
More Provocative Reasons for a Mandatory National Breach Disclosure

Fergie

I read, with some small amount of discomfort, an article by Bill Brenner on CSO Online, wherein he interviewed several other CSOs and other "Security Execs" on their opinions on the firing of Pennsylvania CISO Robert Maley. For those who haven't heard about this, Mr. Maley was fired for talking about a security incident during the recent RSA conference without approval from his bosses.

The first thing that struck me was the "toe the line" posture by everyone interviewed — but then again, I agree that in a position such as the one Mr. Maley held as CISO, speaking publicly about the incident certainly violates aspects of confidentiality that his job may have required.

The second thing that struck me, of course, was that if a mandatory U.S. National Breach Disclosure law existed, Mr. Maley would not have found himself in such a position to begin with.

Another issue which falls within this controversy is large corporations which try to keep secret the fact that they were involved in serious IT security breaches, and keep their customers in the dark.

We are seeing more and more cases of unauthorized information disclosure day after day, month after month, year over year in all areas — finance, health information and medical records, and other sorts of personal identity theft.

We are long overdue for a national breach disclosure law which makes it mandatory for companies and other organizations to publicly disclose that these incidents have occurred. Long overdue.

I would appreciate hearing thoughts from readers on this issue — please leave your comments.

By Fergie, Advanced Threats Researcher, Emerging Threats & Operational Intelligence. Visit the blog maintained by Fergie here.


Comments

The right call for the wrong reasons..... Michael Hammer  –  Apr 12, 2010 7:28 AM PDT

Fergie makes the right call for the wrong reasons. While I was generally aware of the firing of Robert Maley, I didn't go looking for the details until after reading Fergie's post.

Mr. Maley was apparently let go for speaking on the topic after being specifically told (after a previous incident) that he was required to get prior approval. The fact that he was technically on vacation further muddies the waters. It appears that under the circumstances Mr. Maley would have had an issue even if there were a breach notification law in place.

I'm speaking as someone who is required to get prior approval when speaking about anything related to my employer. There are two media contacts for our organization and anyone else (including executives) has to go through the appropriate process.

Presenting at a conference is not the same as breach notification.

Fergie is correct though that there is a need for stronger breach notification laws - what happened with Mr. Maley is the wrong reason to justify strengthening notification and disclosure laws.
