In a digital, highly interconnected and increasingly virtual world, the data created, managed and shared by a business is simultaneously one of its greatest assets and biggest risks. As individuals and organisations have grown increasingly reliant on data, it has risen exponentially in value. As a result, it is a prime target for cybercriminals who are attacking corporate networks with escalating intensity.
At the same time, privacy regulations designed to protect citizens from the serious impacts of data breaches have grown stricter and penalties for infringements more severe. Failure to comply has considerable legal, financial and reputational impacts.
The result of this intensifying data dependency is that responsibility for data protection touches multiple corporate departments: from the IT and cybersecurity teams defending against malicious attacks and accidental data loss, to the legal and compliance teams ensuring that rules are followed, to the PR teams on the media front line in the event of a breach.
This joint responsibility is continuous, but often the stakeholders only meet when something has gone wrong. They report to different authorities in the corporate management structure and exist in operational silos. This means that not only do organisations miss enormous opportunities to create a more strategic, integrated approach to managing data security and cyber risk, they also put themselves in a vulnerable position when responding to a data breach emergency. To successfully deliver a co-ordinated response to a breach incident, all the stakeholders need to be aligned and working effectively together.
Defining Roles and Responsibilities
At our recent Modern Governance Summit, Diligent’s CISO Henry Jiang and General Counsel Jack Van Arsdale, who is also Diligent’s Data Protection Officer (DPO), discussed how organisations can foster collaboration between IT security and legal teams to better meet the demands of the modern data protection environment.
Jiang and Van Arsdale highlighted that each department’s areas of expertise must be acknowledged and respected.
The legal team is responsible for knowing what laws and regulations apply to the business and monitoring any changes coming into force that will impact operational activities. These must be clearly communicated to IT security teams. The legal team should also be aware of any contractual obligations agreed with customers about data breach disclosures.
The IT security team is responsible for developing and maintaining security standards and policies, and is then accountable for implementing tools and controls based on those policies. The IT security department validates compliance with standards such as ISO 27001 and SOC 2 and conducts day-to-day security operations. When a security incident is detected, this department must escalate to other specialist areas where necessary, including the legal department.
However, there are critical crossover areas and dependencies where strong relationships between departments are vital.
“The GDPR has really tight deadlines for notifying the regulator of a breach; we need to make sure security teams are aware of what those deadlines are so when something happens you are notified right away. This buys you valuable time to craft a thoughtful, measured response and go to the regulator with clear, considered communication.”
– Jack Van Arsdale, Data Protection Officer (DPO) and General Counsel, Diligent
Similarly, the legal team needs to be aware of the capabilities and limitations of breach detection. The legal team must also stay informed about any forensic analysis technology that could affect the organisation’s ability to establish whether a breach has taken place and its extent.
Reflecting on this, Jiang added: “It is important that we develop standardised written security procedures for incident responses, because in high pressure scenarios people forget things such as whom they are supposed to notify. For example, at Diligent, it is a management requirement when dealing with a data incident of any magnitude – whether contractual or regulatory – that the incident handler consults with the legal team. We recognise that they have vital expertise that needs to be brought into the situation.”
Developing Team Muscle Memory in Advance of Breach Incidents
This points to one of the most important activities cross-departmental teams should undertake to foster better alignment: table-top exercises.
Mock data breach exercises provide invaluable insight into issues that wouldn’t otherwise become apparent until a live incident occurs. They allow different stakeholders to identify factors other departments might not have considered when developing a response plan.
“There are a lot of things you don’t realise right off the bat. For example, I might know exactly whom I need to notify of a breach from a legal standpoint. But say, for example, that totals 100,000 customers: do we have the technical ability to send out all those emails? Or from the marketing perspective, will our business be blacklisted for spamming if we send out that number of emails at once? And where is the data for those email addresses coming from – is it reliable and up to date?”
– Jack Van Arsdale, Data Protection Officer (DPO) and General Counsel, Diligent
Another essential outcome of mock data breach exercises is an incident response timeline because the clock starts ticking as soon as a breach is detected: “All departments are under obligation to send out notifications – whether that is on the security and technical side or the customer and regulatory side,” says Van Arsdale. “72 hours is a standard period, but some customers may have contracts that stipulate faster notification. We need to know in advance which those customers are and be prepared to communicate in phases based on urgency and contractual terms.”
Ultimately, the goal of table-top exercises and continued cross-departmental collaboration is to establish a trusted advisor relationship that recognises the roles and responsibilities of each. These should be recorded in incident response plans to prevent wasteful duplication of effort, and equally, so that nothing falls through the gaps.
This degree of preparation and relationship-building pays dividends when a breach occurs and everyone is under pressure. You can’t expect mission-critical communications and notifications to simply fall into place if you haven’t invested time and energy into creating those connections in advance. When they have been tested and refined with practice scenarios, the teams begin to build muscle memory that automatically flexes when the pressure of a real incident is brought to bear.
Board Oversight and Crisis Communications
Board oversight of the cross-departmental approach to managing data protection incidents is crucial. Positioned at a remove from daily activities, the board has a duty to challenge the executive team on its response plan. Boards should also conduct mock data breach activities to clarify their role and responsibilities ahead of an incident.
Secure communications are critical in crisis scenarios for both boards and executive teams. Response teams need assurance that, as they manage the situation, they don’t introduce additional breaches and reputational risk by using insecure channels. A dedicated secure messaging system such as Diligent Messenger can be deployed to keep crisis management communications between stakeholders safe during an incident.
Align and Build Alliances
Ultimately, security incident response is a collective effort across multiple organisational departments, including legal, technical, marketing and finance. Every department brings unique expertise to the table. A successful outcome relies on the alliances and alignment that exist between those stakeholders. That is not something that can be forged in the fires of an emergency; it must be built and reinforced in advance through regular collaboration so that, when the heat is on, the structures withstand it.
“Preparation is the most important thing. When you have an incident, you don’t want to be running through the basics, you want to dedicate that time to getting the response exactly right.”
– Henry Jiang, Chief Information Security Officer (CISO), Diligent
By building those working partnerships into the fabric of operations, organisations can position themselves to minimise the impact of data breaches that, in today’s cyberthreat environment, are inevitable.
November 17, 2020
How Can IT, Legal and Security Best Work Together on Data Security in a Post-COVID World?