The idea of having a CISO with a legal degree came to me some years back, while I worked as a travelling security consultant. I lost count of the times that a legal opinion was needed to confirm some area of liability or inquire about the propriety of certain methods used to reach certain objectives. It always seemed to me that although most security consultants had a very good idea of what would be legally acceptable, none of the individuals I worked with had the professional qualifications to offer this type of guidance. The result was that corporate counsel, or an outside attorney, would need to be called in to confirm what we all suspected.
This need created new challenges: an outside attorney now had to be brought up to speed on what we were trying to accomplish and the nuances of the situation before we could get an accurate legal opinion. Depending on the attorney’s schedule and individual understanding of the matters involved, this could also create project delays and friction between working groups that now had to get acquainted and work together. An additional item was cost: depending on fees, a project could become paralyzed, or a team might accept the risk and simply continue without the benefit of legal counsel.
In view of this, what are some potential benefits to hiring a CISO with legal training or past legal experience?
In researching this article, I came across some information about the benefits of hiring in-house counsel. I noticed that across multiple articles on this subject, the authors all seemed to point to similar benefits, which I believe can be applied and augmented by having a CISO with legal training. For the purposes of this article, I’ll call this position a “CISO-LT.”
Benefit 1: Supporting the Business’s Growth
According to Forbes Legal Counsel, hiring an in-house attorney increases opportunities for business growth and development. They can also proactively spot legal issues so these problems can be avoided.
These benefits can be expanded by hiring a CISO-LT. An individual who understands the complexities of information security and the law can quickly identify any shortcomings in an approach to security, as well as the exact legal repercussions of failing to close these gaps. This in turn can help a business more accurately understand its risk and social responsibility.
For example: How much risk can a company accept before it begins to fall into a category of “legal negligence”? The answer to this question could deeply affect an organization’s public reputation and perceived integrity.
This type of insight could also benefit a company in regard to its competitive advantage. Understanding legal risk and developing customized security solutions can quickly demonstrate the maturity of a given organization. This, in turn, can be seen in how it handles the confidential information of its clients, partners and business practices. In an age where data breaches, lax controls and lack of accountability seem to run rampant, improving a business reputation in this manner can lead to increased business opportunities.
Benefit 2: Intimate Strategic Knowledge of the Business
Another interesting benefit that Forbes Legal Counsel pointed out was the fact that an internal attorney’s knowledge of the business is “priceless.” This spoke to the attorney’s familiarity with the business and the intimate details of its relationships, and how this familiarity supports the identification of legal liability.
In the case of a CISO this benefit is magnified, as these individuals are usually heavily involved in the deeper details of these same business relationships. At a technical level, a CISO and their subordinates would need to understand the methods of any internal or external communications, the intended recipients and the type of business data involved. The details needed to fully understand these exchanges give the CISO deep insight into how the relationship works.
Additionally, CISOs and their teams normally work closely with other business and technical groups and are made aware of emerging threats and attempted methods to breach the company’s defenses. A CISO-LT would understand not only the technical aspects of this situation but also how a breach could legally impact multiple business units, diverse business relationships and the company reputation.
In the unfortunate case of a breach, a CISO-LT could immediately determine the company’s responsibilities in terms of disclosing the issue and start to formulate an immediate course of action. This is crucial: in the case of a data breach, how long does the company have to act before penalties start to accrue? Different states have diverse laws on breach disclosure and on the specific actions that must be taken from a legal standpoint to avoid any wrongdoing.
Other incidents may carry lower risk where the applicable laws do not require reporting of the issue. Having a deep knowledge of the law coupled with information security provides the company with a very powerful ally, which brings me to my next point …
Benefit 3: Knowing How to Balance Business Needs Against Requirements
This last benefit speaks to “emotional intelligence.” What does this mean? In the case of an in-house attorney, Forbes explains that this speaks to their ability to work with different business stakeholders, understand their needs and develop customized legal solutions.
In the case of a CISO (and frankly any information security pro worth their salt), being reasonable and finding elegant solutions to problems in a balanced way is an invaluable skill. This can be very tricky when dealing with immediate business needs, security requirements, potential penalties and — of course — good old-fashioned human emotions. Since a CISO normally works hand-in-glove with many different components of a business, they are able to determine what these business areas need to protect from a security standpoint. This understanding, combined with business need, helps the CISO arrive at a balanced preliminary decision.
(I use the term “preliminary” since corporate counsel may need to be involved to confirm the legal compliance of a given approach.)
In the case of a CISO-LT, the additional legal knowledge would assist this individual by clarifying not only how a given approach provides security, but also how it satisfies, in detail, any legal obligations it implicates.
Please note that this article is not meant to detract from the valuable service provided by CISOs, but simply to explore a possibility. As technology constantly evolves, different forms of leadership may help a company to keep itself secure.