Marketing wants the freedom to make promises and compliance holds them back. Production needs a hiring spree and finance says “no.” IT finds the new systems demanded by HR to be unworkable in the current network structure.
I once worked for a huge company that was selling three different versions of PCs through three different production and sales channels, where each sales group promoted its own product and bad-mouthed the other company offerings to customers. “Buy my desktop because the other desktop versions my company makes stink.” It can be a mess.
Natural conflicts develop within and between departments. Some lawyers feel they are representing the teams they are assigned to support. Some lawyers feel they are representing the “institution” against the damage those teams could do. These frictions can be damaging, but they can also assure management that important priorities will have advocates in the company.
I have seen situations where the CISO’s team felt they were at cross-purposes with the company’s lawyers, and resented legal intrusion into their realm. But despite having different assignments and portfolios within the company, there is no reason that the information security team and the legal department shouldn’t be allies. In fact, these two internal teams can provide support for each other’s priorities.
The CISO’s people protecting the company’s networks are performing a crucial and complex function. Attacked from all sides and from all over the world, these defenders not only prepare for known threats but also build systems that can withstand incidents no one has even considered yet. They build, maintain, and support resilient systems – technology, policy and procedure – so that all of the other company functions can operate seamlessly. They need to plan ahead for resistance to, and recovery from, every threat from government-sponsored attacks to asteroid strikes.
The legal department serves a similar role. Starting with the laws, rules, regulations, and contracts that dictate compliant company operations, the legal department measures risks and threats – both internal and external – and guides the company through the most dangerous waters. Legal develops a protective and resilient infrastructure of risk-resistant policies, procedures, agreements and documentation so that all functions in the company can operate seamlessly. It plans ahead for resisting litigation and regulatory investigation and improves the company’s options for recovering from disaster.
Both security professionals and lawyers need to train the rest of the company to function in the safest possible fashion while allowing the other company units the greatest freedom to operate. Both data security and legal need to educate the rest of the company about the rules associated with their business function, and both must develop policies and procedures for minimizing risk. Both functions work with the company’s vendors and customers to assure that those primary relationships are not significantly increasing risk. Both are instrumental in contingency planning and disaster recovery. Both are crucial for proper governance of company operations.