This post is the second in a six-part series based on an interview with Jason Smolanoff, Senior Managing Director, Global Cyber Risk Practice Leader, and Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk practice. The 30-minute interview was conducted by Legal Week’s Dominic Carman.
Our previous post focused on the need for the general counsel’s office to create a proactive information security strategy supporting a validated narrative for cyber incidents. Now, Jason explains that the next phase is to build an information security framework based on best practice standards, such as the National Institute of Standards and Technology (NIST) protocols for detection, response and recovery. But even having the narrative and the framework in place is not enough.
According to Jason, some GCs tend to overlook that once the framework is in place, it needs to be made “operationally mature,” that is, it has to work properly. It’s not a “set-it-and-forget-it” strategy. The ongoing care and feeding of the framework is how a defensible strategy is created. If a cyber breach does occur, the organization will be able to successfully minimize its risk in the event of a look-back or regulatory inquiry.
Andrew adds that this process of creating operational maturity is very often supported by the compliance team, which works closely with general counsel to establish ordered regimes and help ensure that:
- All of the policies are actually being implemented
- Policies are being reviewed
- In the event of incidents, lessons are being learned, documented and shared
In this way, the audit trail of compliance is effectively built to demonstrate that it was a living process within the organization. Importantly, it documents that actions like vulnerability analyses and penetration tests were repeated at the frequency aligned with the organization’s risk policy.
Read the full Q&A transcript
Jason: The next phase to that is you take an information security framework that's based upon detection and response in the United States. NIST, which is the National Institute of Standards and Technology, came up with an information security framework that is really based upon the ability of a company to detect and respond.
Now, you would think that if you have a narrative and you then have this framework and you put it into place, then you're in good shape. But, I will tell you that it is not what I call a “set-it-and-forget-it” strategy. The piece that most general counsel tend to overlook is, once it's in place, you need to make it operationally mature, which means it needs to function properly. You can't just set it up and then let it go and not give it care and feeding. It's the operational maturity component that is a very defensible strategy where if you have to disclose, you'll be able to successfully minimize your risk. You can't eliminate it, but you can minimize your risk to any of these sort of external forces that may want to have some type of look-back or inquiry into the company.
Andrew: And that's very often supported by the compliance team, who GCs work closely with, establishing ordered regimes to determine that all of the actions laid out in the policies that have been agreed by the board and enacted are actually being implemented, that they're being reviewed and, in the event of incidents, lessons are being learned. And you build not just that narrative, but that audit trail of compliance to demonstrate that it was a living process within the organization, that security was checked regularly and things like vulnerability analyses and penetration tests were repeated at a frequency determined by the business in alignment with their risk policy.