How CISOs Should Talk to Legal About Privacy

Alicia diVittorio, December 12, 2023

In our previous post, we looked at how legal should approach security about data privacy strategy & risks. When speaking with CISOs, we encouraged general counsels to create dialogue around best practices, learn to speak the same language, and make smart use of technology.

As these recommendations and the conversations at our 2023 DataGrail Summit emphasized, data privacy is a team sport. CISOs also need to meet their legal teams halfway.

This is particularly important given how the relationship between legal and security has evolved in recent years. Previously, these teams had little overlap; however, things have changed dramatically in the last decade. Today, the increased data privacy risks associated with data breaches, security incidents, and a constantly changing regulatory landscape have pushed these teams into close—and at times uncomfortable—collaboration. And, let’s not forget the unknown risks associated with AI that are just beginning to come into view. 

What’s clear is that CISOs need to partner with GCs if they hope to roll out legally sound technical solutions to data privacy issues. But how, exactly, can they go about doing so? In this piece, we’ll examine how security can work more effectively with GCs on data privacy by embracing conflict, developing a shared business language, and seeking constant feedback about solutions.

Embrace conflict before a real incident

First and foremost, CISOs can remember that it’s OK—and healthy!—to have conflict with GCs. In fact, the right kind of friction can lead to better outcomes if done before a real incident occurs. 

Don’t lose sight of the fact that both teams are working toward the same goal: CISOs and higher-ups want the organization to be both secure and transparent, while GCs want to make sure that the steps taken in the process abide by national and international law.     

It’s only natural that conflicts come up on this path to risk reduction. While CISOs will typically gravitate towards technical solutions to solve problems, legal may look to policies and workflows. Work together before any issues arise with an eye on finding a blended approach to reducing data privacy risk. Tabletop exercises are always recommended to help identify friction points before a real data breach or privacy compliance issue surfaces.

In addition to having different toolsets, security and legal teams might also have differing views on their company’s risk profile. Even if friction arises as a result, CISOs and GCs who prioritize customer trust and risk reduction can contextualize conflict before it gets blown out of proportion, and agree on a path forward.

Develop a shared business language

Understandably, if you’re a CISO, you’re constantly on the lookout for technical risks and quick solutions; however, at times your outlook can be so technical that it may not resonate with legal. 

Start any conversation about a risk, breach, or incident by contextualizing what the business outcomes could be, or will be, which will likely make GCs more receptive to your proposed recommendations. Perhaps put the risks into relative terms compared to a risk your GC is more familiar with.

By speaking to the implications of data risks for the company’s overall health, CISOs also provide GCs with clear talking points to convey to their boards. This can turn a nuanced technical solution into a palatable concern about data privacy risks that receives buy-in from across the organization. While it may be in your nature to lean into the technical components when describing a solution, try your best to avoid jargon in order to get on the same page with legal.

Show you’re invested. Educate yourself on the latest changes and updates to privacy laws to show your legal counterpart that you care and are prepared to collaborate on solutions that can work. Doing so will also shore up your collaborative efforts as you work to grasp the current state of regulation, your company’s risks, and competitors’ responses to similar questions. 

Seek constant feedback on solutions

Once you’re speaking a shared business language with your GC, there shouldn’t just be one conversation about data privacy—it’s crucial that it be ongoing. 

First, be sure to ask your legal team questions early to be sure that you’re in alignment on key terms and definitions. At the DataGrail Summit, for example, Brandon Greenwood (Overstock) and Jonathan Agha (FanDuel) insisted that it’s imperative for CISOs and GCs to agree on the definitions of “event,” “incident,” “threat,” and “vulnerability.” Shared understandings of these terms will clarify how they’ll be addressed by IT solutions and how those solutions can best satisfy regulatory requirements. 

Second, don’t forget to ask questions throughout the process of implementation. On a practical level, this means regularly communicating and meeting to identify known issues and risk sites, then acknowledging places in the organization where you have less visibility so as to minimize legal surprises. Setting aside time to communicate in this regard also gives CISOs a clear picture of the current state of data privacy in the industry and of the legal landscape.

When CISOs learn to embrace conflict, develop a shared business language, and consistently communicate with their GCs, they’ll equip their company with an effective defense for warding off data privacy risk, ensuring business health, and maintaining brand image.