I met Bob Maley a year ago at Black Hat when a mutual friend introduced us. I'd learned about him 18 months earlier when former colleague Dennis Fisher interviewed him in the pages of Information Security magazine. His was a noteworthy story; Maley, CISO of the state of Pennsylvania at the time, built the state's information security program from nothing. In four years on the job, Maley oversaw an overhaul of ancient security policies for the state's 47 agencies. He brought in intrusion prevention technology to the state's networks and introduced identity and access management in order to get a handle on who was doing what with the state's digital assets. He did outreach with the security community in order to stay abreast of what was happening in a very fluid environment, and took what he learned to best introduce security concepts to the state government culture.
And that outreach cost him his job and smudged all that good work.
Maley took part in a panel at the recent RSA Conference alongside other state CISOs. He made a mistake during the discussion and talked about someone circumventing a state Web application to send driver's license applicants to a particular driving school that said it would facilitate quicker license exams. Reports say Maley shared very little detail about the intrusion and only did so in order to illustrate a point he was making on the panel.
According to state spokespeople, this is a policy violation; state officers must get permission to publicly discuss state matters. This trip-up apparently cost Maley his job. Looking beyond the tragedy this is to Maley and his family, this is a travesty for the information security industry. Talk about taking two steps backward. The irony of the situation is that the conference room where Maley made his misstep was a scant hundred yards away from the keynote room where none other than cybersecurity coordinator Howard Schmidt and FBI director Robert Mueller made very public pleas for information sharing for the greater good.
Yeah right. Nice try. Tell that to Bob Maley.
The short-sighted people responsible for Maley's dismissal have stuck a dagger in the sharing business and the greater good business. Why would any of you dare sit on a panel and talk about attacks, disclosure, research or anything else that teeters on the line of titillating? Why would you, if you're Google for example, blog about the Aurora attacks or the Chinese hacking into Gmail accounts? If you're Adobe, why talk about a foreign government trying to poke around your source code? If you're a defense contractor, could you imagine again sharing details about stolen jet fighter blueprints? Nope. Look at what happened to Bob Maley. "That's not happening to me," you'd collectively say. And no one would blame you.
Now let's not relieve Maley of blame; he screwed up. He violated policy. But is it a firing offense? Take him out to the figurative woodshed and let him have it behind closed doors. Make it understood that this isn't the way to do things, sure. Suspend him if you must. But to let him go and send this message is unconscionable. It wasn't thought through. And it illustrates the disconnect that still exists between information security and decision makers. It illustrates that companies and governments, no matter their size, still don't put a premium on information security.
I'd imagine Bob Maley made a difference to the state of Pennsylvania. And he was trying to make a difference to his profession. But the management that's supposed to support him let him down and let him go. Misguided decision makers and bureaucracy got in the way of a security professional doing his job--again. Just when we think we're taking steps forward in information security…
Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to firstname.lastname@example.org.