Editorial: Sometimes Honesty Doesn’t Pay

Pennsylvania's CISO was dismissed for failing to obtain permission before discussing a security incident

Honesty – it’s a worthy virtue, almost without a doubt. But Bob Maley was honest, and it got him fired. For those of you who don’t know Bob Maley, he’s the former CISO of the Commonwealth of Pennsylvania. That is, until his dismissal shortly after the RSA Conference in March. His story is a cautionary tale of what can happen when sharing information with peers, especially if you work in the public sector.

By all accounts, Maley is responsible for building Pennsylvania’s IT infrastructure from the ground up, implementing security protocols that simply did not exist before his arrival. He and his department are the recipients of numerous commendations and awards in the field of IT security, and his ability to deliver results has never, to my knowledge, been placed in question.

The Pennsylvania CISO attended the RSA Conference and, according to Maley, did so on his own dime, as the commonwealth has issued a moratorium on such travel to help ease its financial burdens during the fiscal crisis. Nevertheless, as an employee of Pennsylvania, Maley was still responsible for statements he made during a conference panel in which he reportedly shared information on a security ‘anomaly’ in the state’s driver testing system.

According to Maley, the information he conveyed at RSA was freely available to the public. He shared the information, he claims, in order to inform his colleagues, and therefore contribute to the body of knowledge that is of interest to all security professionals.

"Letting go of one of the truly great professionals in the field is a disservice to Bob Maley, to the Rendell administration, to the security profession, and, most of all, to the residents of Pennsylvania"

As a reward for his frank and open discussion of this security incident, Maley was promptly dismissed by the commonwealth when he came back to work, due in part to the fact that he discussed state business without obtaining prior approval.

Honesty, openness, sharing of information – these were all common themes that I heard over and over again from the security community that gathered at RSA, and they are topics that have come up over and over again in my time here with Infosecurity US thus far.

So, I reiterate – Bob Maley was honest, open, and he shared information on a security issue, and this type of behavior, so often lauded by professionals in this industry, led to his dismissal.

I couldn’t help but wonder why such drastic measures were taken by Governor Ed Rendell and his administration. After all, the information Maley shared was part of the public domain, and as a servant of the people, he surely has a right to impart this knowledge, no matter the audience.

To his credit, Maley acknowledges that he was wrong to discuss the issue without seeking approval from the administration he served. He did not attempt to pass the blame, or call out the Rendell administration for any differences the two sides may have had. Regardless, in a society that often jokes about the ineffectiveness of its public servants, letting go of one of the truly great professionals in the field is a disservice to Bob Maley, to the Rendell administration, to the security profession, and, most of all, to the residents of Pennsylvania, who no doubt deserve the best person to secure the state’s vital IT infrastructure.

Although I’m speculating, it’s likely that Maley will obtain future employment in the private sector, as his accomplishments will no doubt land him another role in a security capacity. I can’t help but wonder, however, what he’ll do next time he is faced with the question of whether to share information on a security issue with peers in the industry. No doubt he will think twice, and perhaps he will choose not to be as honest and open. But, I could be wrong. For now, Bob Maley is a paragon for openness in the information security industry, and we should all be thankful for his example.


Drew Amorosi is the US Bureau Chief for Infosecurity
