Why data security and the law should be friends | Womble Bond Dickinson
Marketing wants the freedom to make promises, and compliance withholds it. Production needs a wave of hiring, and finance is saying "no". The IT department believes that the new systems demanded by HR are unusable in the current structure of the network.
I used to work for a large company that sold three different versions of PCs through three different production and sales channels, where each sales group promoted its own product and disparaged the other company's offerings to customers. "Buy my desktop computer because the other desktop versions my company makes stink." This can be a mess.
Natural conflicts develop within and between departments. Some lawyers feel that they represent the teams they are responsible for supporting. Other lawyers believe they represent "the institution" against the damage those teams could cause. These frictions can be damaging, but they can also assure management that important priorities will have advocates within the company.
I have seen situations in which the CISO's team disagreed with the company's lawyers and resented legal intrusion into their field. But despite their different missions and portfolios within the company, there is no reason why the information security team and the legal department should not be allies. Indeed, these two internal teams can support each other's priorities.
The CISO's team, the people who protect corporate networks, performs a critical and complex function. Attacked from all quarters around the world, these defenders not only prepare for known threats, but build a system capable of withstanding incidents that no one has yet considered. They create, maintain and support resilient systems (technology, policy and procedure) so that all other business functions operate seamlessly. They must plan in advance for resilience and recovery against every threat, from government-sponsored attacks to asteroid strikes.
The legal department fulfils a similar role. Starting with the laws, rules, regulations and contracts that dictate compliant business operations, the legal department measures risks and threats, internal and external, and guides the business through the most dangerous waters. Legal develops a protective and resilient infrastructure of risk-resistant policies, procedures, agreements and documentation to keep all business functions running seamlessly. It plans ahead to withstand litigation and regulatory investigations, and it improves the business's disaster recovery options.
Security professionals and lawyers need to train the rest of the business to operate as safely as possible while leaving the greatest operational freedom to the other parts of the business. Data security and legal both need to educate the rest of the business on the rules associated with each business function, and both must develop policies and procedures to minimize risk. Both functions work with the company's suppliers and customers to ensure that primary relationships do not significantly increase risk. Both are essential for contingency planning and disaster recovery. Both are crucial for good governance of business operations.