Should Legal Departments Take Control of Cybersecurity Budgets? Exploring the Pros and Cons
With laws such as the GDPR and the CCPA in effect, the trend toward looking to the legal department for cybersecurity oversight is likely to increase. There are potential benefits to having the legal team control cybersecurity reserves, but some significant challenges as well.
May 18, 2020 at 07:00 AM
Most financial teams can agree that the size of a cybersecurity budget scales with the size of the organization. According to a study from Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC), financial services firms on average spend about 10 percent of their IT budgets on cybersecurity, roughly $1,300 to $3,000 per full-time employee. Microsoft, by contrast, invests more than $1 billion. Just as varied as the amount of money allocated to cybersecurity is who in the company takes responsibility for the funds.
BTI Consulting Group's Cybersecurity & Data Privacy 2020 report recently showed that 46 percent of companies put the legal department in charge of the cybersecurity budget. Nearly a quarter of respondents said the budget is held by IT departments, almost 20 percent in security, seven percent in compliance, and 6.9 percent said it was held by another department.
With laws such as the European Union's GDPR and California's CCPA in effect, the trend toward looking to the legal department for cybersecurity oversight is likely to increase. Acting as a liaison between compliance and technology, the legal team brings real potential benefits to controlling cybersecurity reserves. However, there are some significant challenges as well.
Below, we take a look at the pros and cons of legal handling the cybersecurity budget, how to mitigate some of the challenges and how to determine which department should ultimately take charge.
Benefits and Risks of Legal Taking Control of Cybersecurity Budgets
Lawyers can protect companies because they have the authority within the organization to do so. The legal department can act as a voice at the top of the organization, and in some cases the security team can do a great deal of its work under the direction of counsel, which also brings the protection of privilege. Legal can act as a temporary shield: it can advise security teams on the steps to take when informing customers of a potential breach, help mitigate the damages after a breach, and act as an impartial decision maker when cooperation between the security and IT teams breaks down.

On the other side of the coin, legal teams generally do not have a working understanding of cybersecurity capabilities, nor do they have a native definition of "good" security. This lack of hands-on experience can prevent them from appreciating the pain and challenges of defending an enterprise network.

Liability is also a major concern, because it can drive the behaviors and capabilities of the security team. Visibility in the form of alerting and logging is the obvious example. If an alert isn't enabled or a log isn't collected, is culpability lessened? It's not uncommon for security teams to fight over this topic, because the answer can constrain them greatly. The poor argument runs like this: if the organization does not generate an "unnecessary" alert, it is less at risk (read: legal risk), because awareness followed by inaction looks worse than ignorance followed by inaction. A legal department may view this favorably, reasoning that the company cannot be held responsible for a problem it did not know about. Conversely, if you deploy a security tool that alerts constantly, you now have to review those alerts and respond to them, and with that comes culpability. The practitioner's caveat is that this reasoning is weaker than it looks: regulators and courts increasingly treat the absence of reasonable monitoring and detection as a security failure in its own right, and breach-notification clocks under laws such as GDPR start when the organization becomes aware, which rewards finding problems quickly rather than not looking. The combination of an emphasis on liability and a lack of technical knowledge is reason enough for many organizations to decide against legal handling the cybersecurity budget; even so, this union will most likely come about during major incidents, and especially breaches.
The Importance of Legal and Security Being Aligned
If a company reviews the pros and cons and decides to have legal take over the cybersecurity budget, certain conversations need to happen first. CISOs, CIOs and lawyers tend to speak their own languages. Just as a CISO or CIO would not necessarily understand what goes into an appeal or an arraignment, or what an exempt asset is, a lawyer does not understand much of the terminology of the cybersecurity space. Even CISOs and CIOs struggle at times with the jargon of each other's territories.

The lawyers, CIOs and CISOs need to make a deliberate effort to understand and trust each other. They must state their needs in plain language. If legal holds the budget, the cybersecurity and IT teams must be aligned with one another and articulate their needs accurately to the legal department, ideally in terms legal already uses: what risk a capability reduces, what obligation it helps satisfy, and what happens if it is not funded. Only then can an organization address and prevent risks.

When the legal department, which can include chief compliance officers, chief privacy officers and chief privacy counsel, aligns with the security and IT teams, the organization can ensure that data is secure and handled in compliance with privacy laws. This can save thousands, or even millions, of dollars in fines for violating laws such as the CCPA and GDPR. Just as the security teams can keep legal up to date on the latest threats targeting the organization, legal teams can return the favor by sharing knowledge of new privacy regulations.
The Bottom Line on Cybersecurity Budgets
What many companies still get wrong is treating cybersecurity as something new, when it is new to no one today. Breaches have dominated the headlines for years. Security has to be controlled and overseen at the highest level rather than being an afterthought for the executive leadership team (ELT). The legal department and the security teams should both want to see security as a measure of quality. No one wants to work with a company that isn't secure or, said plainly, a company they don't trust.

Security as a whole needs to be a corporate mission. Rather than focusing on who holds the actual reserves, look at it as a reporting structure. The budgeting process opens the discussion about which new capabilities the organization is willing to fund, and that is a product of strategy. The legal department, or outside counsel, can serve as an unbiased party to weigh in on strategy if it is the gatekeeper to resources.

Organizations are still finding their way. Companies are spending more money on cybersecurity yet remain unable to detect and respond to problems in their environments; in that sense, they are failing. Until we understand the adversary and the threats to the organization, and make security a priority in the organization's culture, we will continue to joust over control of the cybersecurity budget.

For organizations currently deciding who should allocate the cybersecurity budget, the legal department is a viable option. Even allowing for some reluctance on the part of legal teams in certain areas, the benefit is that they are no strangers to obtaining executive support. Their decisions carry authority, and with that authority comes the cooperation required to complete projects across the business. The legal department can serve as a standing reminder of the law, helping the organization make the best decisions. As long as the security and IT teams can align and communicate with the legal department, the organization can succeed in protecting itself and its customers.
Stephen Moore has been vice president and chief security strategist of Exabeam, Inc. since August 2017. Moore has more than 15 years of experience in information security, intrusion analysis, threat intelligence, security architecture and web infrastructure design. Prior to joining Exabeam, Moore spent more than seven years at Anthem, Inc. in a variety of cybersecurity practitioner and leadership roles. He served as staff vice president of Cyber Security Analytics at Anthem and played a leading role in the response to and remediation of the data breach announced in 2015. He has deep experience working with legal, privacy and audit staff to improve cybersecurity and demonstrate greater organizational relevance.
© 2024 ALM Global, LLC, All Rights Reserved.