Why Your Next CISO May be an Attorney
Since many information security issues today fall into legal territory, I am fascinated by this perspective. And as the security profession grows and broadens into emerging fields such as social media policy, digital forensics, cloud computing and new regulations, the possibility of such a qualification seems warranted.
Take the tightened regulatory and compliance requirements within the healthcare sector, for instance. Healthcare providers and facilities now face complex compliance challenges under the enhanced privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA).
Having an orientation in law will probably help the CISO look into the future to coherently understand the connection and impact of these regulations on information security issues.
Added to the list are new breach notification requirements, heightened organizational obligations and new patient rights, all of which require the security officer to be familiar with the legal domain in order to know how to update security policies and refine incident response plans.
Among the questions to weigh:
- Will the move toward electronic health records increase healthcare breaches?
- What are the serious and lasting consequences if a breach exposes a patient's confidential data? What do we need to do now to protect ourselves?
- How is the new HITECH Act affecting business and healthcare processes, IT data security, retention and monitoring, contracts and business relationships? Will these changes improve information security in the healthcare industry? Which areas are likely to be affected first?
Moving on to social media, companies are realizing that people are talking about their organizations whether they like it or not. As a result, they are deciding whether to have a social media presence and, hence, a policy.
Here, the security officer is again dealing with legal issues, such as the implications of what is being said about the institution on these new channels. How do we apply the existing regulatory requirements to this new method of communication? What do we bring to the attention of business owners about the threats and risks of such an undertaking, and how? All of this requires understanding the law and how it affects the overall policy of protecting the organization from internal and external threats.
Another common scenario is a security professional tasked with performing forensic duties in the event of employee misconduct, industrial espionage, intellectual property theft or a breach.
Typically the practitioner here analyzes what happened, when it happened, how it happened and who was involved. All evidence must be handled in a way that preserves its admissibility in a court of law or other legal or administrative proceeding. In all of these cases there are legal concerns which, if significant, can lead to involvement in a lawsuit.
Likewise, as companies adopt cloud computing services, much of the security work will involve contract negotiation and understanding how security and privacy obligations are handled in a legal context.
Going forward, the CISO will need to be proficient in writing a technical policy or a vendor management contract, and perhaps in representing the security team in court proceedings.
So, what are your thoughts? Will future security officers need to be attorneys to perform their roles effectively?