Transparency in the security industry is more an ideal than a reality.
Just ask Bob Maley, who served as the state of Pennsylvania's CISO – until he ran into trouble with higher-ups over publicly disclosing some of the security goings-on within his own state.
The turning point came last February at the RSA Conference in San Francisco. Maley was sharing the stage with fellow CISOs from California, Colorado and Nevada during a panel titled "The Front Lines: Cybersecurity in the States." The discussion focused on challenges they faced, the evolving nature of their state cybersecurity programs, and how government and industry are working together to make a difference.
Maley, a former police officer, had gained respect in the security industry as a result of his success in transforming his state's infrastructure, and had become a sought-after speaker and interview subject. At RSA, he shared an investigation unearthed within the Pennsylvania Department of Transportation. Maley told the audience that a hacker, who owned a driving school in Philadelphia, used a proxy server in Russia to mask his identity and then exploited a system bug so he could schedule driving exams for his students, jumping them to the head of a line, which normally involved a waiting list of up to six weeks.
In attempting some transparency to improve strategies within the security community, Maley went against a policy requiring that employees obtain explicit permission before discussing state matters publicly. The man who was instrumental in developing a statewide strategy for preventing data-leakage incidents after some 500,000 state records were compromised in 2007 soon found himself out of the post he held for five years.
At his session at SC World Congress, "Data protection strategy," to be held at 9 a.m. on Nov. 10, Maley – who was a finalist for SC Magazine's CSO of the Year award in 2009 – will detail many of the problems he faced in his state and explain how those challenges were mitigated. He also will present tangible ways attendees can create and execute major cybersecurity strategies – even with a shoestring budget.
"I'm very big on intelligence gathering, knowing what the bad guys are doing ahead of time," Maley told SC Magazine in a July cover story. "We developed a multifaceted program that has a lot to do with being very proactive. Anybody who believes they're never going to have a potential breach is kidding themselves. Data is so ubiquitous today."
At his session, Maley plans to offer specific, useful technologies to be used in the fight to keep confidential data protected.