As the founder and CEO of Polymer, I’ve had the opportunity to work with multiple organizations looking for more tools to secure their sensitive data. A common theme that emerges from my conversations is how legal and security teams working effectively together can have a material and positive impact on an organization's data governance.
As an enterprise consultant I saw the merging of security and legal functions 8 years ago. I was conducting a data mapping exercise at a large investment bank sponsored by the GC. Eventually, the demand for the inventory and data catalog we were compiling grew beyond just the legal function. For example, the security team used the same outputs for their access management projects. We had managed to accidentally combine 2 different budgets towards the same outcome of risk reduction.
When the TechGC team came up with the idea of creating a practical webinar around Security & Legal, I was incredibly excited to share from my experience, and also learn from other seasoned GCs. We had a lively discussion with great panelists around 3 key areas.
We all know that, in this environment, data security remains top of mind for most organizations, and likely remains top of mind for most GCs. While the practical insights from the discussion are best captured by watching the recording of the webinar, I have tried to capture the high level takeaways here.
● Moderator: Yasir Ali (Founder & CEO Polymer)
Is Security a Legal or Technology Function?
The security function is first and foremost a risk role, and its reporting lines are often influenced by the maturity of the business. Security risks to a business can come from any of the following:
1. People: Inadequate training, breakdowns in communication between employees, or human error are often the most overlooked areas of risk.
2. Process: Processes around customer support and audit findings, or a product roadmap designed without security and legal input.
3. Technology: Risk here generally comes from external threats to infrastructure, contracts with partners, diligence of third-party systems, and the related SOC functions across the enterprise.
A GC's purview, meanwhile, can encompass all of the above as well as other legal risks from every business function within the organization.
Security posture and risks need to be surfaced to senior management and the board of directors. This can only happen when legal and technical know-how comes together to build a robust risk management function within the organization.
The size of the security team, and who the head of security reports to, depends on the maturity of the business. For example, information security reported to Lisa when she was General Counsel at a prior company, at a time when the business was expanding to the cloud.
The security function has evolved to touch not just technology but also people. For example, privacy used to be a purely compliance function; at many organizations it is now part of the security framework. “Legal ends up becoming the go-between from technical risks to business risks.” Liz
The industry vertical of the company has a lot of bearing on what risks the GC and security function are solving for. For example, in a technology company the risks are technical and contractual, versus a healthcare company where they may centre more on data. This can determine whether the CISO reports to the GC, the CTO or directly to the CEO.
“Security is not a function that should report to a CFO though.” Danielle
How to achieve a good working relationship between Security & Legal roles
Regular communications or meetings are a must to start building a common nomenclature on basic terms. For example, at Flexport, Kevin and his legal counterpart can reference the following ontologies:
● Privacy data
● Customer data
● Payment Data
This framework of standardized definitions allows for templated addendums and common SLAs across the enterprise. Since the GC is where the buck stops, they end up at the crossroads of many functions and key decisions within the company. This can range from being CCed on every email related to customer success to being involved in product roadmap meetings on a quarterly basis. A GC needs to decide what cadence works within the organization.
“A weekly touch point between Legal and InfoSec is a fantastic way to keep an open dialogue and build a strong partnership.” Lisa
In Carbonite’s early days, Danielle said, the team used a checklist manifesto to share security risk responsibilities. Any time there was a product release, the checklist had to be cross-referenced. This process continued for some time before the team decided it was time to hire a CISO who would take on that responsibility full time.
“In the absence of budget to hire a full time CISO, using a part time virtual CISO is a viable option for companies to jump start their security functions.” Kevin
Security is an ever-evolving area, with a costly balance to strike between solutions and risk.
A GC needs to be somewhat up to speed on the technology in order to be the ‘translator’ of technical risks into legal risks. This is valuable when negotiating insurance, contracts and vendor SLAs.
How to build a culture of compliance and security
The Polymer team has seen 5% of employees contribute 71% of all data breach risk in organizations. A culture of individual responsibility for how data is shared and for security practices is crucial to keeping organizations safe.
Alliances between the GC, Security and the wider organization help the broader team become the eyes and ears of the infosec function, so that culture is built on decision-making that happens through a security lens. Active dialogue is hugely important in creating this culture.
Conversations need to be open and have to take into account the reality of the security landscape in the marketplace. For example, senior management should talk about ‘living wills’ that determine what happens when there is a data breach or a ransomware demand.
Quick Round of Questions
1) Security training: At Flexport, Security handles remediation. At Totango, the CEO gets up on stage and discusses it with the wider employee base.
2) Cyber insurance: Cyber insurance and ransomware policies generally have a lot of moving parts. It is imperative that these are negotiated proactively (Danielle). There is a lot of variation in rates and payout SLAs across industries, so working with a good broker is necessary (Kevin). On the other hand, E&O and D&O policies are fairly standard, so they do not require too much haggling.
3) Pen testing: The GC needs to get involved in determining the goal and outcomes of the pen testing exercise (‘what is it that we are trying to verify?’) (Lisa).
4) Handling contracts: The GC needs to draw on knowledge across the enterprise for various contractual addendums, such as security and data privacy (Liz).