What happened to Tulsa’s CIO could happen to you

Tulsa CIO Tom Golliver kind of reminds me of Chief Brody in the second JAWS movie. He sees what he thinks is a Great White, yells at everyone to get out of the water and fires away at what turns out to be a school of bluefish.

In this case, the shark Golliver saw was an apparent data breach, and the school of bluefish was a security company that was merely testing the city’s network for holes.

The comparison ends there. Unlike Brody in JAWS 2, it’s far from certain that the real menace — an actual breach — will ever surface to vindicate Golliver as the shark did in the movie. By all accounts, the city seems to be doing the right things as it investigates what happened. Here’s the basic story from Tulsa World:

Tulsa’s chief information officer, Tom Golliver, was placed on paid administrative leave Monday after it was revealed that the city’s website hadn’t been hacked after all. A third-party security firm that was hired to do periodic, unannounced tests of the city’s networks for vulnerabilities used an “unfamiliar testing procedure” last month that city IT personnel misinterpreted as an unknown breach, according to a city statement. The city’s website was offline for more than two weeks as an investigation was conducted and additional security measures were taken. Some website functions, such as the public meeting agenda postings, are still not working.Read more from this Tulsa World article at http://www.tulsaworld.com/news/article.aspx?subjectid=334&articleid=20121002_11_A1_CUTLIN325691

City officials didn’t realize that the apparent breach was caused by the security firm, Utah-based SecurityMetrics, until after 90,000 letters had been sent to people who had applied for city jobs or made crime reports online over the past decade, warning them that their personal identification information might have been accessed. The mailing cost the city $20,000, officials said. The letters encouraged those contacted to closely monitor their credit reports for suspicious activity.

Some or all of you will give me a verbal lashing for this, but I have to say it: I feel bad for Golliver.

It was indeed a costly false alarm for the city, but isn’t a false alarm better than no alarm when the real attack comes?

There are different angles from which to explore this. On the one hand, you could argue that there can be no mercy for the guy who oversees a false alarm, because the city’s reputation was twice tarnished: first, when the public was made to think a breach happened; then when the false alarm left officials with egg on their faces. But one could also argue that the Incident response worked as designed, going off at the first sign of trouble.

Of course, it does look foolish when you see abnormal activity and don’t check first to see if it’s from the company you hired do test network defenses.

That should be a valuable lesson for Golliver going forward, whether he gets his job back or ends up someplace else. I can see him giving a presentation on what happened and what he learned to a packed audience at some future security conference.

My hope is that this doesn’t turn out to be a career killer for the man. As zany as this was, the department at the time was doing what it thought was right.

Money was wasted in the end, but I’ll bet that if you examined the balance sheet of Tulsa or anyplace else, you’d find a lot more wasteful spending on things far more outlandish.