3 things chief legal officers can do now to become more cyber-savvy

Action #1 Understand the cyber threat environment
The National Council of Information Sharing and Analysis Centers
(ISACs) helps organizations in various industries share information
that can protect their facilities, personnel, and customers from
cyber and physical security threats and other hazards. Members
have access to information and tools to help them mitigate risks
and enhance their cyber resilience.

Action #2 Look into the existing cybersecurity program

Most organizations today have some form of cybersecurity strategy.
While knowing the technical details may be of some value, it can be
more useful for legal executives to understand its scope and, at a high
level, how effectively it addresses cyber risks the organization faces.
In particular, you should be familiar with four areas of the cybersecurity
strategy and the program in which that strategy is executed.
Cyber risk profile
Understand the processes by which cyber risks have been identified
and prioritized for your organization. How often is the profile updated?
How does it account for a quickly evolving threat environment?

Program governance
Assess who across the enterprise is involved in cybersecurity program
oversight. Who sets policies and procedures? What internal controls
are there for compliance? What resources and programs are in place to
predict, detect, and respond to cyber incidents, and how much does
the organization spend on cybersecurity annually? Are the programs
insourced or outsourced? How are employees and business partners
educated and trained about cybersecurity, and how is the effectiveness
of that training monitored over time?
Cybersecurity safeguards
Determine what resources, both human and digital, are in place to
defend the organization. How is the cyber perimeter defined? What
security measures protect each type of device and the networks to
which they have access?
Cyber incident response and remediation
Identify existing disaster recovery plans for responding to data
breaches and other cyber incidents and determine if they meet any
applicable industry standards and regulations. If a breach occurs, what
public disclosures and other actions are required? How quickly can the
organization react to shut it down? Do existing plans go far enough not
only in meeting requirements, but also to remediate the issue in such
a way as to build additional resilience so it’s not likely to happen again?

Action #3 Apply a legal point of view

With a clearer view of the cyber threat environment and the organization’s program for addressing it, legal executives can look upstream to determine where legal should be involved, both strategically and in discrete activities.
Strategically
Bring a legal perspective to the cyber risk assessment, prioritization, and mitigation process. Have an active voice in how the organization views cyber risk and how key elements of a cybersecurity program address
those risks. As the organization expands its cyber footprint into new geographic areas, stay on top of legal and regulatory implications.
Tactically
As new business initiatives are undertaken (for example, new product development, digital expansion into new markets, third-party relationships, and many others), take a seat at the planning table to represent the legal point of view. For example, if an organization allows employees to use company-owned or their own mobile devices for business purposes, review the approach and help establish related parameters for access and usage.
Operationally
Insert legal into the process of monitoring cybersecurity programs. Make sure legal has adequate representation early on in the event of a cyber breach or other incident. Play a more active role in remediation
efforts to help mitigate risk to the organization and prevent similar future
events. To enable more effective strategic, tactical, and operational engagement, consider deeper training in cyber issues for your legal
department or a subset of the department.

MORE: Deloitte Report: Tech Bytes Part 3: Cyber Three things chief legal officers can do now to become more cyber-savvy