Why CIOs and CISOs Need a Wartime Consigliere


As companies adopt new environments they are faced with the challenge of juggling security risks associated with not only new, but also old technologies. Whether one is on the board, in the C-Suite or the vice president of digital, it's important to develop a personal rapport with the legal team since they are in the best position to help advise the organization on safe usage of new technology, the author writes.

By Devin Redmond

Devin Redmond is the general manager for digital security and compliance solutions at Proofpoint Inc., a computer and network security company, in San Francisco.

A Proactive, Tech-Savvy Legal Department Can Minimize Risk While Driving Technology Agility

Today's chief information officers (CIOs), chief information security officers (CISOs) and their teams are embattled on multiple fronts. On one front, their businesses are racing to new technologies and digital transformation trends that change the very model of how traditional information technology (IT) infrastructure and security work. Employees, partners and customers increasingly work with applications and communicate data in a reshaped landscape of social media, mobile and software as a service (SaaS) technologies that live outside the environment owned and managed by their organizations. Aside from the inherent challenges of adopting and embracing these transformative technologies, this creates new security and compliance challenges for IT teams. At the same time, targeted attacks and overall security and compliance risks have increased on every front. This means pre-existing infrastructure has only become harder to protect. So as companies adopt new environments they are faced with the challenge of juggling security risks associated with both new and old technologies.

In a recent study by analyst firm 451 Research LLC (Voice of the Enterprise: Information Security, September 2016), enterprises are expected to spend $2.5 billion annually on waves of new social media management tools by 2019. That wave of new infrastructure is designed to optimize communication channels that live outside the traditional, owned IT infrastructure. Beyond the challenge of implementing and protecting that sprawl of social media pages, tools and users, one very specific example of this new environment and the risk it introduces is social media-based customer care.

In research by Aberdeen Group LLC, companies using social media for customer care saw best-in-class customer retention rates of 92 percent versus a sub-40 percent retention range for companies that didn't. It is no wonder the same study found adoption of social media customer care programs had skyrocketed from 12 percent of companies surveyed in 2010 to 62 percent in 2015. Adopting these programs is already challenging for IT teams, but even more challenging is the risk it introduces.

That risk includes compliance penalties related to a slew of new regulations for communicating on social media and protecting PCI data and personally identifiable information (PII) shared with customer care teams, as well as the vulnerability to the new wave of phishing that targets social customer care. This attack, known as Angler Phishing, tricks consumers into providing sensitive account and personal data to a well-branded fake account impersonating the company from which they are seeking support. In addition to social media scams increasing overall by over 150 percent in 2016, targeted Angler Phishing attacks have preyed on electronic commerce companies and major banks in the U.S. and the U.K. and continue to increase. In terms of the scope of exposure for social media risk, research firm Blue Hill Research LLC found each social media risk incident can cost over $450,000 and brands can average nearly 10 incidents per year, potentially totaling over $4 million per year. This risk to new, external communication channels, however, doesn't mean threats to older channels have gone away.

Protecting existing infrastructure and communication channels like e-mail hasn't gotten easier for IT and security teams either. In fact, the Federal Bureau of Investigation's list of most common internet fraud schemes notes the exponential rise in Business E-mail Compromise (BEC). That list also includes broader spoofed e-mail phishing, which topped the FBI's list of most common internet fraud schemes. All of these schemes involve some form of fake e-mail from trusted brands, individuals, partners and supply chain providers and cost businesses and consumers millions of dollars each year. What is worse is that they can even involve the same infrastructure used in social media Angler Phishing schemes. In other words, the bad actors have intensified their scams and attacks while also evolving to use the new digital and social channels. All of that should clearly signal that CIOs and CISOs are, in a very real sense, in a battle to enable their businesses to grow through technology usage and adoption while protecting their organizations, employees, partners and customers from risk.

A United Front is Needed.

Just as the Michael Corleone character in “The Godfather” recognizes that his circumstances have changed, requiring a new consigliere for a new fight, CIOs, CISOs and their teams should look for a new partnership with their legal teams to tackle this evolving battle. All references to “The Godfather” aside, and in all seriousness, legal teams must be willing to step up to face the new battle against obsolescence and bad actors and become more savvy about the new wave of technologies their businesses need to use and the risks surrounding them. This will allow them, instead of just saying no, to become that vital counselor and find ways to support new digital and cloud technology initiatives that will ultimately drive their business forward.

Examples of Successful Collaboration—Finance and CPG.

Companies that develop true technology partnerships with legal have seen tremendous success in reducing their risks on new external communication environments such as social media. These security risks are also not specific to any particular industry or size of company, although generally some industries are more evolved in the digital landscape, especially those with a heavy digital media presence or those focused on customer service.

For example, one large financial services firm I worked with has a very proactive legal program, with teams responsible for identifying and understanding marketplaces and the risks associated with the applications used to access those marketplaces. As part of this procedure, a lawyer on the team responsible for digital technologies regularly attends relevant technology industry shows. At one of those shows, focused on social media compliance, the lawyer saw presentations from multiple vendors and was introduced to some of the security challenges around social media and new technologies for security and compliance. These presentations enabled the lawyer to understand that his firm's social media programs—social customer service and social marketing—were favorite targets of cybercriminals.

As a result, the lawyer sponsored an internal briefing with the rest of his legal team, as well as representatives from business, IT and security, inviting industry experts to present the security trends and challenges relevant to their firm. Based on that briefing, both the social and security teams did their own more detailed follow-on briefings. The firm asked vendors for a proof of concept for their needs, and once the right technology was identified, implementation was relatively quick and easy because all the stakeholders were already onboard. Now the firm has in place technology that protects both the social media accounts created by the business and the customers who use those accounts to interact with the firm.

Thanks to a proactive member of the legal team, the firm's social media programs are now vastly safer than they would otherwise have been, and all the stakeholders can move forward with greater confidence. The legal team is also now consulted as a vital partner in any future technology decisions to ensure the business is utilizing best-in-class technology that will push it forward.

In a very different environment, a particular brand within a consumer packaged goods (CPG) company was struggling with fake social accounts and mobile apps that frequently contained fraudulent offers, counterfeit goods and content that was abusive toward the brand. In this case, the marketing, IT and legal teams worked together to identify technologies and develop processes that made it easier to find and take down fake accounts and apps while performing automated remediation on bad content spread on their legitimate accounts. Thus, they created a social voice that was stronger than what the fake accounts could muster. By working together, legal developed a better understanding of the technology and how to lower the risk profile, IT developed a clearer understanding of the importance of social media to the business, and the marketing and digital teams developed a better understanding of how the legal department could help them be more successful.

Legal Teams Must Evolve: Five Steps.

Unfortunately, most legal teams today don't have the training and experience to proactively support IT and the business in their new mobile, social and digital initiatives. Instead, they tend to force new technologies into a legacy paradigm, evaluating criteria in a way—and at a pace—that makes implementation impossible. Faced with this resistance, marketing and IT teams frequently find themselves heading down one of two dangerous roads:

• fearing the risk of security and compliance violations, they don't move forward with new initiatives, undercutting the organization's ability to compete;
• fearing the inability to compete, they implement new technologies without adequate vetting by the legal team, putting data at risk and exposing the company to possible compliance violations.

Legal teams that want to avoid these challenges by becoming a partner in their company's digital transformation should follow these five steps:

1. Collaborate more with other departments: The business should invest time and resources in having the legal department work directly with internal groups—digital, mar-tech, IT, etc.—to understand each group's specific needs.

2. Become a technology pro: Representatives from the legal department should attend seminars and workshops and join forums focused on technology trends, so they can truly understand new application capabilities, as well as the differences between cloud and on-premises operating environments.

3. Utilize all of your trusted resources and stay up-to-date: The legal department should follow respected industry analysts that cover these areas, such as Gartner Inc., Forrester Research Inc., 451 Research, Blue Hill Research and more. Legal should also recognize that cybersecurity vendors are storehouses of deep expertise. Yes, their goal is to sell products, but in order to do this, they are staffed with some of the most respected cybersecurity professionals in the world and freely share volumes of information about the threat environment and how organizations can protect themselves.

4. Change your mindset and consider the bigger picture: The legal department as a whole must develop a positive mindset about the evolution of technology. Instead of evaluating only the risk, they always need to consider the lost opportunity cost of not evolving as an organization.

5. Be proactive outside of the immediate business: In addition to playing this new and powerful advisory role internally, these new tech-savvy lawyers can also protect their companies by working proactively with regulators to make sure the regulators themselves are actually working with the most up-to-date information.

It's a Two-Way Street.

While I have delved into what legal can do, it's not just the legal department that must evolve. Businesses as a whole must develop a new attitude. First, business and IT must get smart about the evolving legal and regulatory landscape related to social, mobile and digital technologies to understand the potential impact to their business. Instead of viewing legal as naysayers opposed to technology evolution, business owners and IT should give legal a seat at every table, making it the vital stakeholder it needs to be so that it can become a proactive, tech-savvy advocate of safe technology programs.

Whether one is on the board, in the C-Suite, or, say, the vice president of digital, it's important to develop a personal rapport with the legal team. Recognize that they are in the best position to help advise the organization on safe usage of new technology, maximizing opportunity while minimizing risk and making sure good technology programs don't turn bad. The IT and security teams also need to have the same attitude, relying on legal to do some blocking and tackling to ensure the organization is not implementing solutions that IT can't protect.

There's no doubt that as organizations are competitively driven to extend the enterprise beyond the traditional owned infrastructure by accelerating their social and mobile initiatives, cybersecurity in general and protecting sensitive data specifically are becoming bigger and bigger challenges. The sooner legal teams embrace this technology evolution, and the sooner IT and the business see the legal team as their partner and trusted counselors, the sooner organizations will be able to successfully balance business agility with risk management.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
