Anxiety among corporate legal teams about data security is at an all-time high. As shown by an August 2012 survey by Corporate Board Member and FTI Consulting, more than half of general counsel (55 percent) rate data security as a major concern, as do 48 percent of directors. This growing concern feeds upon an ever-rising tide of publicized data breaches, government sanctions against offending organizations, high-profile international policy disputes and myriad regulations. There are also the constant reminders of threats to intellectual property, high-tech financial crimes and thefts of private customer data. Yet, while working with your chief information security officer (CISO), there is much you can do to mitigate these concerns.
What CISOs Don’t Need
Attorney panelists at a recent, highly anticipated conference for CISOs discussed all the hot topics of information security: cloud security, EU data privacy, data breach responses, recent case law and regulatory updates. To the CISOs’ dismay, however, the discussion devolved into debates in which panelists took opposite sides and hotly advocated their personal views. Many CISOs came away disillusioned. They wanted practical guidance about compliance and best practices, but got minutiae and theory.
What CISOs Want
Of course, CISOs should understand the reasons for regulations and stay abreast of trends for information security compliance. Yet, to be able to act, they need clear guidance on practical questions that impact business decisions. Answering these questions will significantly boost both your partnership with the CISO and your company’s ability to comply: What requirements apply to your industry? Are all requirements created equal? What factors matter when analyzing competing regulations? What regulations are being vigorously enforced? How does the size of your company impact obligations or enforcement? Are there varying degrees of regulatory enforcement within industries? Across industries? What are the penalties for noncompliance? How are industry peers approaching compliance? What are the root causes of noncompliance? How does one compliance approach compare with another? Can less expensive approaches be good enough?
These questions are tough, to be sure. They require sound judgment, understanding your industry, assessing risks and predicting trends. You should specify the reliability of your advice, for example, by stating your level of confidence in your answers. But answering these practical questions in plain terms will increase cooperation and give CISOs the counsel they are seeking. Working together, you can craft a compliance approach that is attainable and tailored to your company.
The Evolving Role of General Counsel
KPMG’s recent Global General Counsel Survey highlights several trends, including:
- General counsel need to become more involved in operational details, gaining a better understanding of how the business works.
- Successful general counsel understand what the business is trying to accomplish and can offer reasonable approaches to controlling risk.
- General counsel are partnering with senior leaders to understand common challenges and contribute to an understanding of how today’s investments may prepare for tomorrow’s risks and regulatory challenges.
- General counsel will arrive at enterprise risk strategies jointly with specialist input from a variety of corporate knowledge domains, and will do so in simple, crisp language familiar to the stakeholders.
Each of these trends applies to information security compliance.
Getting to Know Your CISO
Avoid the tendency to feel overwhelmed by the complexities of information security. CISOs and in-house counsel are both highly specialized, each commanding arsenals of knowledge, analytical tools and techniques, but pursuing a common objective: managing risk. Take the time to understand your CISO, the business problems he or she is trying to solve and the looming obstacles. By collaborating, you need not become an expert on IT, a tendency that all too often subverts the CISO-GC relationship by stepping on toes. Rather, you can wed your existing skills to those of the CISO.
CISOs must prioritize funding and staff to reduce risk, achieve compliance and defend their enterprises. CISOs’ desks are stacked with the latest white papers and analyses of the latest regulations. While they need plain-English interpretations of regulations, this is only the beginning. CISOs also want guidance on reasonable, acceptable and practical approaches to compliance. They need forward-looking strategists who can help them do more with less, in a reasonable and defensible way.