Every CISO needs access to skilled legal counsel, a trusted advisor who can address the challenge of protecting enterprise and customer data as well as complying with an ever-growing maze of international industry and government mandates. Finding an attorney who understands the serious issues CISOs face can be a formidable task. Only a relative handful are knowledgeable in technology, security and privacy issues.
That's a good reason for CISOs to participate in the hiring of a general counsel (GC). The following five questions will help CISOs cut through the candidate crowd and find the legal counsel best equipped to help the organization and its customers and business partners stay safe and secure.
1. How will you respond to our call for help?
Time is of the essence when a breach occurs. For most enterprises, the cost created by mismanaging legal risks far outweighs the expense of technical fixes and recovering lost systems. "Having an experienced law firm on retainer and preparing for an incident response in advance is critical," says Leo Taddeo, CISO at data colocation provider Cyxtera.
It's particularly important to determine who will make the key decisions in the minutes and hours after a breach begins. If no management representatives are immediately available, will the attorney be empowered to take the actions necessary to protect critical enterprise resources?
Most GCs are comfortable making risk-sensitive decisions, but rarely are those decisions also time sensitive, observes Steve Zalewski, deputy CISO at Levi Strauss and Co. "If a GC is pulled into a cyber crisis, it's usually because a host of containment measures have already failed and drastic measures may be required to neutralize the attack," he notes. "During an escalating cyber incident, GCs may have minutes, if that, to make an important call." Since the GC is often the designated second in command when the CEO is unavailable, the CISO needs to find someone who's comfortable with making critical calls, such as shutting down email, retail websites, or billing systems.
Zalewski suggests looking for a GC who has a track record of making tough decisions without hesitation. "I've found that [attorneys] with military experience will often have a better perspective and preparation for being in the decision seat," he says. "The focus on mission and the training they receive in operating under crisis situations both dovetail well into cybersecurity incident response."
2. How strong are you in regulatory and incident response law?
Privacy and security laws and regulations are evolving rapidly, even as enterprises face a seemingly endless torrent of emerging challenges. From a security/privacy standpoint, it's important to find a GC who specializes in regulatory and incident response law. "Too often, technology attorneys who are very experienced in IP licensing don't view data privacy or data security as within their own wheelhouses," explains attorney Kimberly Verska, CIO at law firm Culhane Meadows.
If a GC isn't fully versed in key security and privacy issues, it may be necessary to allocate funds to have the GC meet with privacy/security law experts to gain knowledge about emerging privacy and security trends. "This can become very expensive if the attorney selection process hasn’t resulted in a technology attorney who can handle all the issues presented," she notes.
3. Do you understand our technologies and business model?
An attorney specializing in technology law should have deep insight into each client's business model, systems, and potential vulnerabilities. "It's important that a corporate lawyer for enterprises holds the ability to operate efficiently with limited information in an expeditious manner, with confidence," says Matthew Rogers, CISO at IT management software provider Syntax. The attorney should also have the ability to occasionally challenge new laws and regulations, possibly setting new precedents for future industry guidelines. "Many of the situations they will be litigating are in uncharted waters, so they'll need to find some comfort and confidence in that space," he adds.
To find suitable GC candidates, Rogers suggests seeking advice from CISOs at enterprises in similar industries that aren't direct competitors. "That way, you can explore their history of litigation experience with ... new privacy and security laws," he notes. "Experience with regulations like HIPAA and having a complete understanding of NIST 800-171 requirements is crucial."
4. What makes you a good communicator?
The CISO and attorney need to be able to work together as a team. A lawyer who's arrogant, stubborn, hard to reach, or simply doesn't like to talk is a major liability. "Constant communication between the CISO and the legal advisor can help the organization identify any legal risks that the CISO was not aware of and, of course, contribute to documenting policies, SLAs [service level agreements], and achieving security compliance," says Victor Kritakis, CISO at online learning platform provider TalentLMS. He adds that it's also important that the attorney be able to communicate insights in a way that exhibits "a solid understanding of the basic threats a company can face in a rapidly changing and evolving cyberspace."
Zalewski suggests looking for an attorney who has the ability to listen first and talk second. "A lot of corporate lawyers like to tell people what to do and are used to giving orders, but a cyber crisis always has a unique set of circumstances," he says. The GC must be a good listener, not simply a one-dimensional order giver. "During a cyberattack, or really in any crisis, it's hard for anyone to make good decisions or provide sound leadership without context and situational awareness, which requires a conversation—especially at 2 am."
5. Can you describe a challenge that you were able to resolve with a novel approach?
Many cybersecurity and privacy issues are complex and can't be quickly addressed with a generic solution. This is why it's important to have access to an attorney who can think differently, unconventionally, or from a new perspective. This is particularly true when navigating the increasingly complex web of state, national, and international laws and regulations. "CISOs and enterprise decision makers need pragmatic solutions that responsibly enable the organization to address evolving regulatory requirements," advises Nevin Markwart, CISO at FutureVault, a cloud-based data and document management platform provider.
Rather than looking to past precedent, enterprise leaders need a corporate counsel who can creatively respond to new challenges in a rapidly evolving legal landscape, says Karen Walsh, CEO of cybersecurity compliance advisory firm Allegro Solutions. "For example, plaintiffs’ firms have been getting more creative, looking for ways to establish class action privacy lawsuits under wiretap laws, as evidenced in the June Brown, et al. v. Google lawsuit," she notes. "CISOs need legal counterparts who can understand technology’s impact on business outcomes as opposed to the technology’s inner workings."