We asked CSOs and other security execs if the former Pennsylvania CISO deserved to be fired for disclosing an incident at RSA. Here's how five peers view the outcome.

Pennsylvania CISO Robert Maley was fired for talking about a security incident during the recent RSA conference without approval from his bosses. Since then, he has been described as everything from a martyr in the cause of full disclosure to a careless exec who should have known better.

Maley said his comments never put the state's data at risk and that he talked because he wanted to promote the success the state has had in the information assurance world. Others, like CSO columnist Ira Winkler, suggested the lesson is that sometimes it's better to keep quiet.

CSO reached out to other security executives and asked if they would have done what Maley did and if, in the bigger picture, he deserved what he got. The majority view was that his firing was justified. Here are five verbatim responses that explain why people feel this way:

Jeffrey Bardin, IT security veteran and CSO blogger

From a purely procedural perspective, i.e., assuming he had signed documents requiring permission to speak on such subjects, then yes, he should be fired. On the other hand, all too often CISOs are muzzled to the point where their personal and professional integrity is not only under attack, but expected to break. These become ethical questions that then require great thought and soul searching.

His disclosure is not seen in the security industry as a big deal; just another in a long line of what we see daily and are not allowed to speak of. Some may see this as a major gaffe or breach of conduct. On the other hand, how many other issues is the State of PA hiding (like most organizations) that put the information of their constituency at risk? Where is the organizational rule that says the CIO must deliver code that is free from defects? How many other internet-facing applications are full of the same or other holes? How do we get them to take responsibility and accountability for delivering code that is defect free?

Overall, I do not believe he should have been fired for this infraction of organizational rules when I see many in the C-suite grossly violate them regularly without recourse. His firing is just another warning shot to all CISOs that you had best toe the line regardless of what you see. Now that he is fired, I would be interested in a full disclosure of all activities at the State of PA. Where there is smoke there is fire.

Rafal Los, Chicago-based security specialist

Unless you're a whistleblower, you keep your mouth shut and toe the line. If you take a job that has very specific rules, you don't get to whine about it once you break them, no matter how important you are to the community. The fact is, the guy should have kept his mouth shut, or at least not thought of himself as so important to RSA attendees.

Ron Baklarz, CISO at Amtrak

I have to agree that Maley was not authorized to discuss matters relating to an ongoing investigation. From what I read, the alleged "hack" was really a system anomaly within a specific system (e.g., putting in a 9/9/9999 date, which defaulted to today's date). If this is accurate, Maley's disclosure didn't add much, if anything, to alerting the community to any sort of heinous and common vulnerability that we all should be aware of — other than shoddy coding practices. In other words, there really wasn't any actionable intelligence to be gleaned from his disclosure.

Bob West, CEO of Echelon One and former CISO at Fifth Third Bank

It all depends on what was in his agreement. As a matter of principle, a CISO shouldn't be fired after a security breach unless there was negligence on the CISO's part. In the legal community, general counsels don't get fired after their company is sued and, in a similar vein, they can't prevent lawsuits from happening. Their responsibility is to create the right legal environment and work with their executive team to minimize the legal risks they face. The decision to accept the risk, mitigate it or transfer it is a business decision, and the general counsel never accepts the risk.

Similarly, the CISO can't prevent security breaches but can do what is commercially reasonable for the corporation. The CISO should be advising the executive team and board about the technology risks they face. As with legal risk, the business should be making the decision about absorbing the risk. Businesses exist to make money, and in order to make money businesses need to take risks. The risks need to be calculated, and that's where the CISO comes in. The CISO needs to coach the business, but it's the business that needs to make general technology risk decisions.

Martin Fisher, manager of the Computer Security Incident Response Team at Delta Airlines

Maley deliberately revealed and discussed issues involving his employer at a conference where he was not pre-cleared to speak – that's it. He took a risk and lost his job – just like someone on his staff would have.

This isn't about CISOs being muzzled or being held responsible for breaches (what he reported wasn't even a breach – just some badly behaving code); it's about a senior executive not following the rules.

As information security leaders we *must* abide by the rules. And when we choose to violate the rules we *must* accept the consequences.

To Maley's credit, he hasn't (as far as I know) tried to escape responsibility for his decision, and I laud him for that.