Cybersecurity is too important and significant to organizations not to have its own budget.

With the recent hack of an intellectual property law firm for M&A activities, it's clear that security operations for IP departments are a necessary measure. As they currently stand, budgets simply don't exist internally for IP IT teams to keep up with all the security monitoring and trends for these systems.

Hanley Chew, of Counsel, Litigation Group at Fenwick & West, sat down with Inside Counsel to discuss whether IP departments will get security budgets. Chew focuses his practice on privacy and data security litigation, counseling and investigations, as well as IP and commercial disputes affecting high technology and data driven companies. He regularly advises companies large and small on data breaches and cybercrimes, network and data security, and internal investigations.

“I believe that IP departments will begin getting their own security budgets,” he told us. “Many organizations still do not have a separate security budget. Cybersecurity is still a subset of the IT budget. The dynamic, however, is changing. Given the increase in the number, severity and notoriety of cyberattacks, there is a growing recognition by organizations that more specialized resources need to be devoted to cybersecurity preparedness and response.”

The recent epidemic of global ransomware attacks and large scale data breaches have raised awareness that protecting your organization's networks is a priority. So, according to Chew, the best way to do so is to designate specific individual(s) who have the knowledge and experience to deal with data security incidents with the responsibility for cybersecurity and provide them with resources to carry out their duties.

However, there is no one-size-fits-all remedy as different organizations have different resources and needs and face different challenges, he said. The structure of a security operation should be tailored to the individual circumstances of each organization. In general, an organization should place responsibility for cybersecurity in individual(s) with the right knowledge and skills. Organizations may want to establish a CISO and place all cybersecurity functions under his or her control, or have someone with cybersecurity expertise join the Board, or establish a committee of the Board responsible for cybersecurity.

So, why don't budgets exist internally for IP IT teams?

Currently, separate budgets do not exist internally for IP IT teams in many cases because of bureaucratic inertia, per Chew. In the past, IP IT teams reported to and fell under the control of the Finance Department or another departments. Thus, budgets for the IP IT teams was subsumed by the budgets of these departments.

“In the past 10 years, IP IT departments have become their own administrative departments in several organizations,” he explained. “As the awareness of the importance of cybersecurity has grown, more organizations have begun devoting additional resources to IP IT teams, establishing independent infrastructure for those teams, and hiring specialized personnel.”

Overall, Chew believes that IP departments do need separate security budgets. Given the growing number and complexity of cyberattacks from individuals, organizations and even nation states, the best way to guard against these attacks is to dedicate resources to the cybersecurity function.

He said, “Subsuming the security budget into a larger budget often makes it more difficult to devote the appropriate funds to cybersecurity as different functions compete for the same resources. Cybersecurity is too important and significant to organizations not to have its own budget.”

Further reading:

• As Priorities Shift at DOJ, Health Care Corporate Fraud Strike Force Gutted
• 3 Key Lessons for Legal Departments From Hobby Lobby's $3 Million Antiquities Settlement
• Lyft GC Kristin Sverchek Weighs Gig Economy's Future
• Video Games Trigger New Legal Issues