The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Chief Information Security Officer

  • From Vol. 3 No.1 (Jan. 11, 2017)

    How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part Two of Two)

    Cybersecurity risk management requires having the right leadership and governance in place, and within that structure lies the shifting role of the chief information security officer and its reporting lines. With input from CISOs, executive search experts and attorneys, this article series provides insight into the most effective approaches to recruiting, compensating and structuring cybersecurity leadership roles. This second article in the series explains the problems with the current dominant CISO reporting structure and offers experts’ advice on effective governance, as well as alternatives for companies that are not finding, or cannot compensate, a technical expert with executive-level experience. Part one covered how to find and compensate individuals for the multi-faceted cyber leadership role. “There’s a lot changing in the way people think about the CISO. There is a pretty fast-evolving set of responsibilities and reporting structure, especially given the increasing [attention to] security by the board of directors and others charged with the fiduciary responsibility of protecting a company,” Hertz CISO Peter Nicoletti told The Cybersecurity Law Report. See also our two-part series about the roles of the CISO and CPO, “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    Tech Meets Legal Spotlight: Advice on Working With Information Security

    Although most companies recognize that legal and technology teams need to collaborate closely to address cybersecurity challenges, they often fail to overcome barriers to effective coordination. In this interview, Holland & Knight partner Scott Lashway offers advice on how to bring legal and security teams together, such as by establishing a risk committee. See also “What CISOs Want Lawyers to Understand About Cybersecurity” (Jun. 8, 2016).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)

    Managing the challenge of securing a company’s digital information while collaborating with other executive leadership is something that only a select group of individuals can do well. In this article series, The Cybersecurity Law Report spoke to CISOs, executive search experts and attorneys to examine what it takes to fulfill both of these crucial roles. This first article discusses the challenges of merging technology expertise with executive function, compensation expectations for cyber leaders, what companies should be (and are) looking for in candidates, and the value of certifications. The second article will discuss the changing role of the CISO, including why many current reporting structures are not working and what companies can do if they do not have the resources for, or cannot find, the right CISO. “Many organizations regard CISO and technology-risk executive recruitment as an increasingly daunting and complex process, and recognize that one size does not fit all,” said Tracy Lenzner, founder and CEO of The Lenzner Group, a global executive search company. See “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.22 (Nov. 2, 2016)

    Advice From Blackstone and Tiffany CISOs on Fighting Cybercrime

    Information security is “the hottest industry of all time,” according to Lisa J. Sotto, managing partner of Hunton & Williams’ New York office and chair of the firm’s global privacy and cybersecurity practice. At a recent PLI panel, Sotto and fellow panelists Jay Leek, managing director and CISO for The Blackstone Group L.P.; Anthony Longo, CISO for Tiffany & Co.; and Matthew F. Fitzsimmons, an Assistant Attorney General in Connecticut and head of the office’s Privacy and Data Security Department, discussed the ballooning issue of cybercrime and how to both prevent and respond to attacks. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer”: Part One (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.19 (Sep. 21, 2016)

    What Private Companies Can Learn From the OPM Data Breaches

    The recent breaches of the U.S. Office of Personnel Management illustrate the importance of an effective information security program for businesses in both the public and private sector. A recently released exhaustive investigative report by the House Oversight and Government Reform Committee outlines findings and recommendations to help the federal government better acquire, deploy, maintain and monitor its information technology. “The [Report] is replete with recommendations that private sector entities should be considering seriously,” DLA Piper partner Jim Halpert told The Cybersecurity Law Report. This article summarizes the committee’s findings and examines valuable lessons applicable to both the public and private sectors. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    What CISOs Want Lawyers to Understand About Cybersecurity

    As security and privacy threats and regulations proliferate, it is more important than ever for in-house counsel to collaborate with a company’s information security team to mitigate risks and protect their organization’s confidential information. At a recent panel at Georgetown Law’s Cybersecurity Law Institute, CISOs from Deloitte, BDP and Northrop Grumman shared advice about how lawyers and information security professionals can achieve that goal. The panelists addressed fostering a collaborative relationship, areas of tension between legal and IT, and how counsel can more effectively act as advocates for mitigating data security and privacy risk. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape”: Part One (Jul. 1, 2015); Part Two (Jul. 15, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part Two of Two)

    With the dynamic nature of privacy concerns – caused by changing legal requirements, growing data collections and evolving technology – top privacy officers must manage a shifting realm with proactive communication, effective reporting lines and operational structures to ensure accurate implementation of privacy policies and protocols. Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO). Some confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner, told The Cybersecurity Law Report. In this two-part article series, we define and distinguish the roles of CPO and CISO. This article, the second of the series, focuses on the CPO, including core responsibilities, considerations for structuring reporting lines and hiring for the position. The first article focused on the CISO.

  • From Vol. 1 No.3 (May 6, 2015)

    Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)

    Growing cybersecurity demands on companies require effective reporting lines and operational structures to manage cybersecurity-related job functions. Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO). Some companies confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security, and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner, told The Cybersecurity Law Report. In this two-part article series, we define and distinguish the roles of the CPO and CISO. Part One focuses on the CISO – including core responsibilities, best practices for structuring reporting lines, and considerations when hiring for the position – and Part Two will focus on the CPO.
