How To Get a True View of Cyber Risk
Perspectives From the General Counsel and Chief Information Security Officer Can Help Determine Your Security Strategy
July 24, 2023
Firewalls and other technology are often considered the front line of a robust cybersecurity defense strategy. One of the most important elements in ensuring data is kept safe is sometimes underemphasized: a strong and productive relationship between the general counsel (GC) and the chief information security officer (CISO).
Fortifying this relationship can enable quick and efficient handling of cyber incidents, which will inevitably arise. A strong GC-CISO duo can also circumvent subtle pressures to present a positive but potentially inaccurate perspective to the board of directors and ensure board members have a realistic understanding of the company’s cyber risk.
To Each Their Own
The GC brings a holistic view of the organization the CISO may lack. Typically, a GC has more regular conversations with upper management and a better grasp of the organization’s values, culture and priorities than a CISO.
“Cybersecurity is no different from physical security,” says Anthony J. Ferrante, a senior managing director and global head of cybersecurity at Washington, D.C.-based FTI Consulting, one of the world’s top business advisory firms. “It is risk management, and the general counsel should absolutely be spearheading the efforts to drive how the organization looks at, understands, evaluates and addresses risk. In other words, cybersecurity should be viewed in the same light as the traditional risk that falls within the purview of general counsel.”
At the same time, the CISO can help the GC understand the nuances and technical aspects of cyber risk. Working together, the CISO and the GC can hone a cybersecurity strategy that meshes with the organization’s risk appetite and priorities.
“We all know that software needs to be patched,” says Miriam Wugmeister, co-chair of the global privacy and data security group at Morrison Foerster, a leading global law firm. “A real conversation between a GC and a CISO goes beyond that to address things like how long it takes to patch a critical vulnerability. Because one of the ways in which organizations get in trouble is they have a vulnerability, a patch comes out and they don’t put the patch in quickly. In the meantime, the bad guys get in.”
Such seemingly straightforward topics can be layered. Is patching being appropriately tasked based on the risks to the organization? Are the right number of people and resources being prioritized? The CISO and GC can shape a sound cybersecurity strategy by working through a host of issues, such as the correct balance of security and usability based on the organization’s culture and needs.
The GC can be the focal point for developing a task-force mentality to deal with cyber risk, Ferrante says. The companies that deal with cybersecurity best involve stakeholders throughout, and even outside, the organization in the cybersecurity and incident response plan.
“There is no one-size-fits-all solution,” Ferrante says. “We see organizations staff their cyber task force with professionals from across the enterprise, to include marketing, human resources and other nonobvious stakeholders. It’s all to gain a holistic view of potential risk, which is needed to keep pace with evolving tactics from threat actors.”
Building a Culture of Transparency
The GC can help ensure there are regular check-ins and open lines of communication between the stakeholders, breaking down fiefdoms across an organization where varied approaches to data and cybersecurity can increase risk.
“Creating a culture of trust and transparency in the organization might sound easy, but it’s not,” says Sonia Cheng, who leads the EMEA information governance privacy and security practice at FTI Consulting. “We have worked on compliance transformation programs where the CEO, the GC and other executives from different lines of business make videos about what data protection is and what security means to them, connecting these efforts to people’s day-to-day jobs.”
Building a culture of trust and transparency will encourage people throughout the organization to communicate concerns without fear of reprisal. “The person who manages the server might be aware of a particular issue or vulnerability but not the downstream legal risk the vulnerability brings, so they need to feel empowered to speak up rather than be afraid to speak up,” Cheng says.
This culture of transparency should extend to the board and upper management, but right now that isn’t usually the case. In an October 2022 survey from FTI Consulting, CISO: Communications Redefined—Navigating the Journey from Control Room to Board Room, 82% of CISOs claim they feel pressure to present a positive picture to the board.
“A lot of times the CISO goes to the board with dashboards that lack context and meaning to the board,” Wugmeister says. “If the GC and the CISO are having regular, honest, open conversations about the risk they face and how to mitigate it, the GC can help the CISO provide realistic context. For example, the GC could be the one to articulate to the board that the company faces more risk because they just got rid of 5% of the IT department.”
By being in lockstep about the cyber risks they face, GCs and CISOs can ensure their company’s data is protected and locked down.
First published by Custom Content from WSJ on June 9, 2023. Custom Content from WSJ is a unit of The Wall Street Journal Advertising Department. The Wall Street Journal news organization was not involved in the creation of this content.