Nov. 8, 2001

As corporate America grapples with cybercrime, privacy regulations and a potential onslaught of lawsuits over privacy intrusions and failed information security, many executives increasingly view security as a legal issue as much as a technological one. (For more information on liability issues, see CIO's Nov. 1 cover package, “See you in Court.”)

The result? A small but growing number of companies are taking some or all of the responsibility for security off the shoulders of the CIO and giving it to the legal team. Often, the legal department is made responsible for writing security policies, while the IT team is responsible for enforcing those policies.

So far, our sources say that this approach is most common at large, heavily regulated financial institutions. But startups and companies in other industries have also taken steps along these lines. At Marriott Hotels, for example, the organizational structure involves a dotted line between the CIO and an information security expert who is part of the legal department. And E*trade actually moved information security out of IT and into the legal department.

That may not be welcome news for CIOs who realize that security is one of the most important things that companies have to deal with in the coming years. But many experts applaud such moves, saying it's a conflict of interest for the CIO to be in charge of security.

“The CIO is placed in a position of needing to make decisions between conflicting objectives,” says Charles Cresson Wood, author of Information Security Roles and Responsibilities Made Easy. “When it comes down to a decision between which are you going to have, faster response time, shorter time to market, lower cost or some other objective which is a traditional IT job, security in many cases will be going in the opposite direction, slowing things down, reducing time to market. The CIO may make decisions that will indirectly compromise information security.”
Nearly everyone recognizes the need for the IT and legal departments to work together, at least on some level. “In the ideal world, in the companies that we're involved with, we're asking them to closely align themselves with legal,” says David Remnitz, executive vice president of global professional services at the security firm Vigilinx in Parsippany, N.J. “We like to see a [partnership] with the general counsel's team to make sure they are in the loop.”

The question is, just how tight should that relationship be, and who should be in charge of managing it? For all of its legal implications, information security is a difficult and highly technical job, and a job that's done best when it's built into every step of a new project and not imposed upon it afterwards.

So tell us: What will you say when your legal department comes knocking? Or have you already found a way to work together?