Over the past several years, the number and scope of regulations that protect personal data have been growing around the world. Organizations were feeling pressure to strengthen systems and processes in preparation for effective security incident responses. Then COVID-19 became a fact of life last spring. Workforces that could do so moved to remote work and began relying on web-based file-sharing as well as videoconferencing services – introducing new risks for organizations to manage.
Meanwhile, businesses have accepted the common rhetoric that it’s no longer a question of if but when they’ll become the targets of cyber criminals. Many are already aware that implementing systems and processes won’t be enough without close and constant collaboration between their legal, information technology (IT), and security functions.
Additionally, businesses should provide tools that support this kind of concerted and secure collaboration within the organization. At Diligent’s Modern Governance Summit, Diligent’s Chief Information Security Officer Henry Jiang conducted a fireside chat entitled “Legal and IT: How Do You Work Together in This Virtual World?” He spoke with Jack Van Arsdale, Senior Vice President and General Counsel at Diligent, who also serves as our Data Protection Officer. The two discussed the risks inherent in a siloed approach to legal and IT security functions and described practices that tighten the links between these teams.
Better Team Alignment
A security incident response team is not just security. It should [include] all different teams: marketing and PR, legal, technology, and even sometimes finance and HR. Security incident response really is very much a collective effort.
– Henry Jiang, Chief Information Security Officer, Diligent Corporation
The silos that sometimes separate legal, technology and data security functions arise from the history of how business gets done. Historically, these functions intersected only sporadically. Then, information systems began to operate in support of every function, and all business processes came to rely on digital platforms. More jurisdictions were tasked with protecting citizens’ data, and cybersecurity became a matter of law and contractual obligation. Smart businesses realized that the duties once cleanly split between legal, technology, and data security had begun to intersect. When a breach or incident occurs, a preexisting pattern of collaboration ensures a rapid and effective response from close-knit and cooperative teams. But building a foundation of continuous communication must happen first.
Ideally, legal, IT and data security teams collaborate to draft and implement the business’ security policies and procedures. They document the roles and responsibilities of each function as components of those policies and procedures. Collectively, they build “muscle memory” by conducting cyber breach exercises together. Tabletop exercises solidify the use of predetermined tools to handle cyberthreats.
To make that ideal a reality, teams must articulate how their roles dovetail with one another’s. For most organizations, these delineations are typical:
- The legal team is responsible for interpreting the regulations that drive cybersecurity policies and procedures. They provide oversight of the company’s data protection strategy and its implementation. They determine breach notification requirements based on regulations and the contractual obligations of the business. They liaise with law enforcement agencies, and work on claims and investigations related to cyber-crimes. When drafting and negotiating contractual security exhibits, they engage the security team as a trusted advisor.
- Cybersecurity teams develop and maintain security policies and standards. Cybersecurity or a separate compliance team ensures the company’s security program is compliant with industry standards.
- IT is accountable for implementing controls that are based on those policies and standards. IT and cybersecurity teams validate the effectiveness of the controls and analyze systems and processes for gaps. They perform routine security operations together and escalate potential security incidents to other teams.
Clarifying roles is one thing, and operationalizing collaboration is another. What does good collaboration among these teams look like, and how do businesses get there?
Working Together for a Better Security Incident Response
Preparation is the most important thing. You want to be organized; you want to have everything in one place […] so when you have an issue, you don’t have to run through the basics. You want to be spending your time focusing on the important things.
– Jack Van Arsdale, Senior Vice President and General Counsel, Diligent
First, develop a robust data privacy program. Invite stakeholder teams to participate in relevant policy design workshops. Conduct annual training on the program to ensure a high level of literacy and awareness.
Secondly, communicate any updates to regulations concerning data privacy and cybersecurity. Then clarify the regulations’ relevance to particular business processes. Next, alert stakeholders about upcoming security and compliance deadlines as well as related business responsibilities.
Thirdly, refine roles and responsibilities through regular tabletop exercises that rehearse data breach scenarios. Implement an incident response system and practice its use in these exercises. Include contractually and legally required notifications in exercises to ensure familiarity with who needs to be notified when, depending on jurisdictions, contracts, and which data elements (such as social security numbers, telephone numbers, health information or even IP addresses) are impacted.
Finally, evaluate the tools and channels that support the organization’s most sensitive communications. In particular, consider what tools are used by the board, the C-suite and their direct reports. In addition, consider tools used by departments such as legal, finance and human resources that also handle classified information. Teams should be using encrypted tools for communicating as a group or one-to-one, as well as for sharing and reviewing documents offline together, and for secure meeting management.
The main way of aligning is just constant discussion about law, and in planning for if something goes wrong. Henry and I often do […] a mock data breach exercise. […] Building the muscle is probably the most important thing […] to get a good plan in place so that in the event that anything bad ever happens, we’ve already got a lot of the kinks worked out ahead of time.
– Jack Van Arsdale, Senior Vice President and General Counsel, Diligent Corporation
Planning, preparation and close teamwork are the elements that sustain organizations when they’re confronted with cybersecurity incidents. Legal, IT and security teams can develop the habit of updating one another and collaborating to rehearse and refine security incident responses. Then, when security incidents really do happen, teams can rely on muscle memory to respond effectively. Such united teams don’t surprise one another and are well-prepared to prevail over cyber threats.