The business world was incredibly interconnected before the pandemic. Now that COVID-19 forced five years of tech adoption in three months, and with new technologies on the horizon, this trend isn’t reversing any time soon.
And while this global upgrade has many uses, and enables you to move huge parts of your life online, it also brings an increased focus on information security. Necessarily so.
Information security (Infosec) plays a vital role for all businesses that handle customer, client, or employee data. Nowadays, that’s pretty much every business.
Security breaches can seriously damage a company’s reputation, if not end their success altogether. Conversely, good cybersecurity can be a competitive advantage.
- Enables teams to build and implement their applications safely
- Allows the business to build trust with their customers
- Enables the organization to protect the data they collect and use
- Protects the tech used by teams within the company
What does Infosec have to do with GCs?
As the CEO and Co-Founder of Juro, I know how in-house legal teams work, particularly the General Counsel. The top lawyer in a company is increasingly focused on ‘adding value to the business’ as lawyers seek to bring their commercial savvy to bear to help with strategic projects.
But the first duty of a GC is to protect the company from legal risk – and in an interconnected world, the risks associated with breaches of information security loom large, both in terms of commercial and reputational impact.
It’s imperative that General Counsel work with Chief Information Security Officers (CISOs) to protect the business from an ever-growing array of risks.
“It's essential that legal ensures information security doesn't just live on paper. Instead, everyone needs to understand the measures businesses implement to protect data. This is becoming more crucial as the world becomes even more digitized, with the pandemic acting as a tremendous accelerator to this trend.”
The lawyer – CISO dynamic
Lawyers don’t always play well with others. Historically, lawyers and CISO have kept their distance. The IT department of a traditional business was one of the last places you’d expect to find the General Counsel.
But over the years, the need for a CISO has grown, and the dynamic between the two roles has changed, for several reasons:
1. A huge explosion in SaaS businesses
Even pre-COVID, the increase in automating processes – which moved traditional industries like finance, healthcare and legal into the cloud -drove an upsurge in adoption of SaaS tools.
Sales moved into Salesforce, marketing into HubSpot, and even legal teams moved online by embracing matter management and contract negotiation tools, alongside stalwarts like Zoom and Slack which seem to be ubiquitous to every business.
Since the advent of COVID and universal lockdowns, it can often seem like collaborative SaaS platforms have become the rule, rather than the exception, such is their rate of adoption. But all these exciting changes present their own unique challenges when it comes to information security.
With so many verticals becoming digital-first overnight, their exposure to malicious (and negligent) actors both in and outside of the organization has led to a corresponding increase in legal risk.
Tessian research shows that 48% of employees say they’re less likely to follow safe security practices when working from home, and 84% of security leaders data loss prevention (DLP) is more challenging when their workforce is working outside of the office.
It’s vital that GCs and CISOs help the business navigate the new world safely – together.
2. The ever-changing privacy landscape
Most of these applications and SaaS tools require personal information of some kind, making privacy a key concern from day one. The complexity around this challenge only grows as the business does, which is why it’s essential that lawyers work with CISOs to manage that data security risk.
Layered on top of this is the regulatory environment for personal data.
GDPR was a slow-moving iceberg that many businesses still haven’t fully reckoned with; the future is set to become even more complex thanks to developments like the Schrems II decision.
“GCs need to understand the data that their organizations capture and the systems that process them. The relationship between GCs and their CISOs is critical to ensuring that there is that common understanding to marry the legal framework with the organisational reality.”
What can GCs do to protect their company’s information security?
Taking a leading role in information security doesn’t need to be daunting for legal counsel – in fact, a few simple steps can make all the difference.
1. Support CISOs
GCs can ensure that they’re giving information security the attention it deserves by supporting and advising on any issues that arise. Often at a smaller business, there’s a single person assigned to manage Infosec – and much like the first lawyer at a scaling business, they have a mountain of work to do. Even in larger enterprises organizations, security teams can be thinly-stretched and resource-constrained.
Supporting CISOs through proactively dedicating a set amount of time and having regular check-ins can ensure that both lawyers and CISOs aren’t buried under this work in the future, as the business continues to grow.
Tone at the top dictates how others respond – it’s important for leaders to set the right example.
Looking for a framework to help you establish better relationships with the right people? Use this template.
2. Offer training
It’s important to emphasize that Infosec is a shared responsibility across the whole business – while one person may have ownership of it, it’s every employee’s responsibility to ensure the information processed by the business is secure, and data isn’t vulnerable to common attacks like data exfiltration and spear phishing..
GCs can help CISOs with this task by setting up training sessions with other teams in the company, to keep everyone up to date with the latest techniques.
For better or worse, lawyers are often seen as ‘bad cops’ in the business – having their backing for, and involvement in, data compliance training should reinforce the seriousness with which colleagues should approach the issue. Training shouldn’t be a one-off, of course – it should be part of every employee’s onboarding, and revisited on a regular basis.
The bottom line: as the threats in Infosec constantly adapt, so should the methods used to mitigate risk and keep data safe. GCs and CISOs should work together to review the policies, frameworks and training in place, and iterate where necessary.
Falling behind on this will expose the business to risk. By prioritizing these tasks and placing security at the heart of everything they do, lawyers can ensure that their businesses continue to handle data securely as they scale.
Written by Richard Mabey, CEO and co-founder of Juro.