Protecting CISOs From Taking the Blame
Troutman Pepper Attorney on the CISO-General Counsel Partnership - or Lack of It
In the wake of high-profile incidents at Uber and Twitter in 2022, both CISOs and their general counsels can learn valuable lessons. The case studies show how CISOs have been made scapegoats when organizations are faced with a breach and looking for someone to blame. But there are ways to improve collaboration, says Ron Raether, partner at Troutman Pepper.
Much of the friction, Raether says, is the result of ignorance. The general counsel doesn't fully understand technology and information security. Raether advises a dynamic shift in the organization's culture, beginning with education and effective communication. CISOs also should have allies within the organization where historically they may not have built connections.
"Just like a CISO, a general counsel might be seen as the individual that is a cost center, that says 'no' to projects and is seen as an impediment to revenue generation or product functionality," he said. "Being able to bring in these resources together to act unanimously is going to help instill some of those cultural changes that are needed to reduce the overall risk profile of an organization."
In this video interview with Information Security Media Group at RSA Conference 2023, Raether also discusses:
- What the Uber and Twitter cases tell us about the relationships between CISOs and their general counsels;
- Options to consider before paying a ransom;
- Why and how the relationships between CISOs and their general counsels can be improved.
Raether leads the cybersecurity, information governance and privacy team at Troutman Pepper. He has assisted companies in navigating federal and state privacy laws for over 20 years and has counseled clients on operationalizing the California Consumer Privacy Act of 2018. Raether represents clients in data aggregation and analytics, mobile applications, payment technologies and IoT.