The CISO Legal Partnership by Alejandro Villegas

THE CISO LEGAL PARTNERSHIP What CISOs can do Better

Transcript of The CISO Legal Partnership by Alejandro Villegas

Page 1: The CISO Legal Partnership by Alejandro Villegas

THE CISO LEGAL PARTNERSHIP: What CISOs can do Better

Page 2: The CISO Legal Partnership by Alejandro Villegas

DISCLAIMER

The views and opinions expressed during this presentation represent my personal and professional experiences and do not necessarily reflect the opinion or position of my current or previous employers, and/or educational institutions.

Page 3: The CISO Legal Partnership by Alejandro Villegas

SPEAKER: ALEJANDRO VILLEGAS

Ethical Hacker with a Business and Legal Education

• Seasoned Cyber Security Engineer with over a decade of experience working for various leading tech companies.
• Law school graduate.
• Education: JD, MBA, MS, BBA
• Certifications: CEH, CISSP, CISA, CHFI, ECSA, LPT, MCITP, ISO 27K Lead Auditor.

Page 4: The CISO Legal Partnership by Alejandro Villegas

QUESTION

Raise your hand if you are 100% assured that your company will never experience a security breach.

Page 5: The CISO Legal Partnership by Alejandro Villegas

OPERATIONAL TRIFECTA

Engineering

Business

Legal

Page 6: The CISO Legal Partnership by Alejandro Villegas

WHY A LEGAL PARTNERSHIP?

Cyber Security has become a predominant challenge for organizations responsible for protecting and safeguarding customer data, such as Cloud Service Providers (CSPs).

Attorneys serve a critical function in ensuring that companies conduct due diligence and adhere to the cyber security requirements mandated by local, national, international and industry information security frameworks.

Page 7: The CISO Legal Partnership by Alejandro Villegas

RELEVANT COURT CASES

SONY: Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 962 (S.D.Cal.2014)

TARGET: Target Corp. Customer Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1177–78 (D.Minn.2014)

TJMAXX: TJX Co. Retail Sec. Breach Litig., 524 F. Supp. 2d 83 (D. Mass. 2007)

Page 8: The CISO Legal Partnership by Alejandro Villegas

ASSUME SECURITY BREACH

Proactive engagement with Legal.

Pre-breach continuous interaction with Legal.

Always assume security breach.

Page 9: The CISO Legal Partnership by Alejandro Villegas

THE LEGAL LIFECYCLE

Avoid reactive Attorney engagement (Incident Response Phase).

Attorney engagement throughout the entire Software Development Lifecycle.

Attorney engagement throughout the entire Secure Operations Lifecycle.

Page 10: The CISO Legal Partnership by Alejandro Villegas

QUESTION

How often do you proactively talk to your attorneys on a regular basis?

Page 11: The CISO Legal Partnership by Alejandro Villegas

END TO END LEGAL DILIGENCE

Attorney Roles: Advisory, Compliance, Drafting, Audit, Litigation.

CISOs must partner with attorneys on every applicable role.

Page 12: The CISO Legal Partnership by Alejandro Villegas

ATTORNEY ADVISORY ROLE

Proactively discuss cyber security challenges such as Ransomware.

Determine whether you should pursue security breach insurance.

Discuss your cyber security program with your attorneys.

Advisory

Page 13: The CISO Legal Partnership by Alejandro Villegas

ATTORNEY ADVISORY ROLE Advisory

Cyber Security Incident Response Plan

Cyber Security Liability Insurance

Post-Attack Public Relations

Cooperation with Law Enforcement (Apple)

Reporting Cyber Crimes

Page 14: The CISO Legal Partnership by Alejandro Villegas

ATTORNEY COMPLIANCE ROLE

Discuss which security compliance certifications are worth pursuing and which ones are not.

What is the cost of non-compliance?

How do you plan to be continuously compliant, not just during the audit engagements?

Talk about the Security vs Compliance dilemma.

Compliance

Page 15: The CISO Legal Partnership by Alejandro Villegas

ATTORNEY COMPLIANCE ROLE Compliance

National Cyber Security Compliance: FISMA, FedRAMP, CJIS (FBI), NIST SP 800-53.

International Cyber Security Compliance: ISO 27001, ISO 27018, EUMC, GDPR.

Territorial Cyber Security Compliance: MTCS (Singapore), IRAP (Australia), UK G-Cloud.

Industry Cyber Security Compliance: HIPAA, PCI DSS.

Page 16: The CISO Legal Partnership by Alejandro Villegas

ATTORNEY DRAFTING ROLE

Review contract security addendums from a security engineering perspective.

Evaluate the feasibility of the clauses and contract obligations.

Determine if you are prepared to meet the security contract requirements.

Are you getting the right assurances from your vendors?

Drafting

Page 17: The CISO Legal Partnership by Alejandro Villegas

ATTORNEY DRAFTING ROLE Drafting

Do the cyber security provisions make sense to engineers?

Do the cyber security controls address the risk adequately?

Are both parties equally agreeing to manage the cyber security risks?

Is it best to use broad language? Is staying silent on a specific provision the best approach?

Page 18: The CISO Legal Partnership by Alejandro Villegas

ATTORNEY AUDIT ROLE

Are you comfortable with the Right to Audit clauses?

Can your company manage multiple concurrent audits?

Have you considered the legal implications of audit findings?

Are your audit papers and artifacts protected by Attorney Client Privilege (ACP)?

Audit

Page 19: The CISO Legal Partnership by Alejandro Villegas

ATTORNEY AUDIT ROLE Audit

Terms of Right to Audit

Duration of the Audit(s)

Scope of the Audit(s)

Limit the number of concurrent Audits

Page 20: The CISO Legal Partnership by Alejandro Villegas

ATTORNEY LITIGATION ROLE

Are you currently conducting due diligence throughout your entire engineering lifecycle?

Are you prepared for a subpoena or a deposition?

Do you adequately invoke the Attorney Client Privilege during your day-to-day security operations?

Proactively talk about litigation strategies.

Litigation

Page 21: The CISO Legal Partnership by Alejandro Villegas

ATTORNEY LITIGATION ROLE Litigation

The value of due diligence: Pre, During & Post a Security Breach

Diligence vs Negligence

Page 22: The CISO Legal Partnership by Alejandro Villegas

VENDOR MANAGEMENT

Vendor Security

Do your vendors meet the same security bar as your company?

How often do you audit vendor security compliance?

Do your vendors have vendors? Do they also meet the security bar?

Page 23: The CISO Legal Partnership by Alejandro Villegas

QUESTION

Do you get involved in the attorney recruitment process?

Page 24: The CISO Legal Partnership by Alejandro Villegas

HIRE ENGINEER ATTORNEYS

Patent Attorneys generally have a science background to prosecute patents with the US Patent Office.

Cyber Security Attorneys must be qualified to understand the engineering intricacies of your Cyber Security Program.

Page 25: The CISO Legal Partnership by Alejandro Villegas

END TO END LEGAL PARTNERSHIP

Ultimately you must proactively engage your legal team and leverage your attorneys throughout the entire lifecycle of your security engineering operations.

Conduct End to End Legal Cyber Security Due Diligence!

Page 26: The CISO Legal Partnership by Alejandro Villegas

Q & A