Companies looking to create strong security and privacy protocols have to encourage their IT and legal departments to not only work together, but each should learn a little of the other's job.
Creating a well-oiled IT-legal machine should be a goal of any corporate board of directors, said a panel of experts at the Legaltech 2016 show being held in New York City this week. The main thrust of the session Cyber Security: GCs (General Counsels) on the Front Line was CISOs and GCs will have to work more closely to deal with cyberthreats.
“This is not just an IT issue and you can't expect the CTO to manage it alone,” said Jason Straight Chief privacy officer for UnitedLex.
Edward McAndrew, formerly assistant U.S. attorney, cybercrime coordinator U.S. attorney's office Wilmington Del., said he has seen organizations where legal and IT have had little contact prior to a security event and that can cause problems because neither side knows and understands the other.
“When it comes to cybersecurity IT and GC are in it together. Respecting each others' roles is critically important,” he added.
Panelist Tim Greene, senior editor for Network World, said, “the two departments have to work as a team and keep the big picture in mind. Don't let things develop into a turf war.”
If some level of trust and understanding is not develop before an emergency presents itself all kinds of problems can arise.
One of the biggest mistake is for a general council (GC) to come storming into an on-going security situation and start making threats, instead they should be sensitive to the IT department's personnel, Straight said, adding such an aggressive approach will just make people fear for their jobs and will likely result in less cooperation.
One way to avoid any misunderstandings is for each side to learn a bit about the other.
McAndrew suggested GCs and other executives need to understand the threat landscape, which data is of value in and needs protection, along with where it is transmitted.
On the flip side Greene noted that some CISOs and IT leaders focus so intently on the technical aspect of their jobs that they may not be aware of the legal implications. This can also cause problems and he recommended cross-training for all sides.