Security execs express surprise over CISO's firing following RSA talk

Say more information needed on why Pennsylvania really fired Maley, however

Several security executives today expressed surprise over the firing of Pennsylvania's chief information security officer (CISO), apparently for speaking publicly about a security incident involving the state's online driving exam scheduling system without getting prior approval to do so.

However, more information would be needed to know what other factors might have led to the action, they added.

Robert Maley was terminated from his job as Pennsylvania's CISO on Monday. According to a source close to the matter, the action stemmed from Maley's participation in a panel discussion at last week's RSA security conference.

During the session, Maley mentioned a recent incident in which a Philadelphia-area driving school had gained access to the Pennsylvania Department of Transportation's online system for scheduling drivers tests by exploiting a system "anomaly." The school then used its access to schedule several of its own students for driver's license exams ahead of others in the queue.

Maley's disclosure of the incident without first receiving required clearances from his superiors led to his dismissal, the source said. State of Pennsylvania rules require all employees to get approval from the appropriate authorities before they publicly discuss official matters, the source said. Maley was Pennsylvania's CISO for more than four years. A trade magazine had nominated him as one of its candidates for security executive of the year.

A spokesman for Pennsylvania Gov. Edward Rendell's office yesterday confirmed that Maley is no longer employed with the Commonwealth. But he refused to confirm whether Maley had been terminated, citing privacy rules.

The news of Maley's sudden firing and the apparent reason for it are prompting some to ask if there is more to the story than meets the eye. "When it comes to discussing things publicly, I've always had to get permission and have it vetted whether in the private sector or in government," said a former security official at the U.S. Department of Homeland Security, who asked to remain anonymous.

While such vetting is standard procedure, it still seems "pretty harsh to terminate someone's employment" for an infraction of the rule, he said. "It makes you wonder if it is due to [Maley] potentially jeopardizing a criminal investigation or if there are other legal issues they're concerned about."

"It's hard to really know what all of the facts are around this case, or if there were other factors at play," the former DHS official said.

David Jordan, chief information security officer for the Arlington County government in Virginia, said that Maley should have known that he could get into trouble for not complying with the vetting requirement. Even so, it's surprising that someone at the level of a CISO would get fired for talking without permission on what was essentially a relatively minor security incident, he said.

There have been instances in the past where states have suffered far more serious security lapses but nothing has happened to the CISO, he said. "It makes me think there's something going on here that we don't know about," Jordan said.

Disobeying a standing rule is often adequate grounds for dismissal, said Alan Paller, director of research at the SANS Institute, a security certification and training organization. But the question that also needs to be asked here is why the state of Pennsylvania has not publicly disclosed the security incident that Maley spoke about at the RSA conference, Paller said.

Rather than try and keep a lid on the incident, "public officials have the responsibility to tell the world [about such events]," Paller said.

Karen Evans, the former de facto federal CIO in the George W. Bush administration, said it's normal practice within the government to get approval prior to speaking. "That is a rule in government," Evans said.

In this case, however, it's hard to "render any type of judgment" without knowing what Maley's employment terms were, she said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
 
Shop Tech Products at Amazon