Pennsylvania CISO Fired Over Talk At RSA Conference
An anonymous reader writes "Pennsylvania's chief information security officer Robert Maley has been fired for publicly talking about a security incident involving the Commonwealth's online driving exam scheduling system. He apparently did not get the required approval for talking about the incident from appropriate authorities."
Firing the guy will absolutely convince the public that you've fixed your security problems.
(had to make sure I hit the "Post Anonymously" button...)
I'm one of many server administrators for LUTX, the (US) Federal Government IT "swat team" that was put in place during the Clinton Administration. One day I was working on a code-blue 456 system using the X-K-Red-27 technique and suddenly a bunch of drunken Canadians broke in and tried to SSH the HTTPS server. Well, as you can imagine, all hell broke loose and we had to double-slot the uranium deuteride fast on the flip-flop before the Russkies could notice.
I hope I don't get fired for sharing this amazing story with Slashdot
The same reason I don't want nuclear regulators getting fired for admitting when there was a heavy water leak into an aquifer.
Seeing as careless talk can lead to image problems and/or lawsuits (or harm your case if prosecuting them). If you're in a senior position and you talk publicly in a work-related context, you talk on behalf of the organisation whether you intend to or not. OTOH if you are "blowing the whistle" on wrongdoing, there is a specific procedure for that which offers protection.
The important paragraph in TFA:
"Maley's dismissal comes amid ongoing budget and staff cuts at Pennsylvania's IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed."
Now there's a good plan: If you don't talk about it, no one will know you have a problem, and you can save all that money you were spending on those annoying security types.
The firing seems heavy-handed. Don't you want your Chief Information Security Officer participating in industry security conferences, selectively sharing the experiences of your organization with security professionals so as to help find long term solutions? Who knows... maybe he shared some sort of special classified/secret/private data that he really ought not to have, but it sounds like good old bureaucracy + control freaks at the top who think it's all about militaristic need-to-know.
-1, Too Many Layers Of Abstraction
Apples and oranges, one is a health risk, one isn't.
Which one is it?! Who knew picking from the fruit basket would be like playing Russian roulette?
Give me Classic Slashdot or give me death!
If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.
If the internal security failure led to your private information being leaked and the possibility of financial loss to you, I think that you might be of the opinion that there should be legislation which deals with disclosure. Actually, there is such legislation in many jurisdictions. And you also have Sarbanes–Oxley stuff which is supposed to encourage whistleblowing.
Some "internal" things are more internal than others....
There is a distinction between "acknowledgment" of an already known problem and the "announcement" of a brand new one. Hackers know about the problem already, and apparently it was widely known how to game the system, so this was only an acknowledgment. The CISO didn't reveal anything new, although it was apparently new to this particular audience.
By making future CISOs afraid for their job, the governor has poisoned the CISO's ability to actually perform their duties.
John
Do you really want the taxpayers having the root password?
I'll give them to you. There are actually two root passwords to the Constitution: "terrorism" and "child pornography". By using either password, you can bypass any of the security protections or protocols built into the document, and you can invalidate its signatures.
John