Want to be a Great Security Leader? You Need a Great Lawyer

Information security continues to evolve as a profession, and this is certainly evident in the role that legislation, privacy, third-party risk and incident management play in the daily life of the information security leader. More often, as I meet with clients to discuss security strategy and risk, security leaders are struggling with the myriad of compliance requirements, various state and national privacy laws, and their relationship with the information security program. Nowhere is this more prevalent than in conversations related to the European Union General Data Protection Regulation (GDPR) which goes into effect on May 25, 2018. In many of these conversations, another important stakeholder is present on a more frequent basis: Corporate Counsel. This is a positive development for our industry, and as cyber security professionals we should embrace this evolution of both our role and the role of legal professionals in our work.

Hear No Legalese, Speak No Cyber Security

As cyber security professionals, we’re often first in line to interpret new legislation and its applicability to our information security program, applicability to our industry, and other considerations. I myself in the early years of HIPAA, Sarbanes-Oxley and FISMA spent time pouring through these laws in order to help answer questions about how a particular piece of legislation would affect my organization. Equally in common was getting questions from corporate counsel regarding what security capability we had in place to help with a particular legal requirement. My first real exposure to the interface between the legal and cyber security profession was in dealing with the requirement for litigation holds, which used to be a monumental challenge from a technology point of view and was a critical requirement coming out of the legal department. What I learned during this time was that cyber security professionals and lawyers have one very interesting trait in common: Neither one of our professions speak English as a native language. Our professions are full of jargon which is incomprehensible to the lay person and professionals outside our vernacular. It became obvious that I had obligations as a cyber security professional to learn how best to provide information to my legal partners, and it was incumbent upon me to learn how best to respond to their needs. As cyber security professionals we are often well-suited to adapting our approaches to communicating complex problems, and we should continue to hone this skill in working with our legal partners. 

Managing the Security Program in the Age of Privacy and Consent

Perhaps the most acute effect of recent privacy laws (such as GDPR) is that they contain language relevant to both corporate counsel and the cyber security professional. Article 32 of the GDPR is a fantastic example of this effect, where the law calls upon us to “ensure a level of security appropriate to the risk.” This is a statement which requires, by its very nature, a risk management exercise to determine what’s “appropriate.” Many other regulations have language in them using terms such as “reasonable” and “appropriate.” As a security leader, determining what’s reasonable and appropriate in a vacuum is not only ill-advised, it is risky and unnecessary. While it’s important for us to know what security technologies, methodologies, frameworks and processes are likely to be relevant in a particular regulatory situation, it is our very expertise which becomes invaluable when placed in the right context; that’s precisely why we need sound partnerships with our legal partners. In short, being a great security professional is less risky, more effective and perhaps even a bit easier when we have a great lawyer by our side. Lawyers help us set thresholds, analyze both applicability and consequences, determine legal exposure and alternative scenarios. Conversely, our legal partners are digesting these new regulations which contain terms such as encryption, pseudonymisation and other technical terms. It’s incumbent upon us to be reliable interpreters of these terms and assist our legal partners as they analyze new regulatory requirements.  

Building the Business Case

One of the areas where a great partnership with corporate counsel is important is in building business cases for the information security initiatives and the subsequent budget requests which go along with those initiatives. As referenced earlier, we security professionals don’t always speak English as a native language, and we often find ourselves in an uphill battle to justify projects to executive stakeholders. In our experience at Optiv, clients who leverage their corporate counsel as a partner for solving problems have already cleared one hurdle, which is the reasonableness test. We’ve seen many instances where passing the “reasonable” mark with corporate counsel for security projects is a tough challenge—lawyers can ask tough questions and require us as cyber security professionals to be on our game when we’re trying to solve problems. Clearing this initial litmus test increases the likelihood of success as we build budgets to solve security and compliance problems. Walking into the C-suite with the lawyer(s) already on your side increases the odds of success significantly.

Incident Management and the “B” Word

History in our industry is fraught with examples of what not to do when responding to incidents, and in general the post-mortem includes a communication breakdown or misstep between the cyber security professional, corporate counsel and the outside world. Nowhere is this more prevalent than in the ubiquitous breach notifications we’ve all seen. It’s at this point, when something bad has happened, that the relationship between the security leader and the legal professional becomes critical. The very word, “breach” has very specific legal implications, and it’s for that reason that as cyber security professionals we should commit ourselves to never using this word during any phase of incident response unless this word is agreed upon by our legal partners and us. Fleshing out some of these rules of engagement and agreed-upon swim-lanes is exactly why performing incident response tabletop exercises is critical, and we should always ensure our legal partners are a key part of these exercises. A very bad sign is when an actual incident begins to get serious and the first “big meeting” begins with an introduction between the security and legal professionals. Of course, we want to avoid this at all costs.

Don’t Go it Alone

Security leaders have a great deal of responsibility, and it’s often a very lonely and thankless role. The same could be said for corporate counsel. Both of these roles require significant use of judgement, failure has real and tangible consequences, and both are looked upon as authoritative sources in their respective domains. In our experience at Optiv, security leaders who have great relationships with their lawyers are more successful in accomplishing their security program objectives. In short, if you want to be a great security leader, you need a great lawyer.