CISOs and GCs Unite: Collaborating for stronger cyber risk management and compliance
The past two decades have seen a fundamental change in the relationship between technology and business. There has been a seismic shift away from technology on the periphery—as an aid to business performance and productivity—toward today’s highly interdependent cyber-physical corporate ecosystems where technology is the business. Regulation designed to mitigate the risks of corporate and societal dependence on digital systems has followed.
These changes have profoundly affected Chief Information Security Officers (CISOs) and General Counsels (GCs), as their spheres of influence have rapidly begun to overlap in the realms of cyber risk management, operational resilience, and regulatory compliance.
Diligent’s Cyber Risk Summit brought together a seasoned CISO, a GC, and a senior outside legal counsel from a global law firm with extensive experience working at the crossroads of law and cybersecurity. The discussion centred on the evolving roles of the GC and the CISO and the changes all three have observed. It also explored how better partnership and collaboration can help both parties manage cyber risks and regulatory pressures more effectively, while also supporting the ongoing development of their respective careers.
The evolving roles of CISOs and GCs
CISOs: From technical expert to strategic advisor
Hussein Bahgat is Group CISO for a leading UAE bank and is clear that priorities and perspectives for the CISO have changed considerably in recent years: “The CISO of 2025 is not exactly the same CISO as in 2010[…] The 2010 CISO was more plugged into protecting the organisation, making sure that there is the latest software or following the latest crime news.”
Bahgat advises that CISOs adapt their traditional tone and content when communicating with the board and broader business. Rather than reporting on technical aspects, such as how fast an incident was mitigated, CISOs should focus on communicating the revenue effects, opportunities, and the ROI of effective security. This is the language of the business and the board, and it is what will get CISOs heard.
CISOs must also contribute proactively to the conversation around risk at a general level, working with peers in legal, risk, and compliance to build a reputation for strategic understanding of how cybersecurity performance impacts the business.
GCs: Understanding technology and supporting cybersecurity investment
Natalie Salunke, General Counsel and Board Director, underlines the importance of GCs understanding technology as an intrinsic element of their role in supporting today’s data and digital-intensive businesses, saying: “I think every company is now a tech company…” and later adding, “If they don’t understand these things, I don’t think they’re very effective in-house lawyers!”
Salunke also emphasised the value a lawyer’s traditional skillset adds to their CISO counterparts, saying: “What do lawyers do? We help understand regulations — we love words — I don’t think that’s always a CISO’s particular area of interest. I think that partnership is a really important one.”
GCs have a unique bird’s-eye perspective of risk throughout the business and can help contextualise it through a cybersecurity lens. Where CISOs are not getting the investment they need, Salunke believes that GCs are a powerful ally in illustrating the wider risk context and importance—and the regulatory risks that might result from a lack of appropriate investment. She says, “GCs’ support for cybersecurity helps it get the attention it deserves, but in proportionality to risk across the wider organisation.”
Regulatory pressures and board accountability
As pressures on cybersecurity and operational resilience mount, with EU regulations such as NIS2 and DORA now requiring implementation to ensure compliance, the board’s attention is turning to cyber risk and compliance, bringing new responsibilities and added levels of accountability.
Craig Rogers, Partner at Eversheds Sutherland, believes that serious cyberattacks such as NotPetya and WannaCry in 2017 were a watershed moment for board awareness of cyber risk. Now, as regulation has increased boardroom accountability for cyber and operational resilience, directors are more demanding of CISOs and GCs. They want much more detailed information and guidance to support well-informed and risk-based board decision-making.
He also acknowledges the tension between the drive for competitive technology innovation and the importance of ensuring this is achieved in a secure and compliant way that doesn’t extend the threat landscape. Boards and Executive teams need to navigate this amid “a tsunami of regulation” that is especially overwhelming for organisations operating in multiple geographies and in highly regulated sectors.
Agreeing with Salunke and Bahgat, Rogers emphasises the importance of CISO collaboration with the board and senior management – especially because cybersecurity responsibility extends through the supply chain and into employee management, advising: “Tying in with procurement, tying in with compliance, tying in with your HR and people teams to ensure you’ve got that end-to-end cycle.”
Strategies for fostering collaboration between CISOs and GCs
Although the CISO role has evolved towards greater strategic and regulatory awareness, and the GC role has shifted towards a deeper understanding of the technology and operational complexities of cybersecurity, there is often still little meaningful interaction between the two. How can CISOs and GCs get in each other’s corners?
Build transparent, trust-based relationships
There's no substitute for building personal relationships, ensuring GCs and CISOs have open lines of communication and trust. One of Rogers’s clients has gone further to develop rapport: “They embedded their cyber legal team with the CISO team, so they live and breathe it every day. They’re sitting in with them, and they learn the vernacular […] and they’re learning about incidents and breaches […] and it develops trust.” This pays dividends in the event of a major incident when legal and CISO teams listen to each other with respect and shared history. He also advises both sides:
Conduct regular briefings and shared risk assessments
Bahgat agrees and adds that GCs must support CISOs as they enter this new environment of risk accountability. He advises regular one-to-one meetings as part of their rhythm of the business, where the CISO brings the cybersecurity risks they have identified to the table and asks the GC for their view on that risk in the wider context of the business. “This could keep the CISO’s feet on the ground but also keeps the GC informed.”
Partner on compliance and due diligence
Rogers believes that the new and evolving regulations offer an opportunity for CISOs and GCs to collaborate, and that they should be viewed as a tool for checking capability and resilience rather than as an administrative burden. He also believes CISOs should be more closely involved in strategic initiatives such as acquisitions, bringing their skillset to the table as another layer of due diligence to help ensure the organisation is not buying a toxic asset.
A successful, high-trust GC-CISO relationship also pays dividends when the organisation itself is undergoing due diligence, believes Salunke, because it gives third parties confidence that the business is aligned and operating in a reasonable manner. She says: “All that trust and confidence is inspired by that joint knowledge and validation that is then stress tested when you’re actually trying to present and close a deal with a third party where this is very important to them. I think it’s a really important relationship.”
Summing up the importance and urgency that CISOs and GCs should place on collaborating, Salunke says: “The sooner you bite the bullet and get on with it, the more we’ll have conversations in the next 10-15 years’ time that go ‘Actually, there’s been great progress, and this is a really good relationship because of the landscape of the world in which we’re operating where every company is a tech company and data integrity and security is one of the most important elements of risk mitigation and our functions.”
Strengthening cyber resilience: The power of CISO-GC collaboration
By building transparent, trust-based relationships, conducting regular briefings, and partnering on compliance and due diligence, both the CISO and GC can better support their organisations and advance their careers.