Shostack + Friends Blog Archive


Lessons from Robert Maley's Dismissal

A bit over a week ago, it came out that “Pennsylvania fires CISO over RSA talk.” Yesterday Jaikumar Vijayan continued his coverage with an interview, “Fired CISO says his comments never put Penn.’s data at risk.”

Now, before I get into the lessons here, I want to point out that Maley is the sort of enthusiastic guy who used vacation time to speak at RSA. If you’re looking for a CSO or a leader, you should get in touch.

I think there are two important things to notice here. First, when you’re specifically asked not to speak, don’t speak: “I was specifically asked not to talk about anything in Pennsylvania without explicit permission and to have everything that I would say to be completely reviewed before I said it.” Regular readers know this pains me as an advocate of openness. However, it’s not your data, it’s your employer’s data. Treat it with discretion.

The second, and more interesting, thing is that the firing is news. Things that happen regularly are only news on the Weather Channel. So can we jump to “someone getting fired for speaking up is actually rare”? Job loss is one of the more challenging questions that I regularly hear. It’s scary, doubly so in today’s fiscal climate. Firing is personal. And we don’t really know how often it happens. A lot of the anecdotes are simply inaccurate. Getting data involves a lot of manual effort and the accuracy is low. I’ve done some of it, digging into web sites and looking at profiles on LinkedIn, and seen very little evidence that breaches or breach disclosures lead to firings.

I can see three somewhat distinct hypotheses here:

  1. Firings are rare, and thus news
  2. Firings of executives are rare, and thus news
  3. Firings are usually covered up, and thus when they’re not, it’s news

Note that 2 (execs) is strictly a subset of 1 (all firings), and thus less likely as an overall explanation, but firing rates probably differ for execs and staff.

It would be great to have data to help us distinguish, but for now, I consider advocating for #1 a best practice.