't that Maley spoke up or that he violated a state rule. What's wrong is the policy itself. It's a ridiculous rule for someone in such a responsible position.
Maley got his job because someone in Pennsylvania's hierarchy recognized his talent and presumably his judgment to run a highly sensitive operation. They trusted him to do an important job, which apparently he did well, and they should have trusted his judgment to decide when and when not to speak about state information security incidents.
Policies such as the one that got Maley fired do more harm than good. As he pointed out, information security professionals need to find more ways to share experiences and ideas. Pennsylvania should do two things: change its policy and rehire Maley.