Views on Talking Data Security With the CISO From Amy Mushahwar of ZwillGen PLLC

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

In the face of mounting cybersecurity threats, corporate attorneys need to be able to communicate effectively and efficiently with the chief information security officer and security team.

Bloomberg BNA Privacy & Data Security News Managing Editor Donald G. Aplin posed a series of questions to Amy Mushahwar, counsel and chief information security officer at ZwillGen PLLC in Washington, about how members of a company's legal and security teams can work together to better protect corporate assets and respond to data breaches.

Bloomberg BNA:

Among the members of the C-suite, does the chief information security officer (CISO) hold a unique role in the privacy and data security efforts of the company, and is that role changing?

Mushahwar:

Yes, the CISO along with the chief information officer (CIO), chief security officer (CSO) and legal department are all first-chair roles in a company’s privacy and data security orchestra. Enabled effectively, CISOs hold a unique role as the bridge between information technology, legal and senior management. Effective CISOs should communicate with IT to determine what the organization’s strengths and weaknesses are, and then frame those issues from a business perspective when communicating with legal and senior management.

But, unlike standard orchestra sections, not all companies agree what information governance roles are necessary to achieve success. Large multinational corporations now often have a CISO, CIO, CSO, legal department and even compliance staff, but smaller organizations may only have an IT lead and perhaps some legal staff. So, even though we will be talking about working with the CISO, the general guidance provided here can also apply to an IT lead, CSO or any other employee with the lead responsibility for information security. 

Bloomberg BNA:

Many companies are bringing on CISOs, perhaps for the first time. How would a company best position its new or existing CISO for success?

Mushahwar:

Where our law firm has seen effective CISOs or other security leads, they often are enabled by the following organizational traits:

A) A direct line to the chief executive officer and board—it is not enough here to simply have the CISO communicate to the CEO and board during the annual or quarterly meetings; the CISO should have a way to directly escalate emergency matters to the CEO.

B) Budget authority—when you hire a CISO, talk with them immediately about the money that the company is apportioning to security given the expected remediation events. If you have an existing CISO, be careful regarding creation of the budget PowerPoints and other documentation for budget approval; when there is a breach, these documents can become evidence that the CISO saw the particular vulnerability for many months (and in some cases, many years).

C) Determine the level of independence that is necessary from IT—As a company, you need to understand your IT health maturity before it is even possible to set security outside of IT. In organizations where the IT health is less than ideal—for example, significantly delayed system patching, capacity issues, regular outages, repeated backup failures and the like— it may not be possible to sit security outside of IT, because security’s skill set might be necessary to improve IT health before overlaying a security architecture. However, if the organization already has developed a more mature IT health model, it is helpful to have security sit outside of the structure of IT. The CISO can then truly operate as an unvarnished critic without fear that he or she may be critiquing the work of an immediate supervisor or close colleagues.

D) An open relationship with IT audit/legal staff—Although CISOs are primarily responsible for identifying weaknesses in a company’s systems, they are unlikely working alone to be able to track remediation efforts through to completion. CISOs should work with legal staff to prioritize items for remediation, and if the company has an audit department then IT audit staff should track remediation progress. Open, frequent communication between all three entities will help speed up remediation efforts and ensure that each priority has appropriate follow-up (with proper documentation).

Bloomberg BNA:

What is the most important advice for more effectively discussing privacy and security topics with the CISO at an organization?

Mushahwar:

Realize that the discussion will be an education process for both you and the CISO. Both parties need to learn to speak the same language when discussing security issues. CISOs understand specific audit controls such as ISO 27001, the Statement on Standards for Attestation Engagements (SSAE), the Payment Card Industry Data Security Standard (PCI-DSS), the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), the National Institute of Standards and Technology Cybersecurity Framework, and so on, whereas legal staff and members of the C-suite understand business/legal risks, costs, impacts to cash flow and other issues. For initial meetings, budget time to learn each other’s nomenclature; the relationship building here is just as important as the substance of the conversation.

To illustrate this concept in action, below is an example of how legal staff and the CISO might talk past each other in a discussion about privilege and the need to direct the course of understanding of legal and technical risk in a recent data breach. This exchange can easily disintegrate into a power struggle without appropriate relationship building:

Attorney:  After our meeting today, the legal team will reach out to you about coordinating the next steps in remediating our recent data breach.
CISO:  There’s no need for that; I have a remediation plan in place, and can just cc you on scheduling e-mails.
Attorney:  We of course will need your assistance, but because of privilege, the legal team needs to be in charge of coordinating the response. 
CISO:  But I’m responsible for information security, and this is an information security matter; it makes more sense for me to lead.

Although on the surface this conversation appears to be a dispute over who is better suited to leading remediation efforts, it is really an example of confusion and miscommunication about each party’s role in such efforts.

The attorney should have conveyed to the CISO why the legal department needs to be the lead coordinator—that is, so that it can frame the effort as an extension of its legal advice, thus preserving privilege arguments in any resulting documents and materials. The CISO, in turn, should have emphasized the need to make key decisions regarding technical upgrades and implementation planning to ensure that remediation is effective and does not disrupt other operations.

These two aims are not necessarily incompatible, so the two parties need to better communicate their objectives and how the course of action best accomplishes such objectives.

Bloomberg BNA:

In the context of data breach advance planning and mitigation, is risk identification the thing that the C-suite most wants to hear about? If not, what is the most important thing that the C-suite should care about?

Mushahwar:

Although risk identification is important, hackers have proven time and time again that they are one step ahead of even the most sophisticated IT detection and alert infrastructure. Therefore, all parties are rightly focused on “Am I Ready for the Next Big Breach?” Five years ago, readiness meant that organizations simply had incident response plans drafted and ready to go (which is still necessary). Now, this focus has turned to many more organizations wanting to run IT security tabletop exercise drills to test the plans in place. For the C-suite, letting your CISO know that tabletops will be run is a powerful message to send to the CISO that his/her work will be valued at the organization. Moreover, if the organization runs enough of these drills, they begin to develop a profile of response timing.

Tabletop exercises may be run in a number of different ways, such as:

• a one-day event in which outside counsel/consultants walk through a customized scenario with the breach team;

• a multi-day event in which outside counsel/consultants observe a company perform its existing incident response procedures in reaction to a simulated threat; or

• a hindsight review of documentation, policies and procedures resulting in an assessment of how the company reacted to a recent incident.

 

Bloomberg BNA:

Is a more technical discussion of privacy and security, such as encryption standards, something more properly left out of discussions with the C-suite?

Mushahwar:

Perhaps. The need to engage the C-suite in technically sophisticated discussions largely depends on: 1) the industry in question and 2) the expertise and trustworthiness of the organization’s IT department. Companies that operate in regulated sectors, such as health and finance, or those that handle government information, are subject to detailed requirements about how to protect information in their possession. Because failing to comply with such requirements can have enormous consequences, C-suite executives at these companies should have a firm grasp of the business's compliance efforts, including the relevant technical details. Regulated industries are already recognizing the need for increased technical skills within leadership, and we are seeing many corporate boards with former IT leaders.

However, organizations that deal with less-sensitive information in non-regulated sectors do not necessarily need to involve the C-suite in all decisions, particularly if the IT team is sufficiently staffed, funded, and diligent. Nevertheless, even at these companies, the C-suite should be alerted to major risks and incidents at the company, even if such discussions must be technical in nature. C-suite executives must be comfortable with stopping IT to ask questions regarding the technical details and understanding the ultimate decision points. We have seen effective C-suite executives in this technical interview role, without much technical experience at all. 

Bloomberg BNA:

Given the rarity of individuals with policy, legal and technical expertise in the privacy and data security arena, is it realistic to think that companies can move to a stronger marriage of technical and legal/policy issues?

Mushahwar:

Yes, it’s realistic, because it is a business necessity.

Nearly every actor in the security decision chain may feel blindsided when a large event occurs:

• CISOs without technical expertise cannot see if their recommendations for closing up vulnerabilities were acted upon in a consistent manner (i.e., they may not see the number of legacy configurations or compensating controls).

• Legal staff cannot effectively communicate risk without some technical training, such as knowing what a security vulnerability means and what data is at high risk.

• CIOs without some business sensitization cannot see the risk value of a company's systems in order to escalate issues appropriately.

 

Individuals with “triple threat” expertise—that is, those with policy, legal, technical and even business expertise—are rare, but becoming less so. This combined skill set is necessary for cross-communicating between IT, security staff, the C-suite and the company’s board. Therefore, it is not only realistic, but also crucial, for companies to consider data privacy and security issues from all of these angles.

Just like the most effective orchestra conductors often play multiple instruments, effective information security personnel must be able to see risk from multiple company angles.