Sometimes, You Should Just Keep Quiet

Ira Winkler on why Pennsylvania's CISO firing was no surprise

I have to admit that for a while, I really wasn't sure what I thought about the firing of Robert Maley, the now former Chief Information Security Officer of the Commonwealth of Pennsylvania. The stories varied, but it initially sounded like he was fired for discussing a specific incident during the recent RSA conference. While I think that CISOs should be held to a higher standard, everyone can commit a faux pas. However, the fact is that he knew that by speaking at all, he was violating orders in the first place and could be fired, no matter what he said. That is just outright stupid.

At face value, there is a lot to getting out to a conference and meeting your peers. I find that RSA is much more about catching up with old friends, making contacts, talking with people, and just learning. It is impossible to not learn something at RSA if you're looking. I hope I added something to the event as well.

Also see Winkler's column I Was Wrong: There Probably Will Be an Electronic Pearl Harbor

At the same time, you have to consider that Maley's first responsibility was to his employer from a professional perspective. He was a very senior executive in a government organization. Information coming out of any government agency is controlled by policy for a wide variety of reasons. It is a condition of being in the government.

To a large extent, you are not allowed a personal opinion, and anything you say to the outside world is supposed to be cleared. That is pretty much a fundamental requirement of employment for a government agency. Short of covering up crimes, waste or abuse, there really is no justifiable reason to violate this basic policy, especially for a senior executive.

My first professional experience was at NSA. Discussing anything related to the agency was clearly forbidden by policy. There was the blanket statement we were given, "I can neither confirm nor deny anything." The only other alternative we were given was, "I'll only speak to Andy Rooney." That was it. Then when I left NSA, I was told that everything I wrote or said to the outside world had to be cleared. It frankly wasn't until I left a large organization that I was able to really speak my mind.

After I went back to large companies, I had to work out a deal where I would speak to whomever I wanted to as long as I didn't mention that I worked for the company. At the time, I already had a well-established reputation that was independent of any company that I worked for. That is clearly not the case with Robert Maley, who is possibly only known because of his position with Pennsylvania.

It was good that Maley's interview [with Computerworld's Jaikumar Vijayan] began with him admitting what he did wrong, and why he was fired. Then it went downhill from there.

Specifically, Maley went into how he was there to share his expertise with everyone else. He went into the grandiosity of how RSA attendees were the leaders of the field. I can go on, but if you read the interview, it was all about him presenting his expertise and his experience. It wasn't about him learning or improving the processes in Pennsylvania. He actually said that he wanted to promote the successes of Pennsylvania's security program. However, Pennsylvania told him that they didn't want to be promoted. I came away with the opinion that it was more about him promoting himself.

One of the most telling issues about Maley's side of the story is the actual result of the talk. I didn't see one article or hear a single comment about anything insightful that Maley had to say. He didn't provide any real value to the attendees. The only thing we heard about is a security failing of Pennsylvania. I cannot find one unique thing that a company can take away and implement to improve its security posture that it could not have otherwise found. Again, the only thing that came out of the talk was Maley promoting himself as a speaker.

In my opinion, one of the most fundamental abilities a security professional must have is good judgment. It is more important than technical knowledge. After all, security people are supposed to be examples for others, so they should be able to walk the walk. This ability is even more critical for a CISO.

Knowing that you were forbidden from talking about your work at a conference, and then specifically going out and doing so anyway, clearly demonstrates poor judgment, if not outright defiance.

Copyright © 2010 IDG Communications, Inc.