Manage Learn to apply best practices and optimize your operations.

Talking with lawyers: How to manage information security legal issues

Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues.

An executive mandate for the security team this coming year is to work more closely with the legal department to...

ensure our compliance efforts, breach procedures, security policies, etc., could stand up to litigation. Do you have any tips for a CISO who needs to work with corporate lawyers? What do I need to know going in?

As a former CISO, I would have been thrilled if my executives mandated closer work with the legal department!  What I’ve historically had to do is make time and setup meetings just to introduce my role to the legal department and to explain how I thought we could work together to deal with information security legal issues.

Anyway, that said, this should be viewed as an exciting opportunity for the CISO to expand his or her dialogue with the legal department.

So, what would the CISO talk about with a bunch of lawyers?  Frankly, the topics would range from broad and general to specifics.  Here are a few thoughts:

  1. The CISO should introduce himself to the general counsel and key members of the legal team.  This could be a simple one-hour meeting over coffee or lunch to talk about backgrounds, experiences, alma maters, etc.  This is also a good time to compare key challenges each organization faces and look for synergies. 

    This initial meeting is a good time to find out who the “geeks” are in the legal department who have an interest and background in computers, networks, computer security, etc.  Perhaps they could be your key liaisons for future meetings.
  2. Understand the best way for the CISO and legal team to work together on a cybersecurity incident response.  Ascertain when legal wants to be involved and if human resources and public relations should also be brought in on certain key incidents or events (e.g., data breaches, termination of key employees with data access, etc.).
  3. Do some deep-dives on how information security and legal can work together on such issues as Sarbanes-Oxley, the Payment Card Industry Data Security Standard (PCI DSS), and state data breach laws.  Understand not only the roles played by each organization in order to meet and achieve the necessary requirements, but also figure out ways the right “experts” can be brought to bear for different problems that arise in these areas.
  4. Ascertain when legal and the CISO should work together when developing security policies, standards, procedures and guidelines.  Also, see if the CISO can be part of some of the legal reviews to ensure there are no subtle infosec issues to be addressed.
  5. Consider such meetings as “lunch and learns” where the office of the CISO and the legal department can meet to discuss recent reports like the Verizon Data Breach Investigations Report or the recently issued Verizon PCI Analysis.

Of course, there are more topics once the conversation starts.

Overall, feel blessed that the executive management team wants you to work closer to the legal department!  This sort of ongoing conversation will have many benefits for the CISO both professionally and personally.

This was last published in January 2012

Dig Deeper on Security audit, compliance and standards