• Adam Cohen

CSO 2.0

The Modern CSO -- Collision at the Intersection of IT Security and Legal Compliance

by Adam Cohen

Historically, the role of Chief Security Officer has been considered primarily technical and has emerged from the Information Technology function of the enterprise. However, cyber-security risk has evolved, especially in terms of the increasingly thorny legal and compliance thicket surrounding it. This suggests that the recipe for the current CSO role would benefit from a modified balance of experience and expertise, mixing technical security knowledge with legal and compliance judgment. Such hybrids may be rare today, but circumstances are creating them already and supply will grow to meet demand once the critical value of such a blend is recognized.

Treating cyber-security as a purely technical problem is a recipe for failure, yet this is largely how it has been treated for decades. While classical information security literature preaches “defense-in-depth” as the Holy Grail—a holistic approach layering protective measures that cover people, process and technology—most organizations have effectively corralled the influence of their cyber-security function to hardware and software. This is not a criticism or a shortcoming on the part of the cyber-security professionals, who generally appreciate the wisdom of the comprehensive approach. However, they have typically lacked the organizational authority to implement cyber-security as a complete program rather than an assortment of technical measures.

In many cases, the information security group goes as far as generating a complete set of policy documentation addressing secure use of information assets, but these policies are not adopted by the enterprise or integrated with the overarching policy ecosystem (encompassing, for example, records management, HR, physical security) and the resources to communicate and train users are not provided. This makes the orphaned policies worse than useless, as they merely serve to underscore the failure to address basic security issues. Even where such policies are considered “official” they are often not communicated effectively to users or otherwise given a reasonable chance at implementation, creating conditions of widespread non-compliance and corresponding potential liability.

Isolating cyber-security as a technical function is untenable even from a purely security-oriented perspective. Having security technology like “next-gen” firewalls, DLP, IRM, MDM, IDS, IPS and the like sounds impressive, but it all has to be configured and deployed in a way that supports compliance with policy and law. Moreover, it has to do this without paralyzing business productivity, or it becomes a very expensive collection of junk treated as an obstacle course by users trying to do their jobs. This requires continuous and close collaboration among many functional areas outside of cyber-security technical professionals, including legal, compliance, internal audit, records management, HR and of course the users who generate revenue, be they engineers, traders, salespeople, etc. History has showed time and again that basic social engineering or a malicious or even merely careless insider can leapfrog a gauntlet of technical security measures.

Regulators and litigators have become keenly aware that IT systems contain our most valuable and sensitive information. Accordingly, as the reality of the threats to these systems has become apparent, demands for adherence to responsible cyber-security standards have crystallized, leading to rules and rule-like pronouncements in the form of “guidance” from governing authorities, as well as lawsuits by consumers, patients and shareholders alleging damages caused by unreasonably lax cyber-security. Regulatory agencies, law enforcement authorities and industry groups seeking to avoid burdensome regulation by demonstrating self-policing have issued a blizzard of publications which some lawyers hold up as standards.

This blizzard creates significant complexity for anyone tasked with developing a consistent and compliant enterprise cyber-security program. Where legal requirements and standards are at issue, the words matter. Thus, even where particular pronouncements may seem to be generally indicating the same kind of security measure, the exact manner of implementation may differ depending on the tea leaves. For example, encryption is frequently required or recommended, but in broad terms that from a technical perspective open infinite possibilities as to the what, where, when and how. Evaluating an appropriate technical response to a legal requirement without an adequate foundation in either the legal or technical side is perilous.

For a number of reasons, including the very legitimate concern with rapid obsolescence, it is highly unlikely that a regulator or other authoritative issuer of rules or guidance would describe technical security measures at a level of specificity akin to an instruction manual. Flexibility and abstraction in cyber-security prescriptions are necessary where technology develops at a pace much faster than the legislative process. At the same time, the onslaught of regulatory output on cyber-security comes on top of decades of information security thought leadership. Clearly, the lawyers drafting the current stream of regulatory pronouncements did not invent or re-invent the cyber-security wheel, they are standing on the shoulders of more technically educated giants; however, we cannot assume, absent explicit reference, regulatory intention to adopt existing formulations from classical cyber-security literature.

When lawyers sue based on negligence, in this context alleged failures to provide reasonable information security, they will point to whatever source of authority, legal or technical, supports their position. This could be a statute containing specific directives for a particular industry or type of data, but there are far more numerous sources of cyber-security “best practices” independent of any legal regime. If you’ve been reading from the beginning, there is no need to articulate the inescapable conclusion--the time of the hybrid CSO has come.

A less radical option is enhanced collaboration between IT security and the legal department, although the culture clash can sometimes be too much to overcome. A translator is often necessary. This is where many business enterprises find themselves today. For some, likely smaller organizations with relatively slight regulatory and litigation burdens, this may well be the only practical solution. However, for larger enterprises, especially in heavily regulated industries where frequent and often complex litigation is a fact of life, the trend of increasing need for legal and compliance involvement in cyber-security will be unrelenting, requiring a full-time symbiosis of cyber-lawyer and IT security so that they are effectively co-CSO. Rather than forcibly mating professionals in different departments and demanding that they think as one, these entities should consider installing a hybrid CSO, with the mandate to draw on deeper expertise in particular legal or technical subjects as necessary.

Notably, this idea of a hybrid CSO seems to be reflected in the European Union’s new data protection law. The General Data Protection Regulation 2016, Articles 37-39, has a section devoted to the role of the “data protection officer.” It requires the designation of a data protection officer under specified conditions, outlining the involvement, support and independence of the position and mandating a minimum set of tasks assigned to the role. The GDPR data protection officer has functions that make it impossible to separate legal from technical, requiring interpreting, analyzing and training about the law as well as implementing it in a data protection program with technical safety measures like encryption.

As a general matter, the importance of integrating legal and technical expertise is not a new phenomenon and appears in areas other than information security, for example, electronic discovery. Over the past two decades, the U.S. legal process has been repeatedly adjusted in an effort to deal with the impact of the digital information tsunami, as witnessed by the extensive e-discovery amendments to the Federal Rules of Civil Procedure in 2015 and 2006. The e-discovery explosion gave rise to new kinds of businesses and professional services, as well as a new breed of professionals, with resume’s blending law and technology. A similar movement is afoot in cyber-security. As an expanding scope of legal and compliance concerns focus on the field more intensively, the demand for integrated expertise rises. The ideal professional for the contemporary mission of enterprise cyber-security leadership integrates experience and expertise in legal compliance and information security, reaching beyond the purely technical credentials of history’s typical CSO.