Hot Off the Press: A CISO’s Guide to Legal Risks and Liabilities
Being a CISO is a tough job, and with the recent conviction of Uber’s former CSO, Joe Sullivan, it became even harder.
Not only are CISOs held responsible for the cybersecurity of the enterprise, often they need to do so without the appropriate tools and resources – and now, they also risk jail time. Or at least being named in class action lawsuits, as in the SolarWinds case.
Team8’s CISO Village, in collaboration with SINET, is releasing our new CISO guide on legal risks and liabilities, to shed light on what a CISO needs to be aware of on the legal front, covering the questions they’d need to ask their General Counsel, the challenges they will face, and the types of dilemmas that might arise. Of course, our guide isn’t a substitute for legal advice.
Specifically, the guide covers three major aspects in a CISO’s daily work:
- The CISO contract or employment agreement, discussing topics such as the Directors and Officers policy (D&O)
- Security and governance processes that can be put in place to create a culture of shared responsibility and accountability, such as with an incident response playbook
(Spoiler: never be responsible for declaring a data breach; that’s the General Counsel’s job)
- What to look for early in the hiring process, when CISOs vet their employers, as well as their own fit for an organization’s culture.
The guide provides a reference for communication on the topic inside the company, including employing practices and processes that will minimise legal risks to you personally, and to your firm.
The guide was written by:
- Mark D. Rasch, a renowned Computer Security and Privacy Lawyer, who wrote the CFAA (Computer Fraud and Abuse Act).
- Gadi Evron, Team8’s CISO-in-Residence, with years of experience in incident response (wrote the post-mortem for “The First Internet War”, Estonia 2007), and with building security programs for organizations.
- Niv Liliev, our editor and an experienced tech writer.
We received reviews and comments from dozens of CISOs and others, from within the Team8 CISO Village, from the wider community, and from our own teams at Team8 and SINET. We’d like to thank those who could share their name publicly:
Adam Zoller, Amir Zilberstein, Ariel Litvin, Bob Blakley, Caleb Sima, Charles Blauner, Chenxi Wang, David B. Cross, David Fairman, Jason Witty, Jerry Perullo, Liran Grinberg, ADM Michael S. Rogers, USN (ret), Mike Johnson, Nadav Zafrir, Nicole Darden Ford, Robert Rodriguez, Sounil Yu, Tim Callahan.