How Fannie Mae, IBM Counsel Get Top Executives' Attention on Cybersecurity
“Be careful to not make cyber sexy and strange and interesting,” one in-house lawyer said at ALM's cyberSecure conference. “You want to do that to get into the room, but the minute you get in the room, this is just like any other risk that is facing our company.”
December 05, 2017 at 06:04 PM
Photo credit: Zenzen/Shutterstock.com
Last week's news that PayPal Holdings Inc.'s TIO Networks was compromised is just the latest reminder to companies that becoming a target for hackers is all but inevitable.
It's no surprise then that cybersecurity is a critical concern for most, if not all, companies, which is why it's increasingly important for in-house counsel to know how to effectively discuss the risks with the C-suite.
For starters, when communicating with the C-suite about cybersecurity issues, it's important to make the topic relatable, said Elise Houlik, associate general counsel at Fannie Mae, who spoke Tuesday in New York City on a panel at ALM's 2017 cyberSecure conference. “Be careful to not make cyber sexy and strange and interesting,” she said. “You want to do that to get into the room, but the minute you get in the room, this is just like any other risk that is facing our company.”
Houlik said that to “move the ball forward,” in-house counsel should approach cybersecurity like any number of other issues the C-suite is a bit more used to dealing with, such as an issue with a business partner or a weather event that gets in the way of work. “That is the language that your management team, your board, all the folks you're going to be talking to, who have oversight responsibility and management responsibility, that's what they're familiar with,” she said.
Though the C-suite should be involved in cybersecurity, not every incident has to be escalated to this level, and it can be hard to tell which incidents should be raised with top executives, said panelist Andrew Tannenbaum, who is chief cybersecurity counsel and associate general counsel at International Business Machines Corp. This is especially true in larger companies “because there are so many potential people involved at the business level, at the security level and then at the C-suite level,” he noted on Tuesday's panel.
The key, according to Tannenbaum, is to have a plan mapped out in advance to be able to quickly identify when an issue hits a particular threshold and should be escalated. “There are a million different iterations of the types of threats you can see, and you've got to have a system that can quickly triage and make those judgments, because you will get burned if there is something important and it doesn't get escalated quickly,” he said.
Getting the necessary resources to manage cybersecurity risks is another area of difficulty, Tannenbaum explained. “My guess is, budget is a challenge for everybody. In companies, that's the world we live in,” he said. “Security, even when you have a culture recognizing how important it is and you're focused on it from a governance perspective, risk management perspective, when it comes to spending dollars, that's not necessarily the top of your company's list.”
And so here, too, being able to judge the seriousness of the risk is extremely useful, Tannenbaum pointed out. There is a fine line between being an alarmist and “knowing when something is an alarming type of risk or is going unaddressed in a way that does need more money and more funding,” he said.
“And how to balance all that, how to have credibility in that and then how to advocate in an environment where it's probably tough to ask for a lot more money, that's a challenge and I think an important part of the [chief information security officer] role and the general counsel role,” he added.