Defense in Depth: Legal Protection for CISOs

What’s the legal responsibility of a CISO? New cases are placing the liability for certain aspects of security incidents squarely on the CISO. And attorney-client privilege has been overruled lately too. What does this mean for corporate and for CISO risk?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest is Evan Wolff, partner at Crowell & Moring.

Thank to our episode sponsor, TrustMAPP

TrustMAPP delivers continuous, automated Security Performance Management, a real-time view of your cybersecurity maturity. TrustMAPP tells you where you are, where you’re going, and what it will take to get there. TrustMAPP lets you manage security as a business, quantifying and prioritizing remediation actions and costs.

Got feedback? Join the conversation on LinkedIn.

On this episode of Defense in Depth, you’ll learn:

  • We repeatedly joke about Davi Ottenheimer’s comment that the CISO has held the moniker of “designated felon” in American risk mitigation.
  • Big piece of advice that was repeated throughout the episode is to have an employment contract.
  • In the employment contract you want an exit strategy that allows you to leave if you think a situation is not tenable or the company is asking you to do something that you believe to be unethical. It gives you an opportunity to leave without any blame assigned.
  • The cc field is your friend. If you don’t want to be seen as the only one “in the know” take advantage of making sure key people are also in the loop.
  • We heard one unbelievable story of an employment contract where it was clear that the CISO would be the “designated felon” should there be any breach. This was put in place to protect the executive team. The contract offered financial security for two years post breach. We all agreed this was insane and had never heard of anything like that before.
  • Be wary of being forced to take on personal ownership of security issues. A CISO is responsible, not accountable.

Defense in Depth