Following Sullivan’s trial, CISOs are understandably concerned about their legal risks and liabilities. Team8’s guide outlines how CISOs can arm themselves against legal repercussions as fully as possible through robust documentation, clear communication, and thorough diligence.
On joint responsibility
- Data security, and therefore the CISO’s work, straddles many different departments in a company. There must be an established level of cooperation and collaboration so that everyone is kept in the loop - one way to achieve this is by creating interdepartmental committees. A crucial task for the CISO is writing an incident response playbook that determines who will be notified about a breach and in what order, and that lays out each party’s responsibilities.
On conflict resolution
- CISOs need to determine a process for conflict resolution. This could include exploring what steps should be taken if, for example, the company’s management doesn’t want to report a breach, or if public health and safety are at risk. These kinds of issues often end up putting the CISO in the line of fire when it comes to liability - so it’s critical that a framework for resolving them is devised beforehand.
Don’t trust - verify
- CISOs need to always remember that they may be misled - deliberately or not - by other people, whether from external organisations or from their own company. For example, if a CISO is told that a device doesn’t need to be secured because it holds no personal data, they must check. When asking other people to run these checks for them or to take other important actions, they should make sure they have a paper trail of their requests, so they don’t risk being held accountable for the negligence of others.
Don’t be afraid to say no
- If CISOs are asked to do something that entails breaking the law, or puts too much at stake for the company, its employees, or its customers, they should speak up and opt out.
Why does this matter for businesses?
- CISOs are likely feeling anxious about their status as potential scapegoats, but the guidance in this article can help calm their fears. Having a clear understanding of their responsibilities and of the need to engage with stakeholders, as well as knowing what to look for in their employment agreements, will help CISOs protect themselves from legal liability as much as possible.