The Cybersecurity Law Report

By Topic: Chief Information Security Officer

  • From Vol. 4 No.38 (Nov. 14, 2018)

    How Privacy Professionals Can Benefit Cybersecurity Programs: Practical Tips From Gap and Privacy Panacea

    Privacy and security go hand in hand but, without a technical background, privacy professionals may feel unprepared to work with and provide oversight to security teams. To help overcome that hurdle, the associate general counsel of Gap Inc., and the president of Privacy Panacea, a boutique privacy advising firm, shared candid and practical tips on overseeing a cybersecurity program for non-technical privacy professionals at IAPP’s Privacy. Security. Risk. 2018 conference. For attorneys in the privacy space, “security has become much more of a legal issue,” Gap’s associate general counsel Dan Koslofsky said. See also “Tech Meets Legal Spotlight: Advice on Working With Information Security” (Jan. 11, 2017).

  • From Vol. 4 No.30 (Sep. 19, 2018)

    Evolving Roles of Privacy and Security Professionals: Operationalizing Policies, Incident Response and Vendor Management

    Clear policies and effective collaboration go a long way toward improving security and privacy efforts across an enterprise. In this three-part series, current and former privacy and security leaders share their insights on how the CPO and CISO can effectuate these practices and protect their organizations. This final installment covers policy ownership and ideal implementation, and includes advice on effective collaboration when preparing for and responding to incidents and when assessing and contracting with third parties. Part two discussed effective governance, including reporting structure and the relationship with the board. Part one addressed how the skills necessary for each function have changed, how to combat ongoing challenges and whether companies should consider a convergence of the roles.

  • From Vol. 4 No.29 (Sep. 12, 2018)

    Evolving Roles of Privacy and Security Professionals: Effective Governance and Board Reporting

    Not only are the roles of the CISO and CPO changing, but so are their relationships within the organization. Many CISOs who used to report to the CIO now report to other functions and, along with the CPO, have a direct or dotted line to the board. In this three-part series, we speak to current and former privacy and security leaders at Citi, AvePoint, Hunton and national retailers about these positions and their integral, and sometimes overlapping, roles in protecting an organization. This second installment discusses effective governance, including reporting structure and the relationship with the board. The final part will cover ideal policy ownership, and will include advice on effective collaboration when preparing for and responding to incidents and when assessing and contracting with third parties. Part one addressed how the skills necessary for each function have changed, how to combat ongoing challenges and whether companies should consider a convergence of the roles. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 4 No.28 (Sep. 5, 2018)

    Evolving Roles of Privacy and Security Professionals: Examining Required Skills and Potential Convergence

    With changes in the current regulatory environment, such as the implementation of the GDPR, the NYDFS Cybersecurity Regulation and China’s Cybersecurity Law, the roles of the CPO and CISO are becoming more important and more collaborative. In this three-part series, we speak to current and former privacy and security leaders at Restoration Hardware, Citi, West Marine and AvePoint about these positions and their integral, and sometimes overlapping, roles in protecting an organization. This first installment in the series covers the skills necessary for each function, how those requirements have changed, how to combat ongoing challenges and whether companies should continue to keep these functions separate or perhaps consider a convergence of the roles. Part two will discuss effective governance, including reporting structure, scope of authority and the relationship with the board. The final part will cover how these two teams should collaborate for effective incident preparation and response and on assessing and contracting with third parties. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 4 No.11 (May 9, 2018)

    How Financial Services Firms Should Structure Their Cybersecurity Programs

    Governments and regulators – including the SEC and the U.K. Financial Conduct Authority – are intensifying their scrutiny of financial services firms’ cybersecurity programs. At a minimum, firms must ensure that they comply with industry best practices, including adopting one or more cybersecurity frameworks and creating a culture of cybersecurity compliance. This article discusses the roles of the CISO and CCO in cybersecurity programs, regulator priorities, steps firms can take to mitigate cyber risk, and the outsourcing of cybersecurity functions. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 3 No.22 (Nov. 8, 2017)

    Managing Data Privacy Across Multiple Jurisdictions

    Long gone are the days when an acceptable privacy program consisted of a policy in an HR handbook. Building an effective and comprehensive privacy program that addresses wide-ranging data sets and dynamic regulations is a challenge for large and small organizations. To provide guidance on what has worked for them, Ropes & Gray teamed up with privacy professionals from Wyndham Worldwide and Facebook on a recent panel at the Privacy + Security Forum. The panelists offered advice on complying with the patchwork of U.S. laws and the growing number of global regulations and offered behind-the-scenes insight on how Wyndham built its global privacy program as well as how Facebook approaches privacy across its products. See also “Tips From Google, Chase and P&G Privacy Officers on Developing Strong Privacy Leadership and When to Use Outside Counsel” (Aug. 23, 2017).

  • From Vol. 3 No.21 (Oct. 25, 2017)

    Advice From Recruiters on How to Attract the Best and Brightest Security and Privacy Leadership

    Demand for experienced and effective data security and privacy leadership is far outpacing supply. The Cybersecurity Law Report spoke to executive recruiters about finding and compensating chief technology officers, chief information security officers and chief privacy officers. In this article, we discuss their advice on defining a search, what skills to look for and their insight on market salaries. “Recruitment of top C-level executives in security, digital risk and privacy is a strategic and competitive undertaking. Globally, organizations are faced with the challenge of assessing and selecting the best and brightest leaders where titles, experience and credentials vary greatly across the cyber-executive landscape,” Tracy Lenzner, CEO of the executive search firm Lenzner Group, told us. See “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    Cyber Crisis Communication Plans: What Works and What to Avoid (Part Two of Two)

    Even a small cyber incident can erupt into a major high-profile event depending on whether and how it becomes public. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers. In this second installment of our two-part article series on cyber crisis communication plans, experts offer advice on strategies for handling external communications to the media, regulators and other stakeholders, including specific questions companies might face; how to control and coordinate with a third-party vendor; and how to overcome common pitfalls and challenges. Part one covered key stakeholders and their roles, crucial playbook components and the benefits of planning ahead, and how to approach internal communications during a cyber crisis event. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

  • From Vol. 3 No.13 (Jun. 28, 2017)

    Building an Enterprise-Wide Cyber Risk Management Program: Perspectives From the C-Suite (Part Two of Two)

    Even an organization with a highly mature cybersecurity risk-management program needs to keep pace with the changing legal and business landscape, and staying ahead of this challenge starts at the top. Just when the dust had started to settle from the widespread WannaCry attack, the ransomware attack dubbed Petya spread internationally, impacting government and commercial entities, including law firms. Using a hypothetical scenario based on starting a new business line involving financial services, executives from Dell, Amazon, Cybraics and Crowdstrike, playing the roles of the CEO, CISO, CRO and GC, recently offered advice on how to develop an information security risk management program; which key stakeholders are involved in the governance of the program; and how the CISO should interact with the program. In this second installment of our two-part article series, we hear from the chief risk officer on ideas for program revitalization and minimizing risk and from the general counsel on understanding and implementing applicable laws, and all four stakeholders provide practical takeaways. Part one set forth the facts of the simulation, the CEO’s concerns, and the CISO’s response to those concerns, particularly in connection with the resources needed and strategy. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 3 No.12 (Jun. 14, 2017)

    Building an Enterprise-Wide Cyber Risk Management Program: Perspectives From the C-Suite (Part One of Two)

    Even an organization with a highly mature cybersecurity risk management program needs to keep pace with the changing legal and business landscape, and staying on top of this challenge starts at the top. Using a hypothetical scenario, executives from Dell, Amazon, Cybraics and Crowdstrike, playing the roles of the CEO, CISO, CRO and GC, offered advice on how to develop an information-security risk-management program; which key stakeholders are involved in governance of the program; and how the CISO should interact with the program. In this first part of a two-part article series, we present the facts of the simulation, the CEO’s concerns, and the CISO’s response to those concerns, particularly in connection with the resources needed and the strategy. In part two, we will hear from the chief risk officer and general counsel on the subject as well as the takeaways of all four stakeholders. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    Forensic Firms: Effective Vetting and Collaboration (Part Three of Three)

    Because a forensic investigation by a security firm often drives the critical path of incident response, companies are best positioned to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an incident arises. With a myriad of firms from which to choose, not only must a company carefully select the right one, but both sides must communicate effectively to build a trusting relationship. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these and other considerations. This third installment provides advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. Part two examined contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    Forensic Firms: Key Contract Considerations and Terms (Part Two of Three)

    Companies are increasingly turning to outside forensic firms for assistance with both proactive cybersecurity measures as well as incident response. To optimize the relationship, companies must carefully choose a firm, negotiate the right contract terms, and effectively collaborate with the chosen forensic service provider. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these considerations. This second part examines contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. Part three will provide advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

  • From Vol. 3 No.4 (Feb. 22, 2017)

    A CSO/GC Advises on How and When to Present Cybersecurity to the Board

    As more boards come to understand cybersecurity as a critical issue that cannot be ignored, briefings on the topic have become more common. Those with the responsibility for presenting such briefings must understand what information is essential for the board to know and how to communicate it effectively. Dr. Chris Pierson, EVP, chief security officer and general counsel for Viewpost, a FinTech payments company, and the former CPO, SVP for the Royal Bank of Scotland’s U.S. banking operations, spoke to The Cybersecurity Law Report about his experiences briefing the board on cybersecurity and shared his insights on the most effective reporting structure, how to obtain buy-in and budget and the importance of communicating business advantage. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part Two of Two)

    Cybersecurity risk management requires having the right leadership and governance in place, and within that structure lies the shifting role of the chief information security officer and its reporting lines. With input from CISOs, executive search experts and attorneys, this article series provides insight into the most effective approaches to recruiting, compensating and structuring cybersecurity leadership roles. This second article in the series explains the problems with the current dominant CISO reporting structure and offers experts’ advice on effective governance as well as alternatives for companies that are not finding or cannot compensate a technical expert with executive-level experience. Part one covered how to find and compensate individuals for the multi-faceted cyber leadership role. “There’s a lot changing in the way people think about the CISO. There is a pretty fast-evolving set of responsibilities and reporting structure, especially given the increasing [attention to] security by the board of directors and others charged with the fiduciary responsibility of protecting a company,” Hertz CISO Peter Nicoletti told The Cybersecurity Law Report. See also our two-part series about the roles of the CISO and CPO, “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    Tech Meets Legal Spotlight: Advice on Working With Information Security

    Although most companies recognize that legal and technology teams need to collaborate closely to address cybersecurity challenges, they often fail to overcome barriers to effective coordination. In this interview, Holland & Knight partner Scott Lashway offers advice on how to bring legal and security teams together, such as by establishing a risk committee. See also “What CISOs Want Lawyers to Understand About Cybersecurity” (Jun. 8, 2016).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)

    Managing the challenge of securing a company’s digital information while collaborating with other executive leadership is something that only a select group of individuals can do well. In this article series, The Cybersecurity Law Report spoke to CISOs, executive search experts and attorneys to examine what it takes to fulfill both of these crucial roles. This first article discusses the challenges of merging technology expertise with executive function, compensation expectations for cyber leaders, what companies should be (and are) looking for in candidates and the value of certifications. The second article will discuss the changing role of the CISO, including why many current reporting structures are not working, and what companies can do if they do not have the resources for or cannot find the right CISO. “Many organizations regard CISO and technology-risk executive recruitment as an increasingly daunting and complex process, and recognize that one size does not fit all,” Tracy Lenzner, founder and CEO of The Lenzner Group, a global executive search company, said. See “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.24 (Nov. 30, 2016)

    Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part Two of Two)

    The core value of a risk assessment as a critical component of a robust cybersecurity program is in its findings and recommendations. With perspectives and advice from various experts, including the CISO of a large global cloud services provider, attorneys and technical consultants, this second part in our two-part series on risk assessments details what the written report should include, with whom it should be shared and how companies can use it to strengthen their cybersecurity program. It also provides recommended actions for assessment follow-up, explores common challenges to the process and offers tips and solutions to overcome them. Part one covered the scope and purpose of the assessment, the roles of internal stakeholders and third parties, and examined what the risk assessment evaluation process entails. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 2 No.23 (Nov. 16, 2016)

    Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part One of Two)

    By identifying an organization’s risk areas, gaps in how it is addressing those risks and, ultimately, by providing recommended actions for closing those gaps, cybersecurity risk assessments have become a critical part of a robust cybersecurity program. With input from attorneys and technical consultants with experience conducting these audits, our two-part series takes a deep dive into the topic. Part one covers the scope and purpose of the assessment, the roles of internal stakeholders and third parties, and also examines what the risk assessment entails, including initial steps and the evaluation of technical, administrative and physical safeguards. Part two will offer details on what the written report looks like and how it is used, recommend actions for follow-up, and provide a discussion of common roadblocks and solutions. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    Advice From Blackstone and Tiffany CISOs on Fighting Cybercrime

    Information security is “the hottest industry of all time” according to Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice. At a recent PLI panel, Sotto and fellow panelists Jay Leek, managing director and CISO for The Blackstone Group L.P.; Anthony Longo, CISO for Tiffany & Co.; and Matthew F. Fitzsimmons, an Assistant Attorney General in Connecticut and head of the office’s Privacy and Data Security Department, discussed the ballooning issue of cybercrime and how to both prevent and respond to attacks. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer” Part One (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.19 (Sep. 21, 2016)

    What Private Companies Can Learn From the OPM Data Breaches

    The recent breaches of the U.S. Office of Personnel Management illustrate the importance of an effective information security program for businesses in both the public and private sector. A recently released exhaustive investigative report by the House Oversight and Government Reform Committee outlines findings and recommendations to help the federal government better acquire, deploy, maintain and monitor its information technology. “The [Report] is replete with recommendations that private sector entities should be considering seriously,” DLA Piper partner Jim Halpert told The Cybersecurity Law Report. This article summarizes the committee’s findings and examines valuable lessons applicable to both the public and private sectors. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    What CISOs Want Lawyers to Understand About Cybersecurity

    As security and privacy threats and regulations proliferate, it is more important than ever for in-house counsel to collaborate with a company’s information security team to mitigate risks and protect their organization’s confidential information. At a recent panel at Georgetown Law’s Cybersecurity Law Institute, CISOs from Deloitte, BDP and Northrop Grumman shared advice about how lawyers and information security professionals can achieve that goal. The panelists addressed fostering a collaborative relationship, areas of tension between legal and IT, and how counsel can more effectively act as advocates for mitigating data security and privacy risk. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape”: Part One (Jul. 1, 2015); Part Two (Jul. 15, 2015).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    How the Financial Services Sector Can Meet the Cybersecurity Challenge: A Plan for Building a Cyber-Compliance Program (Part Two of Two)

    Despite the abundance of principles-based cybersecurity guidance provided by regulators, interpreting those principles and turning them into actionable items remains a formidable task. Nevertheless, financial services professionals have a fiduciary duty to devote best efforts to mitigating cyber risk by building an appropriate risk management solution. In a guest article, the second in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, provides a practical blueprint to build a cyber-compliance program. Many aspects of the blueprint are not only applicable to those in the financial industry but to other sectors as well. The first article explored current regulatory expectations applicable to the financial services sector. See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)” (May 6, 2015) and Part Two (May 20, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part Two of Two)

    With the dynamic nature of privacy concerns – caused by changing legal requirements, growing data collections and evolving technology – top privacy officers must manage a shifting realm with proactive communication, effective reporting lines and operational structures to ensure accurate implementation of privacy policies and protocols. Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO). Some confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner, told The Cybersecurity Law Report. In this two-part article series, we define and distinguish the roles of CPO and CISO. This article, the second of the series, focuses on the CPO, including core responsibilities, considerations for structuring reporting lines and hiring for the position. The first article focused on the CISO.

  • From Vol. 1 No.3 (May 6, 2015)

    Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)

    Growing cybersecurity demands on companies require effective reporting lines and operational structures to manage cybersecurity-related job functions. Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO). Some companies confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security, and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner, told The Cybersecurity Law Report. In this two-part article series, we define and distinguish the roles of the CPO and CISO. Part One focuses on the CISO – including core responsibilities, best practices for structuring reporting lines, and considerations when hiring for the position – and Part Two will focus on the CPO.
