Compliance with information security regulations should not be viewed simply as a sunk cost or a minimal value-add activity. It should be viewed as an opportunity for the legal team to engage with its business partners and establish regulatory compliance as a differentiator. Done effectively, the legal team’s involvement in driving the implementation of controls will not only reduce risk, but will also result in an improved partnership with the business and increased credibility and influence for the legal function.
The legal team can be a key contributor to the information security team. It is knowledgeable about information security requirements that arise from laws and regulations (e.g., export control laws), customer and supplier agreements, and the limitations of the organization’s systems. The legal team can be especially effective when engaged early, which should happen naturally provided it has earned the role of trusted advisor within the organization.
Threats to organizations are evolving. Regulations are inevitable, as is their enforcement. The overall cost of information security continues to rise, and it is significantly higher in any organization that suffers a breach. Organizations that make a concerted effort to treat information security as a capability rather than a sunk cost can reduce their overall risk and cost, and build trusted relationships with their business partners. The legal team is well positioned to support the organization in achieving these goals, and to establish a trusted advisor role that will pay dividends in the form of engagement and collaboration.