We just got a great item in from Patrick Burke. He is the Assistant General Counsel at Guidance Software, Inc. Prior to that he was a litigator with the London-based international law firm Linklaters, so he really knows his onions:
With corporations’ lawyers increasingly reliant on ready access to the company’s digital information, CISOs who work closely with Legal find their roles expanded and their corporate profile raised.
Legal departments at major corporations are increasingly reliant on ready access to their companies’ digital information. Without the ability to locate and collect large amounts of data that resides on the company’s laptops, workstations and servers, a company’s lawyers now find they are unable to effectively advise management on legal questions, defend the company in litigation, advise on the company’s rights under contracts with other companies, investigate HR issues or satisfy regulators.
In short, the lawyers have developed a growing dependency on the Chief Information Security Officer (“CISO”). The CISO and the Information Security (“IS”) team are the people with the authorisation, ability and tools to search the company’s data, collect what the lawyers need, and deliver it to them in a usable format. Given the range of legal matters at issue – including some “bet the company” investigations or litigations at some companies – this dependency is expanding the mission of IS and raising the profile of CISOs.
The fit between Legal and IS is symbiotic, natural and nothing new. IS at most companies traditionally has included in-house investigatory capacities. IS investigators frequently investigate matters at the behest of the Legal and HR departments such as IP theft, fraud, sexual harassment or other illegalities. Typically IS investigators come from backgrounds in law enforcement and are practiced in handling electronic evidence with attention to the chain of custody required by courts.
What is different is the scope and sheer amount of data required for the wide range of legal matters, and the increase in data maintained overall by companies and their employees. Employee laptops alone often hold 40 gigabytes of data on their hard drives, with newer models holding a multiple of that amount. The data on just a dozen of those computers can amount to a terabyte of potential evidence, which is the equivalent of over 60 million pages of hard copy information. Document requests from the FSA, OFT, SEC or European Competition Commission can run beyond gigabytes into terabytes of data. Legal’s hunger for data can be even greater when it comes to major litigation or exchange of due diligence materials required in mergers and acquisitions.
Savvy CISOs leverage their access to corporate data into a strategic relationship with Legal. They do this by demonstrating they understand Legal’s requirements and can deliver on them. The relationships are strongest with Legal when the CISO puts in place:
• Strong communication with Legal. Some companies form “working groups” that facilitate planning, coordination and trust. IS should select representatives who are not put off by lawyers or how they communicate.
• Technology capable of efficiently searching, locating and collecting data from every single server, workstation and laptop in the company. Enterprise-wide solutions that automate data collection (including metadata) usually also provide the logging and documentation that may be crucial to the lawyers at a later date. Having a common platform to support electronic disclosure, regulatory collections, internal fraud investigations, computer security incident response, internal audit, and other key processes allows the company to dramatically reduce the cost per activity by amortising the cost of the platform over many different events, minimizing the employee training required, and reducing the amount of outsourcing to expensive consultants.
• Strong project management. Smart project management not only gets the job done efficiently, but keeps an eye on documentation in a way that reassures courts and regulators.
• Processes that are defensible and repeatable. Ad hoc approaches to data collection increase doubt and suspicion by lawyers, courts and regulators. Repeatable processes increase IS’s ability to ensure compliance with best practices, rules of evidence and data protection laws.
Each of these elements is best accomplished by IS staff rather than outsource bureaus. Yet company lawyers frequently will turn to their law firms or to outside consultants if they do not believe that IS has the expertise. Sometimes IS can contribute to the impression that it is not comfortable with an expanded role.
The arguments are compelling for a company’s IS staff over outsourced alternatives. The strongest argument is the cost savings – in-house systemised processes are efficient and cost-effective. Common sense dictates that IS is better positioned to implement defensible and repeatable processes involving the company’s data because they work with that data every day, rather than consultants who work on a project basis.
Assigning data search and collection to IS also makes sense because corporate information security professionals already are generally well-versed in computer investigations. Many have computer forensics training and tools and routinely access and investigate systems to identify and collect data for security and investigative reasons. Further, a systemised process executed with plugged-in enterprise tools and run by a well-trained internal team that is very familiar with the organisation’s IT infrastructure and that works alongside corporate legal is generally more advantageous from a compliance standpoint.
Finally, IS already has reason to be equipped with software that enables keyword and time-frame searching of all the company’s email as well as all electronic documents on the company’s laptops, workstations and servers.
The expanding data needs of Legal present CISOs with an opportunity to raise their profile and increase their authority and budget. They are best positioned to step into this role, but must capitalise on this opportunity by developing strong connections with Legal and implementing defensible and repeatable in-house processes supported by strong project managers equipped with efficient enterprise search and collection software.