This post is the fourth in a six-part series based on an interview with Jason Smolanoff, Senior Managing Director, Global Cyber Risk Practice Leader, and Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk practice. The 30-minute interview was conducted by Legal Week’s Dominic Carman.
Lawyers don’t necessarily have to be IT experts to successfully manage cyber security, according to Andrew. But, he added, it helps to “speak” the IT language relevant to information security. Spending time with your IT security team in advance of a breach and rehearsing those scenarios gives GCs sufficient exposure to the language and the high-level technicalities that they need to do the job effectively.
Andrew uses this analogy: When an attorney is prosecuting a surgeon for malpractice, she doesn’t need to understand brain surgery. She does need to understand the process the surgeon is supposed to be following and how he makes risk decisions. It's that kind of inquiring mind the general counsel brings to the table that is essential in running the incident response plan, not a detailed knowledge of cyber forensics.
Jason adds a global perspective. One thing he reports seeing is general counsel over-reliant on their IT department to provide forensic support during an investigation or when an incident response is activated. IT is very good at keeping the lights on. But the skill set required for performing an actual incident response is quite different than what IT is doing on a day-to-day basis. It’s important to have on retainer an expert forensics firm, good outside counsel and a crisis communications firm, which are all well-versed in managing emergencies.
Read the full Q&A transcript
Dominic: That raises an interesting point, which is that GCs are highly trained in terms of the law and understanding all the relevant issues, compliance internally, externally, all the areas of risk that their company may or may not be subject to. But they're not necessarily – in many cases, they're definitely not – in some cases they're getting towards it – becoming IT experts. Wearing two hats is very difficult. And how is that divide bridged most easily for GCs who feel a deficiency in their IT skill set?
Andrew: Lawyers, by the nature of the job, are highly intelligent people. But they don't have to be an IT expert. It helps if they're IT literate, but they don't have to be an expert. Spending time with your IT team and your IT security team in advance of a breach, rehearsing those scenarios, will give them sufficient exposure to the language and the high-level technicalities that they can do the job effectively. Solicitors, barristers in court, if they're prosecuting a surgeon for malpractice, they don't need to understand brain surgery. They need to understand the process that the surgeon is supposed to be following and how you make risk decisions about what you're doing next. It's that inquiring mind, that intelligence that the GC brings to the table that is essential in running the incident response plan, not an absolutely detailed knowledge of cyber forensics.
Dominic: From a global context, what would you like to add, Jason?
Jason: I think one thing that I've seen in a variety of places is general counsel sometimes tend to over-rely on their IT departments to provide information security or forensic support during an investigation, or when an incident response is activated. And again, IT is very good at keeping the lights on. But the skill set required for performing an actual incident response is quite different than what these folks are doing on a day-to-day basis. So, like Andrew said, it's quite important to have in advance a good forensics firm on retainer, a good outside counsel on retainer, along with having – many folks now have crisis communications firms on retainer. Because the skill sets that your PR department has or your marketing department, or your IT department, they're much different than managing an emergency. And that's something that we do pretty routinely.