Several security executives today expressed surprise over the firing of Pennsylvania's chief information security officer (CISO) , apparently for publicly speaking about a security incident involving the Commonwealth's online driving exam scheduling system without getting the required approvals first.
However, more information would be needed to know what other factors might have led to the action, they added.
Robert Maley was terminated from his job as Pennsylvania's CISO on Monday. According to a source close to the matter, the action stemmed from Maley's participation in a panel discussion at last week's RSA security conference .
During the session Maley mentioned a recent incident in which a Philadelphia-area driving school had gained access to the Department of Transportation's online driver's test scheduling system by exploiting a system "anomaly." The school then used its access to schedule several of its own students for driver's license exams ahead of others in the line.
Maley's disclosure of the incident, without the required clearances, led to his dismissal, the source said. Commonwealth rules require all employees to get approval from the appropriate authorities before they publicly disclose official matters, the source said. Maley was Pennsylvania's CISO for more than four years. A trade magazine had nominated him as one of its candidates for security executive of the year.
A spokesman for Pennsylvania Governor Edward Rendell's office yesterday confirmed that Maley is no longer employed with the Commonwealth. But he refused to confirm if Maley had been terminated, citing privacy rules.
The news of Maley's sudden firing and the apparent reason for it are prompting some to ask if there is more to the story than meets the eye. "When it comes to discussing things publicly I've always had to get permission and have it vetted whether in the private sector or in government," said a former DHS security executive who requested to remain anonymous.
While such vetting is standard protocol, it still seems "pretty harsh to terminate someone's employment," for an infraction of the rule, he said. "It makes you wonder if it is due to [Maley] potentially jeopardizing a criminal investigation or if there are other legal issues they're concerned about."
"It's hard to really know what all of the facts are around this case or if there were other factors at play," the former DHS security executive said.
David Jordan, chief information security officer at Virginia's Arlington County, said that Maley should have known that he could get into trouble for not complying with the vetting requirement. Even so, it's surprising that someone at the level of a CISO would get fired for talking without permission on what was essentially a relatively minor security incident, he said.
There have been other instances in the past where states have suffered far more serious security lapses, and where nothing has happened to the CISO, he said. "It makes me think there's something going on here that we don't know about," Jordan said.
Disobeying a standing rule is often adequate grounds for dismissal, said Alan Paller, director of research at the SANS Institute, a security certification and training organization. But the question that also needs to be asked here is why the Commonwealth has not publicly disclosed the security incident that Maley spoke about at RSA, Paller said.
Rather than try and keep a lid on the incident, "public officials have the responsibility to tell the world [about such events]," Paller said.
Karen Evans, the former de facto federal CIO during the Bush administration, said its normal practice within the government to get approval prior to speaking. "That is a rule in government," Evans said.
In this case, however, it's hard to "render any type of judgment" without knowing what Maley's employment terms were, she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Knowledge Center.
This story, "Security execs express surprise over CISO's firing following RSA talk" was originally published by Computerworld.