Legal and Security
The cybersecurity manager and the legal staff usually get along well, though the lawyers probably don’t know much about what the cybersecurity manager actually does. The cybersecurity manager should start by meeting the lawyers in charge of drafting contracts and end user licence agreements to discuss the security requirements that should be written into those contracts.
The first thing the cybersecurity manager discovers in these conversations is that not all attorneys understand security. Lawyers and legal advisors usually specialise in one area of law, such as contracts or intellectual property rights (IPR). Ask them about software defects and vulnerabilities, and most will have little to say.
This is a teaching opportunity for the cybersecurity manager, who can provide the legal team with invaluable support that they will appreciate. Once a collaborative working relationship exists, the cybersecurity manager may find the legal staff coming over to ask for help whenever they draft a new agreement that touches security or compliance.
That’s the perfect time to influence the contracts that will govern relationships with outside service providers and suppliers: before the agreements are signed. Fixing problems after signature is usually very difficult, and there is always a cost involved, because every change then has to be renegotiated. It’s critical that the cybersecurity manager gets involved in every new acquisition and service provider agreement as early as possible.
Whatever the cybersecurity manager and legal do together usually ends in some sort of contract, and in a standardised template with a set of security clauses for different uses. A typical case they might work on together is buying data centre services, where the contract should clearly define the operational security measures and the security services included in what is being bought. Some of the language can be templated and some of it will need customising for the deal, but it’s a good idea to include a right-to-audit clause in every template. Suppliers often resist an open-ended audit right, so the clause should spell out its scope, notice period and frequency, and say whether an independent audit report from the supplier can satisfy it.
Contracts through the Supply Chain
There is not a single company in the world that doesn’t use some sort of supply chain. Employees have to have cell phones, an ISP, a SIM card and an agreement with a carrier to provide voice service; otherwise their salespeople cannot make calls. That’s a simple supply chain. Some supply chains are huge: one logistics company we know of used to have 10,000 suppliers for transporting cargo. Others, especially in technology, are extremely complex. Consider all the parts and suppliers that go into making one iPhone.
Most companies work with a variety of suppliers, each of those suppliers uses suppliers of its own, and so on. It can be tough to trace a supply chain all the way back to its source. Most supply chains are so complex that it’s not realistic for any cybersecurity manager to expect to impose security standards on the whole chain from start to finish. In reality, the cybersecurity manager has to focus on the few suppliers that matter most.
Working with the legal team, the cybersecurity manager should focus on the biggest suppliers and audit those agreements. Size by spend is only a starting point: a small supplier that holds customer data or has privileged access to production systems can matter more than a large one that does not. Supply chain contracts typically run for one to three years, so when each agreement nears its end date the legal team and the cybersecurity manager should work together to see whether there’s anything they want to change or add. With a three-year deal with a service provider, there are three years in which to think about what needs to be written into the renewed contract regarding security; keeping a running note of the security problems encountered during the term makes that renewal conversation much easier.
Making Legal Happy
Clearly, the cybersecurity manager will benefit from a healthy relationship with legal, and legal will too. The lawyers don’t know the security area well, so an experienced cybersecurity manager can get a few beneficial clauses into their agreements and agreement templates. Security clauses that make their way into the templates will then be used across many agreements. The legal team will also be grateful if the cybersecurity manager helps them clear out requirements that shouldn’t be in the contracts at all: clauses that create unnecessary liabilities.
For example, software development contracts almost always contain a clause about fixing significant flaws in the software. If the cybersecurity manager and legal agree that a security vulnerability constitutes a significant flaw, they can put a clause in the contract stating that all vulnerabilities are significant flaws that the service provider must fix. Without that definition in the contract, every vulnerability found in the software turns into a negotiation: who will fix it, and who will pay? In practice the supplier will want to narrow the definition, so the clause usually also needs to say how severity is rated (a recognised scale such as CVSS works) and how quickly each severity level must be fixed. An experienced cybersecurity manager can help legal a great deal in this regard.