In Depth
Data Breach Fallout: Do CISOs Need Legal Protection?
Since the security executive is on the hot seat after a data breach, some industry experts suggest CISOs get themselves some form of liability protection. The downside is that such protection could shield those who deserve the blame for an incident.
By Bill Brenner, Senior Editor
"Within the organization, we have to find the risk, expose it and communicate it to upper management. We have to say 'here are the steps we must take to protect ourselves' and make them sign off on it. Make the executive responsible for accepting the risk," he says. Contract or not, he says CSOs would be wise to document as much of their security program as possible, including who approved or declined a proposed procedure. [Editor's note: One might find a downside to this approach, since the executive culture might not take kindly to the fact that you're documenting their decisions. But some managers do use sign-off forms for accepting business risk.]
Meanwhile, Moraetes says, CSOs have to start brushing up on legal matters they used to be immune from: the gathering of evidence, preparing for legal depositions in the event of an incident, and so on.
"These are things CSOs don't have much experience with today," he says. "They need training on how to deal with the legalities."
Lawhorn says security professionals must familiarize themselves with all the departments and functions within their organization and plant the seed of internal control. This requires, among other things, communicating with the company lawyers.
"CISOs are faced with the internal pressure not to allow security breaches to occur as well as to drive the organization to demonstrate control," he says. "It is clear that the trend emerging to offset these issues is originating from the legal side of the house. In an attempt to mitigate liabilities, many CISOs are now finding that the traditional ways of implementing security in an organization are just not working. In fact, many companies forbid the security function to have open discussions with the legal and compliance teams in order to preserve the status quo or for political reasons."
In the final analysis, experts say, the best insurance policy for CSOs is a security program that keeps incidents from happening in the first place.
Dan Lohrmann, CISO for the State of Michigan, notes that his staff is adequately protected as long as the team is following industry and government security best practices. Besides, he says, state workers are self-insured.
"We have discussed this issue within Michigan state government and have been approached by outsiders offering breach and legal insurance protection, but we turned them down," says Lohrmann, who maintains the Lohrmann on GovSpace security blog on CSOonline. "State employees are [also] protected by the state Attorney General's Office, as long as we are performing our professional duties."