Maley Mayhem: Was Firing Justified? Five Perspectives
We asked CSOs and other security execs if the former Pennsylvania CISO deserved to be fired for disclosing an incident at RSA. Here's how five peers view the outcome.
By Bill Brenner, Senior Editor
April 02, 2010 — CSO —
Former Pennsylvania CISO Robert Maley was fired for discussing a security incident during the recent RSA conference without approval from his bosses. Since then, he has been described as everything from a martyr in the cause of full disclosure to a careless exec who should have known better.
Maley said his comments never put the state's data at risk and that he spoke because he wanted to promote the progress the state has made in information assurance. Others, like CSO columnist Ira Winkler, suggested the lesson is that sometimes it's better to keep quiet.
CSO reached out to other security executives and asked if they would have done what Maley did and if, in the bigger picture, he deserved what he got. The majority view was that his firing was justified. Here are five verbatim responses that explain why people feel this way:
Jeffrey Bardin, IT security veteran and CSO blogger
From a purely procedural perspective, i.e., assuming he had signed documents requiring permission to speak on such subjects, then yes he should be fired. On the other hand, all too often CISOs are muzzled to the point where their personal and professional integrity is not only under attack, but expected to break. These become ethical questions that then require great thought and soul searching.
His disclosure is not seen in the security industry as a big deal; just another in a long line of what we see daily and are not allowed to speak of. Some may see this as a major gaffe or breach of conduct. On the other hand, how many other issues is the State of PA hiding (like most organizations) that put the information of their constituency at risk?
Where is the organizational rule that says the CIO must deliver code that is free from defects? How many other internet-facing applications are full of the same or other holes? How do we get them to take responsibility and accountability for delivering code that is defect-free?
Overall, I do not believe he should have been fired for this infraction of organizational rules when I see many in the C-suite grossly violate them regularly without recourse. His firing is just another warning shot to all CISOs that you had best toe the line regardless of what you see. Now that he is fired, I would be interested in a full disclosure of all activities at the State of PA. Where there is smoke there is fire.