First Annual Cybersecurity Legal Institute at Georgetown Law

I attended the first annual Cybersecurity Legal Institute at Georgetown Law this week in Washington DC.

The Deputy Attorney General James M. Cole, (Eric Holder’s #2) was the closing keynote. Essentially, he encouraged attendees to assist the federal government in securing cyberspace and critical infrastructure, and every network within reach by doing a variety of things. What is remarkable isn’t what he said, rather it is who was saying it. This wasn’t a SANS or an RSA conference. I know we are used to the directors of the CIA and FBI saying things like cyber threats are the #1 threat to national security. But now, even the government’s lawyers are saying it. What is more remarkable, is that he was essentially preaching elements of the SANS 20 critical controls.

Additionally, he referenced President Obama’s Executive Order on cybersecurity and the governmental instrumentalities it is creating and the goals with regard to critical infrastructure.

Another interesting appearance was made by Tony Sager, a 25 year NSA veteran, now retired, (all 25 years with the IA directorate and predecessor organizations) to champion the SANS 20. He is the man who will be driving the SANS 20 going forward. They are dropping the name “SANS” from the critical controls, and will drive the 20 critical controls in a new organization outside of SANS.

The audience was about 80% attorneys and 20% CISO/CPO types, and a smattering of entrepreneurs and vendors, including many general counsel and Big Law partners who run privacy/security practices. The conversation about security will continue to penetrate the Boards of Directors of many large enterprises in ways that were unthinkable even two years ago.

Here is a link to the Deputy AG’s full remarks.

http://www.justice.gov/iso/opa/dag/speeches/2013/dag-speech-130523.html

SANS 20 Critical Controls

The SANS Top 20 Critical Controls provide a prioritized, agreeable starting point for ensuring an information security program is meeting a minimum standard of due care.

An information security program is mandated by law for entities operating in certain industries and most government agencies. Such programs are characterized by a wide variety of both technical and administrative controls. Contemplating and evaluating the legal sufficiency of such programs can be bewildering to the uninitiated general counsel. Fortunately, for general counsel seeking external guidance on program creation and best practices there are a wide variety of frameworks to choose from. One framework in particular is gaining notoriety and acceptance for its focus on the most essential components of an information security program: The SANS Top 20 Critical Controls.

SANS was founded in 1989 as an information security research and education organization, and provides popular and rigorous information security training to professionals worldwide. The SANS Top 20 Controls began as a classified initiative in the U.S. government and eventually grew to its present state through public-private sector coordination. Now publicly available through SANS, the Top 20 controls are well-vetted and empirically demonstrated to reduce the likelihood of information security breaches. When properly implemented and maintained, the Top 20 controls block known attacks and detect attacks that slip through corporate defenses.

Executives and boards of directors can use the Top 20 Controls as a common starting point in agreeing how to prioritize and fund information security initiatives within an enterprise. Directives and executives can avoid the uncertainty and opacity of typical technology-centric operations by gaining a basic understanding of the Top 20 Controls, which will require a basic understanding of the basic technologies espoused by the Top 20 Controls. What follows is a short explanation of each of the Top 20 Controls to be orient the non-technologist to the main objectives and benefits of the Controls.

  1. Critical Control 1: Inventory of Authorized and Unauthorized Devices. It is very difficult to protect and defend computer systems that you don’t know exist. Most large organizations have experienced a proliferation of information systems and their components, resulting in a vast, complex IT infrastructure. Unwinding such complexity is a critical first step so that professionals know what needs protection. Creating accurate and up-to-date inventories of information and systems can be one of the more difficult of the Top 20, but there is a reason it is #1 on the list. It is an essential prerequisite to the remaining 19 controls.
  2. Critical Control 2: Inventory of Authorized and Unauthorized Software. Same reasons as #1.
  3. Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. Nearly all IT components like servers and databases have a variety of dials and switches used to configure them. Some settings are more secure than others. This control calls for documented settings that are and are not allowed.
  4. Critical Control 4: Continuous Vulnerability Assessment and Remediation. Technology tools should be used to scan IT environments searching for the equivalent of unlocked doors and windows, known as vulnerabilities. These vulnerabilities should be addressed quickly. Vulnerability assessment should occur on a continuous, recurring basis.
  5. Critical Control 5: Malware Defenses. Malware is another terms for computer viruses and malicious programs that invade corporate IT systems and cause damage. Enterprise-class anti-virus (AV) products currently defend against far more than just viruses, and should be deployed, monitored and properly configured.
  6. Critical Control 6: Application Software Security. Software developers in the enterprise should be properly trained to avoid common programming mistakes that introduce vulnerabilities in software applications. The source code or program code should also be scanned with specialized flaw detection products prior to being released.
  7. Critical Control 7: Wireless Device Control. Wireless networks should be secured so that unauthorized parties cannot access the corporate network from outside (or inside) the building. Hackers who drive around searching for unsecured wireless network signals are engaged in what is known as “war-driving.”
  8. Critical Control 8: Data Recovery Capability. Corporate data must be backed up and recoverable in order to minimize risk of actual data loss stemming from natural disasters, business disruptions, computer crimes and IT failures.
  9. Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps. The pace and knowledge horizon for information security is fast and ever-expanding. Enterprises should not trim costs of training and education for all personnel responsible for enterprise data protection. Such training should not be limited to IT personnel.
  10. Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches. This control is related to #3 above, and #11 below. The devices in this control particularly apply to the creation of safe network zones. When this control is lacking, a hacker may compromise one system and use that system to attack any other system in the enterprise. By deploying this control, such a compromise will place the attacker on a small island within the enterprise network where he or she will be unable to access other, more sensitive systems.
  11. Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services. This control is related to #3 above. Implementing this control removes many IT services that reach out to the Internet and respond to attackers by serving like a white pages or a fast-food drive-through window.
  12. Critical Control 12: Controlled Use of Administrative Privileges. The goal here is to limit very powerful system access. Large organizations are known to have too much access inadvertently granted to too many people. More people increases the likelihood that one of them becomes a willing or unwilling culprit of a data loss.
  13. Critical Control 13: Boundary Defense. This control embodies the traditional and well-known techniques of network defense using firewalls. New, layered technologies augment firewalls in securing corporate networks.
  14. Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs. Audit logs are often the source of the proverbial fingerprint, fiber, or hair that once discovered, ties a crime to a criminal. Enterprises should not collect unnecessary data, nor should they ignore the data they do collect.
  15. Critical Control 15: Controlled Access Based on the Need to Know. Related to Control #12, enterprises should only grant access to systems based on a need to know the data in that system. Departments should not simply grant access by job title, if an approved access role is not associated with that job title. This control corrects the common practice of blindly giving a new employee the same access as their manager or co-worker. Such a practice often unknowingly promulgates excess access in the enterprise.
  16. Critical Control 16: Account Monitoring and Control. Also related to #12 and #15, this control alerts management of unauthorized activity stemming from illicit intentions or unintentional mistakes.
  17. Critical Control 17: Data Loss Prevention. This control represents a newer breed of technology that detects large amounts of data leaving the enterprise network. This control addresses an unfortunate reality that many large enterprises discover breaches that have been sending sensitive data to criminals for months and years prior to discovery.
  18. Critical Control 18: Incident Response and Management. The adage “not if, but when” certainly applies to whether an enterprise will be hacked. This control addresses an organizations ability to limit the damage and preserve reputation and protect customers.
  19. Critical Control 19: Secure Network Engineering. Related to many of the other controls, this control seeks to establish a competency in secure network architecture, and the design and deployment of secure networks. See controls 4, 7, 9, 10, 11, 13, and 17.
  20. Critical Control 20: Penetration Tests and Red Team Exercises. There is no better way to know whether you enterprise is vulnerable to hackers than to employ good-guy hackers, often called “white-hats” or “red teams.” Such simulated hacking can discover unknown vulnerabilities and include both technical testing as social engineering, where attackers attempt to get employees to divulge passwords and grant access, based on employee good nature and natural willingness to help. Continue reading
  21. People, Process, and Technology: Transitioning from the Firm to the Corporation

    There are three primary ingredients that are necessary to produce business results: people, process, and technology, setting aside raw materials, capital.  These three resources offer a useful model for analyzing and solving business problems, and whether we realize it or not, most people generally use them in business problem solving.

    Law firms tend to view these three categories differently than their corporate clients. These different views are a result of the unique history and role in society of the legal profession, and the economic model long used by the legal industry. Understanding these differences can greatly assist an attorney who transitions from a career in a law firm to an inside counsel, or compliance role. Success certainly requires in-house counsel to deploy people, process, and technology to produce desired legal outcomes. However, in order reduce the overall cost of legal expenses while maintaining quality, and even achieving more for less, many in-house attorneys are required to view people, process, and technology more like a seasoned business manager than a seasoned law firm partner. The challenge for compliance officers is even more drastic because they are using people, processes and technology, in ways they are unaccustomed to at the law firm, to create and execute non-legal functions that enable compliance.

    People

    The day that an attorney leaves a firm to join a corporation as counsel or compliance officer, he or she has moved from one side of the billable hour equation to the other. Less becomes more. Many law firms still array human capital one hour at a time. Corporations array human capital on a task and functional basis as opposed to one that is largely time-dimensioned.

    More importantly, attorneys newly hired by corporations have left the law firm caste system behind. Corporate counsel are wise to view IT as fellow artisans working in a different medium, rather than technicians who run on invisible treadmills somewhere in the basement of the firm. Corporate IT and those who run it generally wield more power, and demand more respect within a typical corporation than the litigation administration and e-discovery specialists at law firms. Compliance officers will fail without key partners in IT. Often the arrogance and hubris of the legal profession, whether perceived or real, precedes the new compliance officer, giving her an additional obstacle to overcome.

    Process

    Successful companies scrutinize core processes, especially processes that directly generate revenue or expense, for efficiency, accuracy, and optimization. There are no monetary rewards in allowing a contract-generation process to continue to take six hours when it can be reduced to four. Processes should be documented using conventional process documentation notation, scrutinized for inefficiency, and reviewed for key inputs, outputs, and dependencies. Gains in efficiency are often made when identifying cross-functional dependencies and optimizing processes to better satisfy internal partners. It also may make sense to outsource your processes to internal service providers. For example, an internal legal function might leverage vendor management, accounts payable and human resources services instead of operating unique versions of these fundamental business activities. Likewise, external service providers can replace expensive internal processes with cheaper outsourced ones. For example, corporate counsel may engage a legal services provider who employs a modern, innovative billing model based on value, not hours. Such work is well suited for low-risk, high-volume transactional legal work.

    Technology

    A golden rule for buying or building technology is never let the technology tail wag the process dog. This means that in order to be successful in deploying technology you must understand what problem you are trying to solve, and more specifically, what business process are you trying to automate? Technology for all its impressiveness is still just a dumb beast that speaks in zeros and ones. It can only automate what you have already defined and optimized. If you automate an inefficient process, you simply get more inefficiency faster.  If you don’t have a clear process in mind to automate, with specific goals, you risk allowing your technology to create problems for which you need to create new processes to solve, and you introduce chaos. Your goal in procuring technology should be to execute repeatable, automated steps faster so you can free up human resources to deploy to work on what is generally not automatable.

    The transition from outside to inside counsel or compliance officer can be difficult. Adjusting to a corporate culture requires reliance on internal partners and being able to accomplish objectives in new, unfamiliar ways. Approach problem solving by decomposing goals into the three constituent parts: people, process, and technology. Success depends on understanding how these three elements work together, and how to efficiently deploy them to achieve desired results.

    Corporate Counsel Role in Governing Privacy and Security Risk

    Corporate Counsel Role in Governing Privacy and Security Risk

    The advent of the Chief Privacy Officer role has occurred largely within the regulated sectors of health care and financial services, but has spread to many industries and companies of all sizes. The spread has no doubt been quickened by the FTC’s enforcement of Section 5 of the FTC Act (15 USC 45), prohibiting “unfair or deceptive acts or practices in or affecting commerce.” The most common enforcement actions undertaken by the FTC have been against companies whose use of their customer’s personal information is in violation of their own stated privacy policies. These types of mishaps reveal an underlying lack of coordination between the privacy and security functions. Therefore, the quality of the relationship between an organization’s privacy and security functions may be a key predictor of compliance success.

    The introduction of a privacy program within an organization can sometimes cause tension with the information security function. These tensions arise out of the common goals and purposes shared between the two groups. Further, shared interest in common technologies that provide for confidentiality of information, the primary objective of both groups, can confuse program scope or worse, foster unhealthy competition. In house counsel can work to ensure the relationship between privacy and security functions is conducive to reducing risk, not introducing it.

    In-house counsel can provide leadership to executives and prove instrumental in harmonizing the privacy and security programs within their organizations. Counsel should consider the privacy and security functions in context with each other, understanding the relationships and dependencies between the two groups. The key is for counsel to remain informed and abreast of the goals and strategies of the privacy and security functions, and recognize points of reliance and points of divergence between the two. With advance planning and guidance, tensions that commonly arise between the two functions can be defused, and both programs can thrive in part due to the success of the other.

    Counsel should consider the following. First, privacy is usually not attainable without security. Arguably, the primary objective of an information security program is to protect the confidentiality of sensitive information from unauthorized disclosure. The privacy program is focused on the same objective for a subset of the organizations sensitive data: personally identifiable information, or PII.  The privacy team can and should rely on the vast arsenal of technologies deployed by corporate information security departments to preserve confidentiality. Since the privacy function doesn’t need to replicate these technologies, it can focus on privacy process and policy.

    Second, the policies produced by each group have important differences. Privacy policies often embody requirements found in unique state, federal and international laws and regulations that apply to individual consumers, whom these laws are designed to protect. What information about the person is collected and why? How will it be used?  How will the corporation’s technology interact with that person and her data? For example, how will cookies be used to capture and track a customer’s online behavior?

    By contrast, information security policies are rooted in best-practice, industry consensus frameworks, as much as they are based on legislative frameworks. While such frameworks for privacy are strengthening, such as the generally-accepted privacy principles (GAPP) there are many more and robust frameworks available for information security.  Care should be taken to correlate privacy policies with security policies so that one doesn’t step on the other. A common misfire of privacy programs is to produce privacy policies that create redundancies or inconsistencies with security policies.

    Third, as corporate governance mechanisms continue to evolve and mature, they are capable of contemplating and overseeing the management of security and privacy risk. Legal officers might be more likely than CISOs or CPOs to participate in the governance committees of an organization.  If a risk, operations, or information officer has not already sounded the call to information governance, the general counsel may bring to light the management of these unique and ever-growing risks.

    In summary, in house counsel can do the following with regards to guiding the privacy and security functions in achieving overall risk management objectives:

    • understand the common and diverging goals of each program
    • recognize the dependencies between privacy and security programs
    • understand that security and privacy policies should be complementary, can co-exist within the corporate policy framework, but have unique differences.
    • engage corporate governance functions as appropriate to oversee privacy and information security risk management

    Information Security: Who’s Problem Is It?

    As citizens in the age of information, we have no choice but to divulge our unique identifiers. The sharing of our personal information is mandatory in order to engage, and be a member of society. Without our personal information we cannot work, purchase the necessities of life, or even obey the law, such as by filing our annual tax returns. By divulging our personal information to government and private entities we are forced into a relationship of trust. We trust those who receive our information to safeguard it, thereby preventing the types of breaches previously discussed.  Perfect security over personal information cannot be attained without never disclosing personal information and a complete and total withdrawal from society altogether.

    Crime will always exist and identity theft will remain an opportune crime for the foreseeable future. Because of these threats, and because we will continue to be required to divulge our sensitive information, we must actively manage the risk posed by these threats. While we may never eliminate identity theft entirely, we can and should expect a certain degree of care to be taken by those to whom we entrust our sensitive personal information. We can expect that when reasonable steps are taken to safeguard our information, it will be less likely to be compromised.

    Parents of young children spare no effort to keep their children safe from harm. Children are taught how to safely cross the street, how to obtain help when a parent is not near, and how to recognize dangerous situations. Parents certainly understand the impossibility of eliminating all threats to their children completely. However, by following a manageable number of precautions and safeguards, the risk of harm to children falls to acceptable levels and the family unit is able, in most cases, to safely engage society.

    So it is with the care and protection of our sensitive information. We are subject to the consequences of our own decisions. If we routinely discard our personal information, un-shredded into the household trash, or if we routinely leave our mailbox full of mail for days at a time, we are creating opportunities for bad actors to come into possession of our personal information. We take precautions when the threats are numerous: we do not leave children unattended in shopping malls. We don’t take precautions when threats are scarce: there just aren’t that many people dumpster diving residential recycling bins. We can and should expect custodians of our personal information to be cognizant of the threats to the information they possess and to take precautions to protect it when we can’t.

    Corporate Duty to Safeguard Personal Information

    Corporations that collect, store and use our personal information have a duty to safeguard it. The duty of corporate directors to ensure the organization functions within the law to achieve its purposes, is well established in American jurisprudence. Further, corporate directors have a duty to monitor the enterprise’s internal controls over fraud, financial reporting and data protection. The U.S. Supreme Court has provided a line of cases establishing the duty of corporate directors to monitor: “The standard for assessing a director’s potential personal liability for failing to act in good faith in discharging his or her oversight responsibilities has evolved beginning with our decision in Graham v. Allis-Chalmers Manufacturing Company, through the Court of Chancery’s Caremark decision to our most recent decision in Disney.” – Stone v. Ritter (911 A.2d 362).

    The Delaware State Supreme Court explained the duty to monitor in the case In Re Caremark Int’l, 698 A.2d 959 (Del. Ch. 1996): Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability-creating activities within the corporation, as in Graham or in this case . . . only a sustained or systematic failure of the board to exercise oversight-such as an utter failure to attempt to assure a reasonable information and reporting system exists-will establish the lack of good faith that is a necessary condition to liability.

    The Problem of Externalities

    In theory, we pay for the protection of our personal information because the cost of doing business and operating government is passed on to consumers and taxpayers. Unfortunately, it isn’t that simple. Recent advances in information security theory have been made by leveraging economic and psychological concepts to explain some of the intractable problems faced by security experts. The economic incentive to protect information may not be readily apparent to those custodians of sensitive personal information. In fact, it may not exist at all.

    An externality is an economic concept that describes situations where a transaction creates a cost (or benefit) for a third party not involved in the transaction. An externality occurs when “[t]he people who could protect a system are not the ones who suffer the costs of failure.”[1] The cost of a data breach may be squarely focused on the victim whose data was compromised. Thus, there may be no economic incentive for custodians to go to great lengths to protect information when a breach of that information’s confidentiality results in no financial harm to the custodian.

    Because of these externalities that are passed on to third parties, particularly victims of identity theft, free market forces are less likely to achieve a desired effect of creating economic incentives for good information security practices. Because “protecting individual privacy remains an externality for many companies . . . basic market dynamics won’t work to solve the problem. Because the efficient market solution won’t work, we’re left with inefficient regulatory solutions.”[2] Indeed, getting data custodians to internalize externalities is typically done by regulation or by the specter of liability.

    Data Protection Laws, and Regulations: Establishing a Duty To Meet a Standard Of Due Care For Information Security

    Based on the number of individual data breaches and the number of sensitive records exposed each year, it is safe to say that both public and private institutions are hemorrhaging private, sensitive information into unauthorized hands. Custodians of information must take responsibility for the sensitive information in their possession and must be held accountable for failing to meet a standard of due care for protecting information. This enforcement can be accomplished either by the regulatory regime, by threat of punitive damages and civil suit by the subjects who own the compromised information, or both.

    The statutory and regulatory environment for protecting information is an industry-specific and context-sensitive patchwork of state and federal laws that are insufficient to create and encourage private and public entities to apply the appropriate safeguards to protect personal information.

    An Emerging Standard

    The concept of tying the myriad data protection requirements found in a wide variety of laws, regulations, and contractual requirements into a comprehensive duty of care was set forth by attorney and author Thomas Smeddinghoff in his book “Information Security Law: The Emerging Standard for Corporate Compliance.”[3] Other authors have also recognized a duty of care over the protection of information. Unfortunately, in order to be fully recognizable, the duty of care must be pieced together from a variety of sources. Laws and regulations may overlap different types of entities in different industries and jurisdictions. The applicability of each of the following sources will vary for each custodian; therefore, no single standard of care can be distilled and applied universally.

    Despite the patchwork compliance many companies face, most regulated industries have a few core data protection obligations, as enforced by regulators. Two important outcomes are important: general counsel should oversee the adequate dispensing of legal advice supporting the compliance function, and chief information securities officers must maintain information security programs that blend technical, process and administrative controls in ways that meet both the regulatory environment, in addition to meeting such basic practices as those espoused in the SANS 20 Critical Controls, or other control frameworks.

    [1] Bruce Schneier, “Economics and Information Security” available at: http://www.schneier.com/blog/archives/2006/06/economics_and_i_1.html, accessed March 4, 2013.

    [2] Bruce Schneier, “The ‘Hidden Cost’ of Privacy” Schneier on Security, available at: http://www.schneier.com/blog/archives/2009/06/the_hidden_cost.html, accessed March 4, 2013.

    [3] Published by ITG Governance, Ltd., October, 2008.

    Improving Critical Infrastructure Cybersecurity

    Improving Critical Infrastructure Cybersecurity

    Ongoing attempts by both houses of Congress to introduce legislation improving cyber security in the private sector, and facilitating information sharing between private and public sectors are renewed each legislative session.  After several failed bills in recent legislative sessions, most recently in late 2012, the Obama administration is taking the initiative.  On February 12, 2013 President Obama issued an executive order entitled “Improving Critical Infrastructure Cybersecurity (the order), accompanied by a Presidential Policy Directive (PPD-21).  The order defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, [and] national public health or safety[.]”  The PPD specifically calls out 16 industries and sectors, including health care, financial services, food and agriculture, information technology.

    The executive order calls for a partnership with owners and operators of critical infrastructure by instructing the Departments of Justice and Homeland Security, and the Director of National Intelligence to provide “unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.”  The order also expands a voluntary information sharing program known as Enhanced Cybersecurity Services to include all critical infrastructure. This program provides classified cyber threat and technical information to participants.

    Cybersecurity Framework

    The order calls on the National Institute of Standards and Technology (NIST) to create a framework to reduce cyber risk to critical infrastructure.  Such frameworks are not new, and many outstanding frameworks currently exist to aid practitioners in the evaluation and selection of controls to mitigate cybersecurity risk.  The federal government is required to consume such frameworks, particularly those produced by NIST, in securing the government’s technical infrastructure. Examples of popular frameworks include the COSO ERM framework for managing enterprise risk, the COBIT framework for managing IT risk, and two frameworks for guiding the design and implementation of information security controls, the ISO 27002 framework and NIST’s own 800-53, are quite popular. It is curious why NIST is being called upon to deliver a new framework, in light of the current NIST standards already published that deal with many aspects of cybersecurity.

    More To Come

    The PPD instructs the Dept. of Homeland Security to “[c]onduct comprehensive assessments of the vulnerabilities of the Nation’s critical infrastructure in coordination with the [sector-specific regulatory agencies] . . . and critical infrastructure owners and operators. In past many regulatory agencies have incorporated risk assessments into their regulatory examination process. Now, perhaps vulnerability assessments will soon be added to their examination scope.

     

    Despite the recent legislative death of multiple cybersecurity bills, there will be many more. In recent days the Rogers-Ruppersburger Cybersecurity Bill was introduced in the House.  Only time will tell if Congress will be able to pass legislation to curb, support, or enhance the elements of these recent administrative actions. 

    Role of Counsel in Addressing Critical Infrastructure Cybersecurity Risk

    Legal counsel representing these entities may work to ensure coordination internally with information security and compliance functions to gauge the regulatory and financial impact of enhanced regulations.  The order calls for the regulatory agencies that oversee critical infrastructure industries to determine wither existing regulation is sufficient in light of the perceived current and projected risks. Compliance officers may be faced with heightened regulatory requirements in the coming years.

    Supply chains are also likely to be impacted. While the order does not specifically mention new obligations to conduct vendor risk assessments, such as those promulgated by financial industry regulators in response to the Gramm Leach Bliley Act, critical infrastructure providers face a variety of risks. Reports of foreign-produced hardware and equipment laced with malicious computer code surfaced years ago, and continue to surface.  Voluntary public-private programs exist to help mitigate some of these risks. The Information Assurance Directorate of the National Security Agency offers certification programs for vendors and hardware who supply the United Stated government.

    Counsel should coordinate with information security officers to formalize how cybersecurity information sharing will be carried out within the organization. Such information should be coordinated across multiple functions with the organization, with appropriate executive oversight.  Privacy officers may also have a vested interest in ensuring that data sharing does not impact the confidentiality of personally identifiable information of citizens and customers.

    Counsel may also play a role in sector and company-specific involvement in the legislative and regulatory process through comment periods. This activity may prove critical, and counsel may take a unique role in collecting and representing to officials the practical and unintended impacts of various proposals.

    Strengthening General Counsel’s Relationship with the CISO: What the CISO Needs and May Not Be Getting From You

    Strengthening General Counsel’s Relationship with the CISO: What the CISO Needs and May Not Be Getting From You

    It is clear there is an unprecedented level of anxiety amongst corporate legal teams concerning data security.  Over half of general counsel (55%) rate data security as a major concern, as do 48% of directors, according to an August 2012 survey conducted by Corporate Board Member and FTI Consulting.  This concern has been mounting for years, fed by an ever rising tide of publicized data breaches, regulatory actions against offending organizations, high-profile international policy disputes, myriad regulations, and constant reminders of advancing threats to intellectual property, high-tech financial crime and theft of private customer data.  General counsel can do much to enable the Chief Information Security Officer (CISO) with insight, support, and recommendations for reasonable protection of organizational value and reputation.

    What CISOs Don’t Need

    At a recent information security industry conference, members of the legal community gave a series of roundtables, panels and presentations on the topics typical of the conference:  cloud security, EU data privacy, data breach responses, recent case law and regulatory updates.  Many CISOs in attendance were disillusioned by what they heard.  They noted disagreement between the presenters and an overall lack of consensus as to appropriate approaches to compliance.   In typical fashion, presenting attorneys took opposite sides of fierce debates, hotly contesting their personal views. While illustrative of the adversarial nature of the legal system, there was little guidance offered regarding practical compliance approaches and much debate over minutiae and theory. The CISOs wanted guidance and came away wanting.

    What CISOs Want

    Of course CISOs must understand legal requirements. But CISOs must also stay abreast of trends in regulatory actions for information security non-compliance. What are the penalties being levied? What are the root causes of non-compliance? What regulations are being vigorously enforced? Are there varying degrees of regulatory enforcement within industries? Across industries? How are industry peers approaching compliance?  Are all requirements created equal?  What factors matter when analyzing competing regulations?  How does one compliance approach compare with another?  Can less expensive approaches be good enough?

    Perhaps even more important, and admittedly more difficult, CISOs want to know if the sum and substance of their information security programs is sufficient.  CISOs need help from corporate counsel in articulating a reasonable standard of information security due care, in plain terms.  It is clear that this is much more attainable when the GC and the CISO work together, joining  perspectives in addressing a difficult question.

    The Evolving Role of General Counsel

    KPMG’s recent Global General Counsel Survey highlights several trends, including:

    • GCs need to become more involved in operational details, gaining a better understanding of how the business works.
    • Successful GCs understand what the business is trying to accomplish, and can offer reasonable approaches to controlling risk.
    • Partnering with senior leaders to understand common challenges and contribute to an understanding of how today’s investments may prepare for tomorrow’s risks and regulatory challenges.
    • GC’s will arrive at enterprise risk strategies jointly with specialist input from a variety of corporate knowledge domains, and will do so in simple, crisp language familiar to the stakeholders.

    Each of these trends is applicable in describing a high-quality service provided by a legal team to an information security function.

    Getting to Know Your CISO

    In-house counsel must avoid the tendency to feel overwhelmed by the complex world of information security.  CISO and GCs are both highly specialized, each commanding a vast body of knowledge and an arsenal of analytical tools and techniques. Regardless of what software, tools or tactics used by each, they both share a common objective: managing risk.  Take the time to understand your CISO, the business problems the CISO is trying to solve, and what obstacles the CISO faces.   Collaboration need not delve into the intricacies of the other’s knowledge domain, a tendency that all too often subverts the CISO-GC relationship by distancing the two functions.

    CISOs must prioritize funding and staff to reduce risk, achieve compliance and defend their enterprises.  CISOs desks are stacked with the latest white papers and analyses of the latest three and four letter acronym-labeled regulations. While they need plain-English interpretations of regulations, this is only the beginning.  CISOs also want guidance on reasonable, acceptable, and practical approaches to compliance.   They need forward-looking strategists who can help them do more with less, in a reasonable and defensible way.

    Is the CISSP worth it anymore?

    Update 05/03/12

    The CISSP is still going strong and remains a de facto starting point for most hiring managers in information security.   The level of difficulty of the exam is likely slowing the rate of dilution.

    Update 1/05/11

    The Employment Value of Multiple Certifications, by BankInfoSecurity.com.

    Check out this no B.S. employer perspective on hiring certified job candidates: “Interested in CISSP, SSCP, CISA, and PMP certification holders. (N.B., this is largely a courtesy to our clients; we do not expect that certification will make you an expert and neither should you.)”

    Original Post, 10/23/09:

    Life Cycle

    Let’s consider the life cycle of a professional certification (at least in the IT field):

    1- The sponsoring organization wants to market the certification and promote it so more and more people obtain it. This means an initial grandfathering process whereby the organization sponsoring the cert. can get (presumably) experienced and prominent practitioners to get the certification and give it some credibility.

    2- The difficulty of the exams and requirements are slowly improved. This allows more for swift early adoption and then a quality check on the way to achieving critical mass, slowing the momentum so the certificate doesn’t peak too early. If a certification achieves instant and widespread fame, it will be considered cheap and watered down.

    3- As the inevitable dilution of the certification’s value occurs, due to the number of barely qualified individuals holding it, organizations begin creating specializations or advanced classes of their general certification, to create a “new” certification that can start over with the certification life cycle.

    4- As yesterday’s preeminent and prestigious certification becomes today’s standard, the uniqueness of those gaining the credential becomes lessened.  Applying familiar bell curves to the population of skilled workers (10/80/10 or 20/60/20) the best and the average are all able to pass the test.  If in fact, even some of the lesser skilled professionals can pass the test, the certifying organizations may have a cash cow but will be short lived because the certification will do little for hiring managers in discerning IT talent.  Therefore, a test-based certification loses its ability over time to differentiate skills in the workforce, as more and more of the lesser skilled attain the certification.

    5- Eventually, the certification becomes so unhelpful as an indicator of specialized skills, that the industry, which once benefited by its sifting effect of the pool of job applicants, no longer rely on it and stop asking for it altogether.

    It would seem to me that the CISSP is somewhere in between #3 and #4 in the above life cycle.

    Rote Memorization vs. Practical Skills

    Like most certifications, the CISSP includes required sponsorship and minimum work experience. Presumably this is to help prevent just anyone from walking in off the street and passing the exam, further diluting the value of the credential.  This practice doesn’t seem to be able to prevent the eventual dilution of the certification by mass distribution among those with minimal skills, although it probably slows the process.

    The certifications that require practical performance are harder to pass, and therefore retain their prestige in the marketplace. One of the best examples of this is probably Cisco’s  CCIE certification, which requires the test taker to actually troubleshoot and repair a broken or mis-configured network. The test is notorious.  Cisco claims the lifetime pass rate of the CCIE is 26%, much lower than the California bar exam.

    Another notoriously difficult certification to achieve is the GIAC Security Expert (GSE), offered by SANS. There are only 30 of them in the world, as of Sept. 30, 2010.  The best thing about the GSE is that it is so difficult and expensive to obtain, (two years and ~ $15,000) the risk of it becoming a watered down laughing-stock in the IT Security industry is virtually nil.  The down side is that it is still so obscure, and probably will remain so because of cost barriers, it isn’t going to score many points in the hiring process until late- round interviews, when you meet with the security gurus.

    The most challenging aspect of these practical skills-based certifications is the actual performance of what you learn. You are literally dropped off in a real IT environment for a couple days and you can’t come out until all is well. Good Luck!

    Money Talks, Posers Walk

    There is a double-edged sword to how hard to make your certification, and I suspect it boils down to money.  Here is the Hobson’s Choice to make if you are a certification authority introducing a new certification:

    1. Skills: The certification needs to be hard and thorough enough to demonstrate competency.
    2. Price/Cost: The certification must be priced to generate enough revenue to pay for the overhead required to create it, test for it and offer member services, while yielding a profit. However, it can’t be priced so high that cost becomes a bar to many people.
    3. Credibility: The certification must be earned by enough people that it gains a foothold in the marketplace and becomes a de facto measuring stick of the profession, or at least holds enough weight in industry that it becomes sought after by hiring managers.

    This then becomes the dilemma: You can have any two of the three qualities above, but not all three. If you shoot for all three, your certification will be a one hit wonder that will become a fossilized certificate found between the strata of the IT archaeological record.  Just like my Novell Netware 5 CNE.

    (I purposely ignored the distinction between vendor neutral and vendor product-based certifications. It doesn’t seem relevant to the overriding issue of certification dilution. I understand that a CNE is worthless today b/c the Netware platform did not survive the Microsoft/Novell war, and because of release obsolescence.)

    Here is an author who isn’t quite so “down” on the CISSP.

    Here is a typical complaint regarding the CISSP.   Interestingly, the author advocates professional licensing of information security professionals. He does not consider the fact that he would then have to triple his salary requirements in order to get malpractice insurance.  The threat of litigation against professional misconduct is the single greatest force driving the exorbitant prices charged by licensed professionals (lawyers and doctors) who work under threat of tort litigation. (I’m not intending to get into a debate over tort reform here.)

    The argument to professionally license security experts is analogous to the old argument running back into the 90′s to license software developers, at least those that write code in life support and critical systems, (airline traffic control, space exploration, medical devices, etc.)  I remember vigorous debates on this topic in Dr. Dobbs Journal.

    In summary, if you are seeking employment in, or a job transfer within the information security field, the CISSP is still a de facto requirement in many job descriptions.  You’ll need the certificate to get past the HR threshold criteria. But don’t expect any security managers to think you are any better than their worst security employee, who probably also holds a CISSP.