Photo credit: Zenzen/Shutterstock.com

Last week's news that PayPal Holdings Inc.'s TIO Networks was compromised is just the latest reminder to companies that becoming a target for hackers is all but inevitable.

It's no surprise then that cybersecurity is a critical concern for most, if not all, companies, which is why it's increasingly important for in-house counsel to know how to effectively discuss the risks with the C-suite.

For starters, when communicating with the C-suite about cybersecurity issues, it's important to make the topic relatable, said Elise Houlik, associate general counsel at Fannie Mae, who spoke Tuesday in New York City on a panel at ALM's 2017 cyberSecure conference. “Be careful to not make cyber sexy and strange and interesting,” she said. “You want to do that to get into the room, but the minute you get in the room, this is just like any other risk that is facing our company.”

---

➤➤ Sign up here for Law.com's new email briefing on in-house lawyering: Inside Track by Jennifer Williams-Alvarez. 

---

Houlik said to “move the ball forward,” approach cybersecurity like any number of other issues the C-suite is a bit more used to dealing with, such as an issue with a business partner or a weather event that gets in the way of work. “That is the language that your management team, your board, all the folks you're going to be talking to, who have oversight responsibility and management responsibility, that's what they're familiar with,” she said.

Though the C-suite should be involved in cybersecurity, not every incident has to be escalated to this level, and it can be hard to tell which incidents should be raised with top executives, said panelist Andrew Tannenbaum, who is chief cybersecurity counsel and associate general counsel at International Business Machines Corp. This is especially true in larger companies “because there are so many potential people involved at the business level, at the security level and then at the C-suite level,” he noted on Tuesday's panel.

The key, according to Tannenbaum, is to have a plan mapped out in advance to be able to quickly identify when an issue hits a particular threshold and should be escalated. “There are a million different iterations of the types of threats you can see, and you've got to have a system that can quickly triage and make those judgments, because you will get burned if there is something important and it doesn't get escalated quickly,” he said.

Getting the necessary resources to manage cybersecurity risks is another area of difficulty, Tannenbaum explained. “My guess is, budget is a challenge for everybody. In companies, that's the world we live in,” he said. “Security, even when you have a culture recognizing how important it is and you're focused on it from a governance perspective, risk management perspective, when it comes to spending dollars, that's not necessarily the top of your company's list.”

And so here, too, being able to judge the seriousness of the risk is extremely useful, Tannenbaum pointed out. It's a fine line between being an alarmist versus “knowing when something is an alarming type of risk or is going unaddressed in a way that does need more money and more funding,” he said.

“And how to balance all that, how to have credibility in that and then how to advocate in an environment where it's probably tough to ask for a lot more money, that's a challenge and I think an important part of the [chief information security officer] role and the general counsel role,” he added.

Photo credit: Zenzen/Shutterstock.com

Last week's news that PayPal Holdings Inc.'s TIO Networks was compromised is just the latest reminder to companies that becoming a target for hackers is all but inevitable.

It's no surprise then that cybersecurity is a critical concern for most, if not all, companies, which is why it's increasingly important for in-house counsel to know how to effectively discuss the risks with the C-suite.

For starters, when communicating with the C-suite about cybersecurity issues, it's important to make the topic relatable, said Elise Houlik, associate general counsel at Fannie Mae, who spoke Tuesday in New York City on a panel at ALM's 2017 cyberSecure conference. “Be careful to not make cyber sexy and strange and interesting,” she said. “You want to do that to get into the room, but the minute you get in the room, this is just like any other risk that is facing our company.”

---

➤➤ Sign up here for Law.com's new email briefing on in-house lawyering: Inside Track by Jennifer Williams-Alvarez. 

---

Houlik said to “move the ball forward,” approach cybersecurity like any number of other issues the C-suite is a bit more used to dealing with, such as an issue with a business partner or a weather event that gets in the way of work. “That is the language that your management team, your board, all the folks you're going to be talking to, who have oversight responsibility and management responsibility, that's what they're familiar with,” she said.

Though the C-suite should be involved in cybersecurity, not every incident has to be escalated to this level, and it can be hard to tell which incidents should be raised with top executives, said panelist Andrew Tannenbaum, who is chief cybersecurity counsel and associate general counsel at International Business Machines Corp. This is especially true in larger companies “because there are so many potential people involved at the business level, at the security level and then at the C-suite level,” he noted on Tuesday's panel.

The key, according to Tannenbaum, is to have a plan mapped out in advance to be able to quickly identify when an issue hits a particular threshold and should be escalated. “There are a million different iterations of the types of threats you can see, and you've got to have a system that can quickly triage and make those judgments, because you will get burned if there is something important and it doesn't get escalated quickly,” he said.

Getting the necessary resources to manage cybersecurity risks is another area of difficulty, Tannenbaum explained. “My guess is, budget is a challenge for everybody. In companies, that's the world we live in,” he said. “Security, even when you have a culture recognizing how important it is and you're focused on it from a governance perspective, risk management perspective, when it comes to spending dollars, that's not necessarily the top of your company's list.”

And so here, too, being able to judge the seriousness of the risk is extremely useful, Tannenbaum pointed out. It's a fine line between being an alarmist versus “knowing when something is an alarming type of risk or is going unaddressed in a way that does need more money and more funding,” he said.

“And how to balance all that, how to have credibility in that and then how to advocate in an environment where it's probably tough to ask for a lot more money, that's a challenge and I think an important part of the [chief information security officer] role and the general counsel role,” he added.