Legal Is from Mars, Security Is from Venus
When the security team and corporate lawyers get together, it's usually a rocky relationship.
By David H. Holtzman
October 01, 2003 — CSO — Lawyers and security officers make for poor soul mates. The security staff gets frustrated by the perceived pettiness of attorneys, and everyday security activities make messes that lawyers have to clean up. It's like the general counsel (GC) is standing in a grocery store with a mop, watching a herd of sumo wrestlers stampede down the dairy aisle to see who can get to the eggs first.
Every action that the CSO takes increases the risk that the company may be sued. If organizations monitor client data to scan for Trojan horses or read employee e-mail to enforce acceptable-use policies, then the target may sue them for invasion of privacy. If companies don't scan client data and an avertable disaster happens, then they could get sued by shareholders or even by the government for noncompliance with the USA Patriot Act.
The nature of a security organization is to protect the company and its constituents from malicious behavior. The department rarely has the authority to unilaterally dictate policy, so a major part of the job is evangelical.
The worst part of security requests is that they leave a paper trail. Every ignored recommendation is a headache for the GC because it removes plausible deniability as a defense and raises the specter of big damage awards from a jury.
The legal department usually responds to this with one of two strategies: publishing exaggerated risk disclosures or collecting signed waivers from every entity that deals with the company. This includes strong-arming employment agreements, nondisclosure agreements and invention assignments from insiders, as well as neutralizing customer complaints by papering caveats on every flat product surface. That's why if you read the fine print, cellular services don't commit to connectivity, antivirus checkers aren't promising to find viruses and operating systems say that they may not operate. Legalese sanitizes the corporation by discarding vulnerabilities.
The domestic squabbling continues even if the sky does fall. Security's impulse is to call the cops because it wants to find out what happened in order to prevent a recurrence. Legal prefers a private investigation that emphasizes identifying the culprits and the victims, so it can sue the former and get releases from the latter.
Lawyers look at the present but argue based on the past and precedent. Security officers argue for the future by looking at the present. They're not even in the same mental time zone. Legal has only one customer, the company, and its primary mission is to limit that client's exposure. Understanding this perspective can transform the CSO into a better communicator and a more effective manager.
One of the chief strengths of lawyers is that they're interpersonally simpatico with the MBA crowd. When they bring up a problem at a meeting, you can be sure they've "socialized" it first. Security officers can adapt this strategy for their own purposes by reviewing their proposed policies with a pseudo-legal eye, suggesting caveats as part of the package, and ideally, asking legal to help with the wording.
Like vinegar and oil, sharp security doesn't mix well with contractual grease. The clashing between the two is not only distasteful but can ultimately neutralize the security guru because inevitably he will lose. The smart and sophisticated CSO, knowing this, will take the best of both and add a grain of salt.