General counsel (GCs) are responsible for providing a critical lens into the consequence of poor cybersecurity. They provide a large part of the “so what?” when it comes to justifying cybersecurity investment. This includes mitigating the likelihood and impacts of regulatory sanction, as well as financial loss, reputational harm, personal liability for officers and directors, and other material impacts to an organization. To do this effectively, GCs should coordinate closely with chief information security officers (CISOs), boards, and business leaders to play a key role in challenging cybersecurity strategy, understanding cybersecurity capability, and supporting tactical uplifts to protect the strategic interests of the organization.

GCs also need to understand the risk management approach of their organization (sometimes considered the second line of defense) and the output from both compliance functions and audit (the third line of defense). This allows for critical challenge to the strategy laid out by the CISO and provides a 360-degree view of cybersecurity investment and maintenance within an organization.