CISOs Can Find Allies at the General Counsel Office
CISOs who build strong working relationships with General Counsel gain a powerful ally for navigating compliance obligations, protecting intellectual property, and managing risk. The regulatory landscape, from privacy laws to SEC cyber disclosure rules, makes this collaboration more valuable than ever.
Chief Information Security Officers (CISOs) and their equivalents differ in their reporting structure. Cybersecurity groups may roll up to the CIO, CEO, CFO and COO functions and collaborate with numerous other groups within the organization. I’d like to make a case for aligning the CISO position with the organization’s Chief Legal Officer (CLO), often called General Counsel.
The Role of General Counsel
General Counsel typically occupies the following roles, according to The Discrete Roles of General Counsel by Deborah DeMott:
- “Legal adviser within the corporation to its constituents in an individual professional capacity
- Officer of the corporation and member of the senior executive team
- Administrator of the corporation’s internal (or ‘in-house’) legal department
- Agent of the corporation in dealings with third parties, including external (or ‘outside’) counsel retained by the corporation”
Performing these duties involves keeping an eye out for risks that might put the organization in jeopardy from a legal perspective.
CISOs + General Counsel = ?
Considering that much of today’s cybersecurity spending is driven by regulatory and contractual compliance obligations, CISOs can find allies and champions among their organization’s legal professionals. The following are some of the ways in which the goals of CISOs and General Counsel intersect:
- Legality of established security policies: Both roles have an incentive to confirm that the policies don’t violate laws while providing sufficient documentation to meet legal obligations.
- Protection of intellectual property: Both roles are often tasked with safeguarding the organization’s intellectual property.
- Balancing the risk exposure with business objectives: Both roles usually have the responsibility to identify and address factors that might put the organization at risk.
- Meeting compliance obligations: Both roles need to be mindful of regulatory and contractual compliance obligations imposed upon the organization.
- Critiquing decisions made by other groups: Both roles benefit from the freedom to oversee and critique the actions and decisions of other teams. (CISOs who report to CIOs often lose this independence and are at a disadvantage.)
General Counsel can be a valuable ally to the CISO, because in-house attorneys are exposed to most aspects of the organization’s function, and often have more clout than the CISO to effect change. In some cases, this means the organization’s security program might benefit from the CISO rolling up to General Counsel. In others, informal collaboration might assist both roles in furthering their causes.
Regulatory Trends That Strengthen This Alliance
Several developments reinforce the case for CISO-General Counsel collaboration:
- Privacy regulations: GDPR, CCPA, and a wave of state privacy laws place legal counsel at the center of data protection decisions that directly affect security programs. This dynamic also creates opportunities for security and privacy teams to break barriers together.
- SEC cybersecurity disclosure rules: Public companies must report material cyber incidents within days of determining that they are material, and must describe board-level oversight of cybersecurity risk. Because deciding whether an incident is “material” is a legal judgment that depends on the CISO’s technical assessment, these rules pull legal and security teams closer together.
- Breach litigation: The volume and cost of breach-related lawsuits and regulatory enforcement actions continue to grow, making the GC’s risk management role more intertwined with the CISO’s.
- AI and data governance: Regulations around AI systems and cross-border data transfers create additional overlapping responsibilities for both roles.
Whether through a formal reporting relationship or informal partnership, CISOs who invest in building a strong working relationship with General Counsel position themselves to navigate these challenges more effectively. The overlap in responsibilities is too significant to leave to chance. Start by identifying a specific compliance or risk concern you share, and use it as the basis for an ongoing conversation.