{"id":1855,"date":"2025-02-10T06:00:00","date_gmt":"2025-02-10T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1855"},"modified":"2025-02-10T06:00:00","modified_gmt":"2025-02-10T06:00:00","slug":"cisos-stop-trying-to-do-the-lawyers-job","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1855","title":{"rendered":"CISOs: Stop trying to do the lawyer\u2019s job"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>There\u2019s a joke that\u2019s been floating around boardrooms for years: \u201cWhat\u2019s the difference between lawyers and engineers? Lawyers don\u2019t think they\u2019re engineers.\u201d<\/p>\n<p>This light-hearted jab highlights a fundamental difference between the two professions. Engineers, and by extension CISOs, focus on building and fixing things, learning a wide array of skills, sometimes sticking their hands into technologies nobody trained them to handle. Lawyers, on the other hand, aim to find problems, navigate gray areas, and anticipate risks.<\/p>\n<p>While these differences might seem like a recipe for conflict between the two professions, they can often lead to a strong partnership. By combining their skills, these two groups can navigate the ever-evolving intersection of technology, innovation, and regulation.<\/p>\n<p>\u201cCybersecurity and data breaches are not just technical issues,\u201d says Michael Welch, former CISO and managing director at MorganFranklin Consulting. \u201cThey can be intertwined with legal, regulatory, and reputational risks that require a collaborative, proactive approach.\u201d<\/p>\n<p>While the relationship between CISOs and their legal teams is essential, things don\u2019t always go smoothly. 
Differing priorities and communication gaps can create tensions or even lead to conflict. However, strengthening this partnership is not just beneficial \u2014 it\u2019s critical for the organization\u2019s ability to manage risks and respond to complex cybersecurity and compliance challenges. And CISOs can do a few things to make this partnership work.<\/p>\n<h2 class=\"wp-block-heading\">CISOs must have a relationship with Legal<\/h2>\n<p>When it comes to cybersecurity and privacy, <a href=\"https:\/\/www.csoonline.com\/article\/570281\/csos-ultimate-guide-to-security-and-privacy-laws-regulations-and-compliance.html\">new legislation<\/a> is emerging at a swift pace across the globe. For companies, particularly those with international operations, staying informed about these changes is mandatory to ensure compliance. Having constant conversations between CISOs and their legal team can help organizations stay on top of things.<\/p>\n<p>\u201cIt\u2019s good to be mindful in advance of the security and privacy requirements in the jurisdictions the organization is operating within, and to prepare possible responses should there be incidents that violate those laws and how to respond to those,\u201d says Christine Bejerasco, CISO at WithSecure.<\/p>\n<p>Of course, the conversation between the two parties can go smoothly if there\u2019s an existing relationship. If not, that relationship should be built. \u201cReaching out to legal experts should be as straightforward as reaching out to another colleague,\u201d Bejerasco adds. \u201cJust talk to them directly.\u201d<\/p>\n<p>When the relationship is just getting started, WithSecure\u2019s CISO suggests finding some common ground to connect on. She also points out how important it is to communicate clearly and keep things straightforward. 
\u201cFor instance, during an incident, it\u2019s good to get the facts on the table at the start of the conversation: the issue, the jurisdiction, the company impact of the incident and your intended response,\u201d she says.<\/p>\n<p>CISOs should frame conversations with lawyers as solution-oriented discussions focused on both immediate and long-term risk management, adds Welch. \u201cBy framing the conversation as a partnership where both sides are working toward the same goal of protecting the organization, the CISO can ensure that legal counsel is equipped to offer timely, informed advice that aligns with both security and business objectives.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Avoid the \u201crubber stamp\u201d mentality<\/h2>\n<p>Legal teams are not there to simply greenlight decisions but to provide insight, mitigate risks, and to help the company adhere to regulations. \u201cOne sure way to damage a relationship with Legal is by treating Legal as a \u2018rubber stamp,&#8217;\u201d says Trevin Edgeworth, red team practice director at BishopFox and former CSO.<\/p>\n<p>When lawyers are expected to simply provide approvals, they may feel frustrated and undervalued. CISOs who fail to involve them throughout the process risk unintentionally signaling a lack of respect for the critical expertise these professionals have.<\/p>\n<p>\u201cIf they feel their role is reduced to mere approvals without meaningful engagement, they\u2019re unlikely to prioritize your efforts or view them as collaborative,\u201d Edgeworth adds. \u201cA successful partnership requires mutual respect, open communication, and ongoing collaboration.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Don\u2019t try to \u201chandle it\u201d\u00a0<\/h2>\n<p>Of course, sweeping issues under the rug is not the way to go. 
Legal departments must be involved early on in case of a crisis to guide the tech teams through regulatory and compliance complexities and to help them protect confidential information.<\/p>\n<p>\u201cDon\u2019t follow the fix it first, tell them later mentality,\u201d says Welch. \u201cEngage Legal at the outset to ensure a coordinated response and document everything.\u201d He adds that waiting before engaging the Legal department could cause delays in meeting mandatory reporting deadlines, which can lead to risks for the organization.<\/p>\n<p>Transparency should also be part of the mindset. \u201cThe CISO needs to be transparent, sharing relevant information without overwhelming Legal with technical jargon,\u201d says Welch.<\/p>\n<p>When it comes to full transparency, Bejerasco recommends that CISOs be open about what they know and what they don\u2019t know. \u201cThese lawyers are there to protect the organization the same way as you, the security people, are there to protect the organization,\u201d she says. \u201cAt a high level, you have the same mission. When in doubt, remind yourselves to go back to that common mission so that the job gets smoother moving forward.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Stay in your lane<\/h2>\n<p>Some CISOs have a legal background or have an extensive amount of experience working with general counsel. However, this does not mean they should act as legal advisors or take on responsibilities outside their role.\u00a0\u201cIt is important to respect boundaries and not overstep job functions,\u201d says Stacey Cameron, CISO at Halcyon. 
\u201cThere\u2019s nothing wrong with differing opinions, interpretations, or healthy discussions, but for legal matters, it will be the lawyers\u2019 responsibility to make a case on behalf of the company, so we need to respect each other\u2019s roles and stay in our respective lanes.\u201d<\/p>\n<p>According to Cameron, overstepping boundaries is one of the biggest mistakes CISOs can make when they are trying to build a relationship with their organization\u2019s lawyers. \u201cLawyers spend the bulk of their time staying current on laws applicable to the organization, building\/reviewing contractual agreements, SLAs, MSAs, company policies, business structure, patents, and additional tasks to make sure the company is operating successfully and maintaining a strong reputation,\u201d she says. \u201cWhen CISOs begin making internal\/external decisions that conflict with other areas within the organization, it can cause confusion and may lead to future legal problems.\u201d<\/p>\n<p>Whether done intentionally or not, this can strain the relationship between the CISO and the legal team \u2014 a situation that might prove tough to mend. \u201cThe lack of trust is often difficult to rebuild and can lead to organizational-wide difficulties,\u201d Cameron adds.<\/p>\n<h2 class=\"wp-block-heading\">Organize cross-training sessions<\/h2>\n<p>Both teams \u2014 lawyers and security experts \u2014 can collaborate by sharing their expertise and educating one another. \u201cRun tabletop exercises that simulate data breaches or security incidents,\u201d says Welch. \u201cThis will help the CISO and the legal team understand each other\u2019s roles and responsibilities in such situations.\u201d<\/p>\n<p>Andy Lunsford, founder of BreachRx, suggests running incident simulations across the business at quarterly intervals, in which both Legal experts and security experts are involved. 
He also suggests conducting realistic training sessions that expose teams to legal scenarios: \u201cRun a deposition workshop for CISOs\/security teams to show them how easily the work that is done by their teams can be used against them in court.\u201d<\/p>\n<p>While security and legal teams might be worlds apart, it\u2019s useful to keep in mind that they share common ground. \u201cBoth are focused on protecting the organization by identifying, assessing, and mitigating risks. Both ensure adherence to external and internal rules to avoid regulatory or reputational harm. And both face the ongoing challenge of balancing organizational protection with supporting strategic business objectives,\u201d Edgeworth says.<\/p>\n<h2 class=\"wp-block-heading\">Build collaboration into your daily routine<\/h2>\n<p>In their book The Friction Project, Stanford professors Robert I. Sutton and Huggy Rao argue that great leaders \u201cmake the right things easy and the wrong things hard.\u201d If we follow this advice, it becomes clear that one way to foster collaboration between CISOs and legal teams is to create systems and processes that would help streamline it.<\/p>\n<p>\u201cImplement a secure out-of-band communication platform specifically designed for incident response, crisis management, and ongoing security discussions,\u201d Welch says. \u201cThis will enable real-time updates, document sharing, and collaborative decision-making.\u201d<\/p>\n<p>He also recommends organizations set up a clear process for escalating security issues to legal to ensure that legal experts are brought in early when things like a potential breach are detected. \u201cBy creating a structured channel for communication, separate from email or informal messaging, you can be aligned without the risk of missing crucial details, ensuring timely and informed decision-making during high-pressure situations,\u201d he adds.<\/p>\n<p>Edgeworth suggests going a step further. 
He invited the company\u2019s legal experts to attend his red team\u2019s weekly calls once every month. \u201cWhen I first mentioned this change, my team looked at me wide-eyed questioning my sanity, but they quickly recognized the value,\u201d he says. \u201cLegal helped us avoid mistakes in planning, executing, and reporting adversarial operations, particularly by encouraging factual, objective reporting.\u201d<\/p>\n<p>Knowledge transfer can also happen whenever needed, even outside of structured activities. Cybersecurity experts don\u2019t typically have formal training in the legal aspects of their work, and they need it. \u201cThe letter of the law is alien to most of them,\u201d Bejerasco says. Her advice is to be open to learning and ask questions whenever they need clarifications.<\/p>\n<h2 class=\"wp-block-heading\">Involve legal experts as often as needed<\/h2>\n<p>Legal teams can offer their perspective on a wide array of tasks. They can review contracts with third-party vendors or service providers to ensure that data protection and breach notification clauses are included. They can help with compliance and offer their insights when it comes to potential risks the organization might face.<\/p>\n<p>\u201cTry to involve Legal in discussions about emerging risks, key strategic decisions, and projects such as red team operations that tend to uncover or potentially even create organizational risks if you\u2019re not careful,\u201d Edgeworth says.<\/p>\n<p>Legal teams can help the CISOs identify risks early and avoid operational or financial inefficiencies before delivery to the business. \u201cConsider involving your Legal team early in the development and execution of security initiatives,\u201d says Welch\u2019s colleague, Kevin McGovern, who is a senior director for strategy and risk. 
\u201cEndorsing this kind of partnership will build mutual trust and shared institutional knowledge that results in better, more effective solutions for the business.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Bond over beers<\/h2>\n<p>Don\u2019t underestimate the power of a good chat over coffee \u2014 or a beer. Sometimes, collaboration happens in a relaxed setting. \u201cLegal folks are people too,\u201d says Bejerasco. \u201cHaving beers and discussion with them makes you see a different perspective to the work they have, and how they perceive some of the legislation that has caused compliance pains to the rest of us.\u201d<\/p>\n<p>After doing this herself, she was surprised that legal experts \u201care not as frustrated with the increased requirements as I was! Mind blown.\u201d<\/p>\n<p>Cameron agrees, noting that one activity that helped her team build a strong bond with legal experts was none other than karaoke nights.\u00a0<\/p>\n<p>Edgeworth also sees the potential of informal activities for building stronger relationships: \u201cBuild personal rapport with Legal by treating Legal as a vital partner rather than an obstacle,\u201d he says. \u201cA strong interpersonal connection just tends to make collaboration so much smoother.\u201d<\/p>\n<p>By stepping out of formal settings, both sides can gain fresh perspectives and build the trust needed to tackle challenges together. Sometimes, just sitting down and having a laid-back conversation can yield impactful results.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>There\u2019s a joke that\u2019s been floating around boardrooms for years: \u201cWhat\u2019s the difference between lawyers and engineers? Lawyers don\u2019t think they\u2019re engineers.\u201d This light-hearted jab highlights a fundamental difference between the two professions. 
Engineers, and by extension CISOs, focus on building and fixing things, learning a wide array of skills, sometimes sticking their hands into [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1840,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1855","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1855"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1855"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1855\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1840"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1855"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1855"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1855"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}