CISOs Can Find Allies at the General Counsel Office

Chief Information Security Officers (CISOs) and their equivalents differ in their reporting structure. Information security groups may roll up to the CIO, CEO, CFO and COO functions and collaborate with numerous other groups within the organization. I’d like to make a case for aligning the CISO position with the organization’s Chief Legal Officer (CLO), often called General Counsel.

The Role of General Counsel

General Counsel typically occupies the following roles, according to The Discrete Roles of General Counsel by Deborah DeMot (PDF):

  • "Legal adviser within the corporation to its constituents in an individual professional capacity
  • Officer of the corporation and member of the senior executive team
  • Administrator of the corporation’s internal (or ‘in-house’) legal department
  • Agent of the corporation in dealings with third parties, including external (or ‘outside’) counsel retained by the corporation”

Performing these duties involves keeping an eye out for risks that might put the organization at jeopardy from a legal perspective.

CISOs + General Counsel = ?

Considering that much of today’s information security spending is driven by regulatory and contractual compliance obligations, CISOs can find allies and champions among their organization’s legal professionals.

The following are some of the ways in which the goals of CISOs and General Counsel intercept:

  • Legality of established security policies: Both roles have an incentive to confirm that the policies don’t violate laws while providing sufficient documentation to meet legal obligations.
  • Protection of intellectual property: Both roles are often tasked with safeguarding the organization’s intellectual property.
  • Balancing the risk exposure with business objectives: Both roles usually have the responsibility to identify and address factors that might put the organization at risk.
  • Meeting compliance obligations: Both roles need to be mindful of regulatory and contractual compliance obligations imposed upon the organization.
  • Critiquing decisions made by other groups: Both roles benefit from the freedom to oversee and critique the actions and decisions of other teams. (CISOs who report to CIOs often lose this independence and are at a disadvantage.)

General Counsel can be a valuable ally to the CISO, because in-house attorneys are exposed to most aspects of the organization’s function, and often have more clout than the CISO to affect change. In some cases, this means the organization’s information security program might benefit from the CISO rolling up to General Counsel. In others, informal collaboration might assist both roles in furthering their causes.

For more thoughts on the reporting structure of CISO, take a look at:


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more