General Counsel are leaders in enterprise risk management and should therefore have a central role in the company’s information security methodology. The GC is broadly aware of an organization’s risks and objectives, maintains a good understanding of its clients and internal stakeholders, works within a defined legal framework, and has a sense of how to mitigate risk.
A Chief Information Security Officer’s value may only be fully realized when a cyber incident occurs. The CISO can become a crucial driver not only of digital transformation but also of risk management, as effective information security practices are vital both in preventing a successful incident and in responding to one. Legal professionals understand risk management and the urgency that accompanies it. Not being aware of statutory requirements can prove costly to a company, not to mention the reputational harm that may follow. This is again a clear argument for promoting GC/CISO alignment.
Successfully meeting risk mitigation obligations is a cooperative effort. A partnership must exist across the enterprise between the GC, IT, and security organizations to establish the proper controls and enlist executives to meet these obligations.
Given the continually changing skills required in each of those domains, the GC is well positioned to lead this collaborative effort. Reporting to the GC may provide the foundation for what CISOs should focus on next: moving beyond the security silo to play a central role in overall business leadership.