Pay attention to the medium: CISOs also need to pay attention to what they say based on the medium in which they are communicating. Pay attention to “how we communicate, who we’re communicating with, what platforms we’re communicating on, and whether it’s oral or written,” Angela Mauceri, corporate director and assistant general counsel for cyber and privacy at Northrop Grumman, said at RSA. “There’s a lasting effect to written communications.”

She added, “To that point, you need to understand the data governance and, more importantly, the data retention policy of those electronic communication platforms, whether it exists for 60 days, 90 days, or six months.”

One way to sidestep communications land mines is to communicate as much as possible in person. “The other thing that I would recommend is establishing a culture of in-person or just face-to-face communications instead of in writing in chats, IM, or Teams,” Mauceri said. “That’s important because that can allow you to emphasize tone when communicating face-to-face with the team.”
Define your role and establish policies: CISOs should consider defining their roles and establishing policies to build guardrails that minimize the risk of potentially actionable communications. “It starts with a clearly defined job description,” Brown told CSO. “One that is discoverable, one that is known. It’s important to understand that people don’t know what a CISO does. And that includes legal folks.”

“That tone must be set right from the start: Here is what I do; here’s what I don’t do,” he said. “For example, legal disclosures. I may be a part of a team that discusses disclosures, but I’m not the one making a final decision.”

Brown reiterated, “It’s important to outline that you’re part of an approval team. You’re not the approver. You’re part of a team that is doing things. You’re part of a team that’s providing input to something. Ultimately, what gets posted on the website goes through marketing review, goes through legal review, comes through to the CISO potentially for some check, but we don’t decide what we’re going to publish or pop it on a site.”

Likewise, CISOs should consider writing policies, procedures, and processes for how their cyber teams should manage and communicate risks. “Establish in writing what is your expectation for teams to identify and do the internal reporting and escalating up the chain in terms of a risk escalation policy,” Northrop Grumman’s Mauceri said. “This is once you identify the risk, assess it, and identify it as a weakness or a vulnerability. The language that you use should be very, very specific.”

She added: “Always assume that this information is discoverable in litigation and audits. It is good to have something that you document when you identify risks and that you are resolving those critical system changes, critical decisions, and vulnerabilities very carefully. Be factual and neutral.”
Understand the law and seek counsel: Understanding some of the finer points of laws and regulations will also help keep CISO communications from veering into damaging directions. “Don’t be sloppy and call a cyber event an incident if it hasn’t been declared an actual incident,” Mauceri said. “‘Cyber incident’ is a legal term depending on what type of company you are. There is a legal definition of cyber incident in the SEC rules, as well as if you are a defense contractor or dealing with government contracts under the federal or defense acquisition regulations.”

To that end, CISOs should establish good working relationships with their in-house or external legal counsel. “Listen to your counsel,” Brown said. “If you’re dealing with an entity such as the SEC, you already have counsel, either the company counsel or your own counsel. Listen to them. They’re always, or usually, very experienced. They’ve often been in those positions before. They will help and craft messages to be able to communicate appropriately.”

CISOs who lack counsel should contact experienced counsel or volunteer organizations that might help. “My legal team has probably had a call with 10 or so CISOs since [my litigation] began. Many will do it essentially just pro bono as an initial conversation,” Brown said.

Brown stressed that any CISO should have somebody to call for advice if they start feeling uncomfortable. “They should have a few folks they could call either through some of the organizations they’re on or through personal relationships.”

Although CISOs might now feel confused about the risks of exposing themselves to legal liabilities, the rules might become clearer over time. “We’re young as an industry,” Brown said. “The first CISO was somewhere around 30 years ago. We’re going through a maturity curve. People need to realize that my case and other things around it are a maturity blip. We’ll get through it. We’ll become stronger because of it and continue forward. But have a little patience.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3988361/4-ways-to-safeguard-ciso-communications-from-legal-liabilities.html