GCs: The Role of IT Literacy in Effectively Managing a Cyber Breach

July 09, 2018

This post is the fourth in a six-part series based on an interview with Jason Smolanoff, Senior Managing Director, Global Cyber Risk Practice Leader, and Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk practice. The 30-minute interview was conducted by Legal Week’s Dominic Carman.

Lawyers don’t necessarily have to be IT experts to successfully manage cyber security, according to Andrew. But, he added, it helps to “speak” the IT language relevant to information security. Spending time with your IT security team in advance of a breach and rehearsing those scenarios gives GCs sufficient exposure to the language and the high-level technicalities that they need to do the job effectively.

Andrew uses this analogy: When an attorney is prosecuting a surgeon for malpractice, she doesn’t need to understand brain surgery. She does need to understand the process the surgeon is supposed to be following and how he makes risk decisions. It's that kind of inquiring mind the general counsel brings to the table that is essential in running the incident response plan, not a detailed knowledge of cyber forensics.

Jason adds a global perspective. One thing he reports seeing is general counsel over-reliant on their IT department to provide forensic support during an investigation or when an incident response is activated. IT is very good at keeping the lights on. But the skill set required for performing an actual incident response is quite different than what IT is doing on a day-to-day basis. It’s important to have on retainer an expert forensics firm, good outside counsel and a crisis communications firm, which are all well-versed in managing emergencies.

Read the Full Q&A Transcript

Dominic: That raises an interesting point, which is that GCs are highly trained in terms of the law and understanding all the relevant issues, compliance internally, externally, all the areas of risk that their company may or may not be subject to. But they're not necessarily – in many cases, they're definitely not – in some cases they're getting towards it – becoming IT experts. Wearing two hats is very difficult. And how is that divide bridged most easily for GCs who feel a deficiency in their IT skill set?

Andrew: Lawyers, by the nature of the job, are highly intelligent people. But they don't have to be an IT expert. It helps if they're IT literate, but they don't have to be an expert. Spending time with your IT team and your IT security team in advance of a breach, rehearsing those scenarios, will give them sufficient exposure to the language and the high-level technicalities that they can do the job effectively. Solicitors, barristers in court, if they're prosecuting a surgeon for malpractice, they don't need to understand brain surgery. They need to understand the process that the surgeon is supposed to be following and how you make risk decisions about what you're doing next. It's that inquiring mind, that intelligence that the GC brings to the table that is essential in running the incident response plan, not an absolutely detailed knowledge of cyber forensics.

Dominic: From a global context, what would you like to add, Jason?

Jason: I think one thing that I've seen in a variety of places is general counsel sometimes tend to over-rely on their IT departments to provide information security or forensic support during an investigation, or when an incident response is activated. And again, IT is very good at keeping the lights on. But the skill set required for performing an actual incident response is quite different than what these folks are doing on a day-to-day basis. So like Andrew said, it's quite important to have in advance a good forensics firm on retainer, a good outside counsel on retainer, along with having – many folks now have crisis communications firms on retainer. Because the skill sets that your PR department has or your marketing department, or your IT department, they're much different than managing an emergency. And that's something that we do pretty routinely.

Jason N. Smolanoff Senior Managing Director, Global Practice Leader, Cyber Risk

Jason Smolanoff is a Senior Managing Director, Global Cyber Risk Practice Leader, based in the Los Angeles office. Jason, who brings more than 16 years of federal law enforcement and information security experience, has played a leading role in some of the most significant cyber security investigations in history. Over his career, he has specialized in supervising and investigating sophisticated computer and network intrusions conducted by state-sponsored organized crime, hacktivists, and insider threat actors, often developing and maintaining productive partnerships with international intelligence and law enforcement agencies as well as private industry.

Andrew Beckett Managing Director, EMEA Leader, Cyber Risk

Andrew Beckett is a Managing Director and EMEA Leader for Kroll’s Cyber Risk Practice. Andrew began his career at GCHQ where he held a variety of roles including head of the branch responsible for providing cyber security advice to government departments and penetration testing. He also served in the Organisation for the Prohibition of Chemical Weapons (OPCW). This is an International Civil Service organisation operating under the auspices of the UN where Andrew was the first head of the Office of Confidentiality and Security and charged with setting up this team. Andrew went on to run his own commercial consultancies before joining Airbus Defence and Space in the UK as the head of Cyber Defence, a role he filled for five years before joining Kroll. Andrew is a visiting professor of Cyber Security at the University of South Wales.
