Pa. CISO Unfairly Fired
By Tony Kontzer
I'm writing today to bring your attention to the case of Bob Maley. In case you haven't heard--and you probably haven't, since very few IT news outlets have picked up on this--Maley was the chief information security officer for the state of Pennsylvania until this week, when he apparently was let go for comments he made during a presentation at last week's RSA IT security conference in San Francisco.
What were Maley's offending remarks, you may ask? It seems he shared information about an incident last month in which a driving school in Philadelphia hacked into the Pennsylvania Department of Transportation's scheduling system, booking up swaths of appointments in an attempt to gain an advantage over the competition. Only problem is, the Pennsylvania DOT says no hack occurred, though a spokeswoman reportedly acknowledged that state law enforcement officials are investigating an "anomaly."
The incident came to light when Eric Chabrow, managing editor of Government Information Security (and former editor of CIO Insight), reported Maley's comments on his blog, "The Public Eye." I only found out about the whole affair when I happened to log onto Twitter at the right moment to see a post from danielkennedy74--himself a CISO--that can't be shared in our family-friendly format. Kennedy's irritation with the development was reflected in dozens of other posts on the topic Wednesday.
Let this blogger join the chant: whoever made the decision to fire Maley was dead wrong. It's not that I don't understand the thinking. Yes, Maley may have spoken out of turn and embarrassed the Pennsylvania DOT, but he did so in the name of enlightenment. He did so in an effort to help other CISOs make better decisions about protecting their own IT domains. He did so because he thought he was doing the right thing.
Mr. Maley, if it helps, I think you did do the right thing. Remember, the very conference at which you made your comments featured a series of federal government officials all calling for more cooperation from the private sector if the IT community is to get the upper hand on cyber criminals. And I don't believe that should only refer to companies cooperating with the Feds. It should also mean companies cooperating with each other, by sharing information on attacks, opening up best practices, and not living in fear that merely discussing an exposed vulnerability will invite more attacks.
In fact, Mr. Maley, your first call should be to Homeland Security Secretary Janet Napolitano. I hear she's looking for some IT security help, sharing encouraged.