The Crucial Cyber Strategy Pivot: Toward Defensibility

You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.

           Buckminster Fuller

Whenever I speak at conferences and events, I like to say that “the perfect cybersecurity business is a cyberlaw practice.”  To audiences used to hearing about the latest security technology, the statement initially sounds like a non sequitur.  But after listening to the logic behind it, their heads start to nod.  My reasoning, shared below, has several parts.

1. It’s About the Strategic Approach to Cyber Risk

Lawyers and risk go hand in hand.  This much of the logic is no surprise.  But my message runs deeper.  As this article’s title suggests, what stands to be corrected at the cyber strategy level is the institutional role that law plays in the cyber risk landscape.

Just follow this logic to understand the importance of cyberlaw:  cyber experts and pundits have, for years, proclaimed a paradigm shift in the strategic approach to addressing cyber risk.  The phrases describing this shift sound like:

“Assume you will be compromised.”

“90 percent of companies say they’ve been hacked.”

“There are only two types of companies: those that have been hacked, and those that will be.”

Behind these comments about the cyber threat is near-universal support for a strategy of detection.  Prevention alone is deemed insufficient.  In other words, absolute security in cyberspace is an impossibility, and therefore detection and response are imperatives to business survival.

Yet this thinking is only partly accurate.  Though it is necessary and appropriate to shift the strategic narrative about cyber risk, detection and response represent an incomplete characterization of the true cyber risk.  What’s missing is the answer to the proverbial “so what?” question.  To wit:  LEGAL EXPOSURE!  Proclaiming that absolute security is no longer possible is only half the message unless the ramifications of that revelation are added.

Hence, the first part of how the cyber risk landscape has been mischaracterized is the failure to account for the full array of risks that follow from there being no true security in cyberspace.  In general, cyber risk is viewed too narrowly, in terms of networks and risks to data alone.  What’s missing is a 360-degree view that accounts for all the risks to the business.  A cyberlaw attorney is an interdisciplinary expert, able to interpret cyber risks and correlate them with compliance and other legal exposures.

2. It’s Also About Who Needs to Know

When cyber experts advise network defenders about bolstering security in new areas (e.g., detection technologies), how regularly does that get translated to the boss in terms of catastrophic risk?  That’s the job of cyberlaw counsel.  In general, this “detection narrative” targets network defenders.  To round out that narrative and tell the whole story, the “so what” explanation must be conveyed to management.

As a former military operational law judge advocate, I know that my calculus and advice to the commander would have materially changed if word came that the bad guys were inside the wire; that is the analog to this detection-centric half-strategy for cyber risk.

Put simply, having the bad guys inside the wire is a Big Deal!  To remedy this risk awareness gap, more legal exposure analysis must be given to the C-Suite.

Getting back to the narrative about the shift in cyber strategy, a more complete mantra about addressing cyber risk would look like this: 

Focus on detection and response, and also assess your overall legal risk exposure

3. It’s About Due Diligence

Cyber professionals are schooled in the Infosec (CIA) Triad, whereas “due diligence” speaks to the duties of management.  Due diligence is a risk management function; and since leadership needs to understand that ‘bad guys inside the wire’ correlates with catastrophic risk, they need greater assurance that they are doing enough to protect the business.

“Defensibility” was chosen for the title of this piece because “doing enough” (i.e., due diligence) must be provable.  Proving due diligence falls under the fiduciary “Duty of Care” that officers and directors must uphold and demonstrate through their actions.

A cyberlaw advisor, working in partnership with an interdisciplinary team, ensures both that the principles of the CIA Triad are addressed at the technical level and that leaders execute their due diligence mandate related to cyber risk.

Having a comprehensive team is how eosedge Legal, and its eosCyber Alliance provider network, offer cyberlaw services to clients.  More specifically, with our CyberGaps™ tool and methodology, eosedge Legal offers defensible decision support to corporate leadership.  Cyber risk decisions are defensible because CyberGaps™ is built upon an efficacy-based, risk-reducing algorithm that prioritizes risk controls with a mathematical scoring output.  With math behind their risk management decisions, leaders can be assured that their decisions are defensible.  And because those defensible decisions can be proven, directors and officers can meet their Duty of Care.

4. And It’s About Confidentiality

eosedge Legal also possesses an advantage that is unmatched by cyber vendors:  as a law firm, its communications with clients are confidential and privileged.  Even with CyberGaps™ to aid decision-making concerning risk-reducing options, communications between cyberlaw counsel and client remain confidential.  There is no such thing as an unlimited budget for cybersecurity, so there are substantial advantages to a frank and confidential attorney-client dialogue about how to manage cyber risk.


ABOUT EOSEDGE LEGAL AND IR GLOBAL

IR Global has partnered exclusively with eosedge Legal to provide IR Global members with a full spectrum of services to prevent, detect and respond to cyberattacks.  eosedge Legal and its partners in the eosCyber™ Alliance offer full-scope cyber services including education and boardroom advisory, vulnerability assessments, penetration testing, threat intelligence, application security, incident investigation and breach coaching.