
GC Should Lead Security

GC Should Lead Security Management and Risk

By Thomas Yohannan, Paul Lanois and Brett Williams

Cybersecurity is a board-level issue. A breach of almost any magnitude can put the survival of the business at risk. In 2014, the U.S. Securities and Exchange Commission wrote “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

The Yahoo data breaches are a cautionary tale for any General Counsel’s office. Notably, as indicated in Yahoo’s Form 10-K filing, the in-house legal team at Yahoo was found to have not sufficiently pursued the investigation of a security incident that arose in 2014. In particular, an independent committee of Yahoo found that it was up to the legal department to further inquire into security incidents, to pursue the investigation and analysis, and that failure from the legal department meant that the company was not correctly advised concerning legal and business risks.

This clearly suggests that the GC has a critical role concerning information security and, in this case, failed to execute that role. In fact, in connection with the alleged lack of action from the legal department, Yahoo subsequently accepted the resignation of its GC. As further evidence of the impact of the breach, the acquisition value of Yahoo decreased by $350M from the time the breach was announced to when the merger with Verizon closed.

Enforcement actions taken under data protection laws also relate to cybersecurity issues. For example, the UK’s Information Commissioner’s Office (ICO) issued in July 2019 a notice of intention to fine British Airways $230 million and Marriott International $123 million, both under the General Data Protection Regulation (GDPR) for a data breach. The ICO criticized British Airways for its “poor security arrangements” and claimed that “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

These are but two examples of the strategic importance that must be given to managing cyber risk.

ROLE OF THE CISO

“Data breaches” have become part of the vernacular. They affect a broad spectrum of society. In response, organizations are reevaluating how they handle and heighten information security and management responsibilities. The Chief Information Security Officer (CISO) role represents a growing leadership focus. This is a positive and essential trend. One question is, how would an organization reach a level of maturity such that the CISO might have a more significant role in the business decision-making process? Creating a close relationship with the GC is a clear option.

A successful corporate strategy is not to have concentrated profit with miscalculated risk. A cyber incident is the best evidence of such a gross miscalculation of risk. The unfortunate truth is that a CISO’s value may only be fully realized when an incident occurs. The CISO can become a crucial driver of not only digital transformation but also risk management. Effective information security practices are vital both in preventing a successful incident and responding to one.

Legal professionals understand risk management and its related urgency. Not being aware of statutory requirements can prove costly to companies, not to mention the harm to reputation that may follow. This is another clear argument for promoting GC/CISO alignment.

GC’S OFFICE OFFERS VISIBILITY

The GC is broadly aware of an organization’s risks and objectives and maintains a good understanding of its clients and internal stakeholders. Hugh Tower-Pierce, CSO at Oscar Health, believes that “reporting lines for CISO and CSO roles other than to the technology executive often carry a progressive perception.” When the security organization reports to executives such as the GC or the CFO, there is an inherently stronger alignment on risk management responsibilities. Security’s relationship with the company’s technology leadership will always be key to security success, but a reporting line elsewhere will help level situations where technology and security have competing priorities.

The CISO may be able to exert stronger control outside of technology in areas such as employee cyber awareness and education, policy development and even programs of cultural change.

CEOs recognize the critical nature of cybersecurity and its regulatory demands and risks. While the GC’s office drives risk management strategy, the legal department tends to engage with cybersecurity only on an episodic basis, so a CISO can become a well-regarded adviser to it. The GC’s office also has less interest in security as an operational issue. The best way to handle matters related to information governance and compliance is through the GC, since she/he has an understanding of corporate direction and often serves as board secretary.

In addition, the GC gains a complete perspective of the organization’s overall risk management strategy by taking the lead on security. A CISO’s understanding of how information is protected is vital for organizations as they face security challenges. So, while lawyers can offer the bridge to deliver the message more effectively to the company and external parties, CISOs are best equipped to understand new threats and their attendant results.

AN ALTERNATIVE APPROACH

When it comes to managing cyber risk, there is a tendency to create a new process that is not part of the company’s existing risk management framework. That is a mistake. Cyber risk should be managed similarly to other strategic business risks, while noting there are two key challenges.

First is the gap in language perception and understanding that exists between the typical business leader and most tech leaders. This makes it hard to talk about the risk-benefit tradeoffs of bringing in new technology. Second, organizations do not have the “actuarial” data to adequately estimate the costs to a business resulting from a successful breach — liability costs, intangibles like reputation loss, and increased oversight and regulation. In most organizations, there is not a single leader or group with sufficient depth and breadth to manage cyber risk from a business level.

One way to approach this challenge is to create a cross-functional group whose responsibility it is to integrate cyber risk into the existing enterprise risk management framework. The group is responsible for reporting to the board on the company’s management of cyber risk. The group should focus on developing metrics and reporting that clearly show how well the company executes against the following three cybersecurity value drivers: (1) Do we adequately understand the threat to our business? (2) Can our business survive a successful attack? (3) How do we know we are effectively and efficiently managing our cybersecurity spend?

The GC is an excellent choice to lead this group based on his/her already extensive role in risk management and routine interaction with the board. Key members of the group may include the CIO/CISO, major business unit representatives, HR, corporate communications and perhaps an outside consultant.

This approach drives two cultural changes. First, it makes key leaders across the organization dive in and become familiar with all aspects of managing cyber risk so they may learn the key concepts, terms and language around cybersecurity. Second, this group will naturally translate what they have learned into “business speak,” since most of them are not technology leaders. The result will be more effective communication with the executive team and the board, and a general improvement in dialogue about cybersecurity. This approach works, and it can drive cultural change around how the organization treats cyber risk. But as with any cultural change, tone at the top is critical. The CEO must drive this change until it becomes embedded in the company’s overall approach to risk management.

CISOs face a host of new and emerging challenges, including risks generated by the ubiquity of connected mobile devices, the drive toward cloud-centric services, complying with fractured regulations, the threat of state-sponsored attacks and increasingly sophisticated global cybercriminals. Indeed, organizations are strengthening the role of the CISO so that they are better able to handle the protection of data and the response to threats. While the GC will not be expected to understand how security operations are carried out, they do have the normative legal framework and a sense of how to provide risk mitigation.

Successfully meeting risk mitigation obligations is a team effort. A partnership must exist across the enterprise between the GC, IT, and security organizations to establish the proper controls and enlist the proper operating executives. Given the continually changing skills required in each of those domain areas, the GC is positioned to lead this collaborative effort. Reporting to the GC may provide the foundation for what CISOs should be focusing on next: moving beyond the security silo to play a central role in overall business leadership.

Thomas Yohannan is VP, Enterprise Sales for Aon Cyber Solutions focusing on security, forensics and cyber insurance. He serves as a Security Advisor to the U.S.-Israel Economic Mission as well as a contributing author for Thomson Reuters’ three-volume legal treatise, Cybercrime & Security. thomas.yohannan@aon.com

Paul Lanois is a global privacy, data protection and information security professional and is currently a Director of Technology and Privacy at Fieldfisher. Paul.Lanois@fieldfisher.com

Maj. Gen. (Ret.) Brett Williams is a co-founder and the Chief Operating Officer at IronNet Cybersecurity. In his last active duty assignment, he was the Director of Operations for United States Cyber Command. brett.t.williams@icloud.com
