Pennsylvania CISO's dismissal not in good judgment

The information security industry took a step back this week with news that the CISO of the state of Pennsylvania, Bob Maley, lost his job, likely over remarks he made during a panel discussion last week at the RSA Conference.

In an industry where information sharing is widely agreed upon as one of the paramount ways to combat the world's cybercriminal element, it is truly upsetting to see a security pro lose his job over doing just that.

Although a spokesman for the Pennsylvania governor wouldn't admit it, that is exactly what appears to have caused Maley's departure from a role he held for five years.

On a panel at the RSA show last week, on which he was joined by three other state CISOs, Maley offered details about a recent intrusion affecting the state's Department of Transportation website. He didn't get too specific, but it was specific enough to surely prove instructive to the scores of conference attendees in the audience.

He described, according to a report on govinfosecurity.com, how the owner of a driving school in Philadelphia used a Russian-based proxy to hide his identity as he exploited a vulnerability so that he could schedule his students for driving exams. (The wait list to take the test usually runs up to six weeks).

Maley, an SC Magazine CSO of the Year finalist, has always been a candid, shoot-from-the-hip kind of guy. I learned this from our conversation last summer when I interviewed the former cop for a cover story on data breach response. For the story, he recounted a number of breaches that have affected the state, rarely holding back details.

I'm assuming that this particular incident touched a nerve with state officials because the hacking was relatively recent, and there was still an investigation underway.

But even so, I find the firing to be counterproductive to what the security community is attempting to accomplish. The key to winning the battle against sophisticated hackers is with details and anecdotes, exactly what Maley appears to have been doing. Speaking generally just doesn't cut it, not in this industry. And especially not at the world's premier gathering of information security professionals — one of the few times in the year when practitioners get together to swap stories on life in the trenches.

It's a shame, too. We were only just applauding Google for its transparency over the China attacks. Many had lauded the internet giant for coming clean about being the victim of a massive intrusion.

We seemed to be turning a corner...and then this.

In 2010, remaining mum, or too close to the vest, about incidents benefits nobody. Every organization in the country is being probed on a daily basis. Vulnerabilities are going to be there. Hacks are going to happen. Data is going to be exposed. The criminals are going to be one step ahead. Let's move on from this prevailing wisdom that any one organization is immune from attack.

Once we do that, and only then, can we take back the internet.
