The legal department is an increasingly important presence when it comes to making cybersecurity decisions in an enterprise. Security leaders need to know how to work with them effectively. To get the perspective of a leader in a legal department, we interviewed Joel Smith, Senior Vice President of Legal and General Counsel at Trustwave.
Q: What’s the role of the legal department when it comes to cybersecurity? How has it changed over time?
Joel: Ten years ago, an in-house legal team didn’t have a huge role in confronting cybersecurity risk, with the exception of some large companies. But it’s been something the legal field has had to develop quickly in response to data protection laws that have become front of mind for many people and companies, changing the role of an in-house legal team when it comes to cybersecurity.
Q: What does that look like for your team?
Joel: Our legal team interacts with the cybersecurity team fairly frequently to identify risk as it relates to two distinct areas.
- Data protection and compliance - GDPR, HIPAA, CCPA and other data protection laws that are emerging in most jurisdictions around the world.
- General cybersecurity - for a company like Trustwave it’s about storing our data securely and in a way that protects against regulatory and litigation risks. This is where a good legal team should work closely with an information security team.
Q: How does a legal team think about cybersecurity generally?
Joel: It’s changing quite rapidly. Five to ten years ago, most laws and regulations mentioning cybersecurity would say something broad. You’d need to have “reasonable security practices” or have to comply with some basic standard. But we’re getting to the point where laws like California’s IoT Security Law, and the new government mandate, the Cybersecurity Maturity Model Certification (CMMC), are more prescriptive in nature.
They tell you more exactly what kind of measures you need to implement. Now, if the legal team doesn’t have cybersecurity expertise, it can’t properly advise on the risk. How legal teams approach cybersecurity will continue to change as various states and even the federal government enact their own GDPR-style laws.
Q: How does cybersecurity play a role in your department on a regular basis?
Joel: How the roles of each department (cybersecurity and legal) shake out varies from company to company. Trustwave is interesting because cybersecurity is our product, so there’s an overlap where the lawyers need to have a good understanding of cybersecurity just to negotiate contracts and assess vendors.
For example, we expect any law firm to maintain a good security posture, and we talk to our procurement teams to make sure that Trustwave vendors have security standards built into contracts.
Internally, legal departments rely on cybersecurity teams to keep the company’s data safe and help advise on various regulations. Our mutual goal is to avoid data breaches and regulatory issues. We must be aligned and educated in order to meet our customers’ expectations.
Q: What’s the difference in perspective between the leaders of a cybersecurity and legal department and how they can work together?
Joel: Essentially, they’re two sides of the same coin. Both are trying to prevent and mitigate risk. The Chief Legal Officer (CLO) or general counsel is focused on mitigating legal risk while the Chief Information Security Officer (CISO) is focused on mitigating cyber risk. Their knowledge of law and technology can be combined to de-risk the company from legal risk and intrusion. A CISO should have the technical security expertise to help guide and enable the CLO to give legal guidance relating to the company’s legal posture. The best case is the CLO and CISO have separate but overlapping expertise to confront the various risks posed by cyber threats.
Q: How can cybersecurity departments work best with legal teams when tackling different cybersecurity scenarios?
Joel: There should be an open line of communication between the two, so we can respond to any level of risk and know how to protect ourselves from that risk as changes in laws and technologies arise.
Each department should also include the other in certain internal processes, such as when we negotiate contracts with customers and vendors. During these negotiations, many companies will have specific data use and security policies, and we need to make sure our systems are compliant, at a minimum. The legal team relies on the information security team to assist in answering these questions.
Likewise, when a new vendor is considered, the security team asks “does this vendor have good security?” while the legal team asks “does this vendor follow GDPR, and all applicable data storage laws?”
These teams also collaborate when a company tracks and classifies the regulated data that flows through the company, as GDPR requires. A CISO should know where it’s stored, how it’s secured, who has access, and how it’s processed. The legal team should opine on how that complies with GDPR.
If a company is faced with some sort of breach or incident response, that’s when several departments - legal, corporate communications and public relations, and cybersecurity - need to work hand in hand to manage data risk, legal risk, and reputational risk. Those require a strong incident response system in place, hopefully set up in advance, where all those teams work together.
Finally, both the CISO and CLO should engage in an ongoing conversation regarding changes in laws and types of systems, and prioritize areas where the company could do more. Those are the kinds of scenarios where the two department heads would work pretty closely together.
Q: How does the legal team work best with the cybersecurity team?
Joel: In-house lawyers must have a basic understanding of security technology and practices to protect the company from cyber risk and legal risk. With that understanding you can have productive conversations with the cybersecurity team and design legal processes accordingly.
Q: What would you recommend department leaders avoid doing?
Joel: You should avoid any scenario where you position each other in a way that’s adversarial. The CLO and CISO are trying to answer the same questions and solve the same problems: How do we make our customers happy and how do we protect our company? The CISO does it via managing a technology and policy framework and the CLO from a legal framework.
Q: What are some common friction points between the two departments?
Joel: Many lawyers tend to communicate with legal concepts and language, and CISOs speak within a heavy security context. That’s a challenging bridge to cross. When you have a deep understanding of your own industry, it can be hard to have a productive conversation and reach an understanding. Resolving this requires both sides to thoroughly explain their perspective.
There’s inherent conflict at times as to who owns certain issues, especially as laws are becoming more prescriptive in terms of what’s required. A legal team may feel that the interpretation of certain laws is within its purview when it has been the CISO’s in the past. As cybersecurity and privacy regulations evolve, this is going to overlap more and more.
Q: How can a company resolve those issues of ownership?
Joel: I find the legal department works best when it works as the advisor to the business and not the decision maker. We provide the guidance, what we think it means for the company, and what the potential issue is. If the CISO disagrees, but it’s risky enough, it gets escalated to the CEO or whoever the CISO reports to.
Like with any profession, there are lawyers who have huge egos and think it’s their call. In my opinion, it works better if lawyers act as subject matter advisors for the client making the final decision. If you follow that guiding principle, things will work better.