Chief Information Security Officers (CISOs) and their equivalents differ in their reporting structure. Information security groups may roll up to the CIO, CEO, CFO and COO functions and collaborate with numerous other groups within the organization. I’d like to make a case for aligning the CISO position with the organization’s Chief Legal Officer (CLO), often called General Counsel.
The Role of General Counsel
General Counsel typically occupies the following roles, according to The Discrete Roles of General Counsel by Deborah DeMott (PDF):
- “Legal adviser within the corporation to its constituents in an individual professional capacity
- Officer of the corporation and member of the senior executive team
- Administrator of the corporation’s internal (or ‘in-house’) legal department
- Agent of the corporation in dealings with third parties, including external (or ‘outside’) counsel retained by the corporation”
Performing these duties involves keeping an eye out for risks that might put the organization in jeopardy from a legal perspective.
CISOs + General Counsel = ?
Considering that much of today’s information security spending is driven by regulatory and contractual compliance obligations, CISOs can find allies and champions among their organization’s legal professionals.
The following are some of the ways in which the goals of CISOs and General Counsel intersect:
- Legality of established security policies: Both roles have an incentive to confirm that the policies don’t violate laws while providing sufficient documentation to meet legal obligations.
- Protection of intellectual property: Both roles are often tasked with safeguarding the organization’s intellectual property.
- Balancing the risk exposure with business objectives: Both roles usually have the responsibility to identify and address factors that might put the organization at risk.
- Meeting compliance obligations: Both roles need to be mindful of regulatory and contractual compliance obligations imposed upon the organization.
- Critiquing decisions made by other groups: Both roles benefit from the freedom to oversee and critique the actions and decisions of other teams. (CISOs who report to CIOs often lose this independence and are at a disadvantage.)
General Counsel can be a valuable ally to the CISO, because in-house attorneys are exposed to most aspects of the organization’s functions and often have more clout than the CISO to effect change. In some cases, this means the organization’s information security program might benefit from the CISO rolling up to General Counsel. In others, informal collaboration might assist both roles in furthering their causes.
For more thoughts on the reporting structure of the CISO, take a look at:
- Who Should Infosec Report To? by Dave Shackleford
- CISO Reporting to Board of Directors: Myth or For Real? by Dhwani Pandya
- A Current View of the State CISO by NASCIO (PDF)