Pennsylvania CISO Fired Over Talk At RSA Conference
An anonymous reader writes "Pennsylvania's chief information security officer Robert Maley has been fired for publicly talking about a security incident involving the Commonwealth's online driving exam scheduling system. He apparently did not get the required approval for talking about the incident from appropriate authorities."
Firing the guy will absolutely convince the public that you've fixed your security problems.
The same reason I don't want nuclear regulators getting fired for admitting when there was a heavy water leak into an aquifer.
Careless talk can lead to image problems and/or lawsuits (or harm your case if prosecuting them). If you're in a senior position and you talk publicly in a work-related context, you talk on behalf of the organisation whether you intend to or not. OTOH, if you are "blowing the whistle" on wrongdoing, there is a specific procedure for that which offers protection.
If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.
Now all your remaining security issues will fix themselves. But, don't worry, I'm sure Robert Maley will be happy to help you out - at 5 times what you were paying him.
Pain is merely failure leaving the body
The firing seems heavy-handed. Don't you want your Chief Information Security Officer participating in industry security conferences, selectively sharing the experiences of your organization with security professionals so as to help find long term solutions? Who knows... maybe he shared some sort of special classified/secret/private data that he really ought not to have, but it sounds like good old bureaucracy + control freaks at the top who think it's all about militaristic need-to-know.
-1, Too Many Layers Of Abstraction
This is probably one of the most specious arguments anyone ever trots out about someone breaking (or overlooking) a rule, especially in organizations known for coming up with rules for every single thought or action one engages in (e.g. a bureaucracy). Unless the incident was actually ongoing, or had the potential to risk the security or integrity of the systems it was his job to oversee, talking about a past incident germane to the topic of the conference is what people do at conferences. That's the entire point. Yes, he violated a minor rule. "Oh lordy lordy, who will he kill next?" is not really the best response to the situation.
Governments (and bureaucracies) tend not to fix anything like that until they have to.
Public outcry over the situation is one way to increase the 'have to' value.
Also, keeping problems secret has always been a major dodge for not having to deal with an issue.
There is a distinction between "acknowledgment" of an already known problem and the "announcement" of a brand new one. Hackers know about the problem already, and apparently it was widely known how to game the system, so this was only an acknowledgment. The CISO didn't reveal anything new, although it was apparently new to this particular audience.
By making future CISOs afraid for their job, the governor has poisoned the CISO's ability to actually perform their duties.
John
Do you really want the taxpayers having the root password?
I'll give them to you. There are actually two root passwords to the Constitution: "terrorism" and "child pornography". By using either password, you can bypass any of the security protections or protocols built into the document, and you can invalidate its signatures.
John
Howard County, Maryland (back when I was living there -- might be many other places like this, too) decided to make the local parks "trash free." By removing the trash cans. I leave the results as an exercise for the reader ;)
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5