Written by: Daniel Haurey on 10/06/18

On September 24th, 2018, I held a teleconference to discuss the topic of the Chief Information Security Officer (CISO), and Chief Information Security Officer as-a-Service, with data privacy expert Michael Feldman, Esq. and cybersecurity expert and consultant Jeff Miller. The complete video is published on YouTube. Below, we are also providing a transcript of the entire call.

CISO-as-a-Service Interview

Daniel: Hey, hi everyone. I’m Dan Haurey. And with me today is cybersecurity expert Jeff Miller and Michael Feldman, attorney at law and co-founder of the New Jersey-based law firm, OlenderFeldman, LLP. Hello, gentlemen. Good morning.

Michael: Morning.

Jeff: Morning.

Daniel: Thanks for joining me. As you guys know, today’s topic is Chief Information (Security) Officer as a service. So, Jeff, we’ll just jump right into it. Jeff, what is Chief Information Security Officer or CISO as we’ve been commonly referring to it? What is a CISO and what are they responsible for?

Jeff: All right, so a CISO is the person who is in charge of or responsible for the overall security strategy of an organization and CISOs aren’t in every organization. But it makes sense for companies that are growing, companies that have a lot of employees, companies that have a lot of risk. So the CISO is the person whose ultimate goal is to strategically plan how to identify and reduce risk within a company and also remediate that risk. And they may not be doing that themselves.

Oftentimes, they’re not, but they’re the leader who’s sort of holding the strings, and they’re gonna report to key stakeholders, both internal and external on their efforts to reduce risk. So they’re typically not under a CIO, but side by side with a CIO and they would sit at the table with all C-suite. So their responsibility, again, is just the strategy of finding and reducing risk on a continual basis for a company.

Daniel: Gotcha. Gotcha. What does this type of person make in terms of salary range? So if you’re in a regulated business and you do need a Chief Information Security Officer, what would you say is the full-time salary like in this New York Tri-State Area? What does that look like?

Jeff: Okay, so in this area being a metro area, the base salary is gonna be higher than other areas in the country. So I did actually recently look it up for this video that we’re doing today and according to salary.com, the base salary range for a full-time CISO in the Tri-State Area is gonna be between just over 200K a year and upwards of a quarter million dollars. So the ceiling on that was 263K per year. So which is surprising, people don’t realize that that is, in fact, the going rate for CISOs in our area. If we took the whole United States into play the entire U.S., not including bonuses, healthcare, or retirement benefits, the base salary for CISOs across the board is 218K. So no matter how you cut it, it’s over $200,000 base. So it’s definitely a very important role but definitely inexpensive role as well.

Daniel: Gotcha. Gotcha. And I guess, as Michael can attest to this, and I know I can, as a small business owner, then when you add benefits, vacation, all that other stuff, the overhead and all that, of course, that number probably climbs higher, right? I mean, it’s fair to say.

Jeff: Yeah.

Michael: We typically consider that 25% to 30% extra for all and overhead when you’re talking about an employee.

Daniel: Yeah, yeah, my rule of thumb is a minimum of 20% added to that, right. And Michael, while we’re on the subject here of security, of course, you hold the CIPP certification, which is something that I’m personally interested in. Just give us a little background on what CIPP is and what that’s all about?

Michael: Sure. CIPP stands for Certified Information Privacy Professional. It’s a certification commuted through the IAPP or International Association of Privacy Professionals. I know I hate to throw around all the initials out there but it’s a way to [inaudible 00:04:33]. The IAPP basically with several thousand members is considered the largest organization of privacy professionals in the world. It brings together professionals such as me, lawyers, as well as technical experts in privacy, security, etc. The program itself to get certified requires you to learn about the privacy laws in your geographic areas, there’s one for the U.S. they’re separate for Europe. The laws there are obviously different.

You know, as some people may know and maybe we can get to later, the laws are starting to overlap between Europe and the United States. At the end of the day you have to invest to make sure that you actually understand not only what the laws are but how to apply the laws to practical situations that arise every day and ultimately you’re required to continue with 12 hours of continuing legal education or continuing privacy education [inaudible 00:05:34] to make sure that you are up to date at what’s going on in the world of privacy.

Daniel: Interesting. Yeah, I’m sure that one’s gonna be getting much more popular. How long have you held that particular designation?

Michael: Good question. I wanna say six years, six or so years. It was much smaller and less common when I started with the IAPP and the CIPP program. Now, more and more organizations are coming out as what used to be the world of privacy was kind of small, most people didn’t know much about it outside of HIPAA is now becoming commonplace and something that just about every business has to deal with on a daily basis.

Daniel: Absolutely. So that kind of brings me into a good segue for my next question. From my vantage point here, you know, living cybersecurity every day, the environment seems to be…or at least the consensus is that the environment is becoming more strict or more complex as time goes on and we turn everything digital. Do you agree? And if so, why do you think that is?

Michael: Well, I guess they’re two separate questions about strict and complex. The simple answer is the strict part. Yes, the laws are becoming more strict. The courts and the laws are giving more credence and credibility to the privacy rights of individuals which then impact any business out there pretty much because almost every business ultimately deals with individuals, whether it’s internal with human resources or external with your clients, customers, etc. So that’s kind of the simple part.

The more difficult part perhaps is the complexity. And yes, they’re becoming more complex, to understand a little bit about the complexity, you have to look at the U.S. model, which I presume we’re talking about most versus the European model. The European model starts with the concept that all personal information is private unless there’s a law that says otherwise. And then Europeans tend to have unified laws such as the more recently enacted GDPR as of May 2018. But starting with that concept that everything is private, it’s a little easier to figure out then what isn’t. The U.S. is far more complex and getting even more so, and the U.S. in regard with the general presumption that nothing is private unless the law says it is.

But to add to the level of complexity here, instead of simply having laws that say that information is private and this information isn’t private, or what we can do with it, we have laws and regulations at the federal level and the state level, then the local level. And to make things a little more complicated over that, we also have industry-specific rules whether it’s finance, healthcare, etc. And we have certain non-binding where certain industries agree internally to follow so you can comply with general industry standards.

And then on top of all of that, you have contractual obligations, some of which require you to comply with certain laws, whether or not they would otherwise apply to you and certain contractual obligations that create independent privacy and security obligations. So you need to be aware of all of them. And I give people an example of some of the complexities that could pop up. Where I had a case involving two doctors, one left to practice, the other doctor sued, said, “You took my customers.” The first step was to determine did the customers go to the new doctor? The court had an experienced judge who’s been on the bench for probably 20 or 25 years saying, “Hand over the patient list. Keep it confidential. We’ll sign a confidentiality order. But turn over the patient list to the other side so we can see if you do in fact have overlapping patients.”

Ultimately, that was reversed. Why was it reversed? Because under HIPAA this means you could do that, HIPAA being the federal regulation that generally governs medical records, physician-patient connections. But New Jersey has a more strict patient privilege statute. That statute said, “You can’t turn over those records.” Once that was brought to the judge’s attention who had no clue, the judge said, “You’re right, the records can’t be turned over,” and ultimately the case was dismissed.

Prior to bringing that to the court’s attention, I talked to various healthcare experts who weren’t really sure about it. To be honest, I wasn’t really sure about it. So if you take it outside the realm of in that case attorneys and healthcare experts and try to deal with a situation like that which for businesses could be simply the interaction between the physician-patient privilege in HIPAA, you would be lost. So these types of overlaps are now occurring more and more and more as more states and more industries are creating their own privacy rules and regulations.

Daniel: Excellent, excellent. Yeah, that is a great response and a great example of how regulations and contracts and everything kind of intertwine to create complexity sometimes. So that can’t be understated. Jeff, you’ve been trained in a lot of these different areas, how does an organization know when it’s time to create this Chief Information Security Officer role or just employ the services of a CISO as a service?

Jeff: Yeah, good question. So, first of all, many organizations are mandated by law to have a CISO role. So when you’re mandated, you don’t have a choice, that’s just something you have to do. So whether in-house or outsourced, some people do choose to outsource the role. That can be less expensive, obviously, than hiring a full-time employee. Like we talked about earlier, you’re looking at a quarter of a million dollars, essentially. So examples of some verticals that tend to have CISO roles are banking, insurance, financial institutions, particularly in New York State, thanks to the relatively new Department of Financial Services Cybersecurity Regulation. So, in New York State or anybody licensed in New York, even if they’re in New Jersey or some other state within banking, insurance, and financial, they have to have a CISO.

Other companies that choose to hire a CISO do so shortly after they go public or before they go public just to manage that. Oftentimes, investors wanna see that their money is invested in a company with a sound cybersecurity vision and approach. There was a sports medicine company that I worked with recently in New Jersey, and they were just about to get acquired. So they sort of hurried up and got all this stuff in place where we did a security assessment, some written policies for them around their IT and their cybersecurity, because the people who were going to acquire them, they didn’t wanna acquire a risky business. So that was a case where it made sense to have that kind of work done.

So, the fact is, many small and medium businesses can’t afford and it may not make sense obviously for a 10-person, you know, shop to have to employ a full-time CISO. That’s simply not financially feasible. But that’s why outsourcing that role out to a cybersecurity firm as a fractional CISO is sometimes more appropriate. I guess to tie it up, anybody who wants to reduce risk, maintain their reputation, and avoid the expensive downtime associated with breaches should consider either a full-time CISO, if they can afford it and they’re large enough or an outsourced fractional CISO to a cybersecurity firm.

Daniel: Awesome. Yeah, a lot of times, we remind clients to, you know, when they’re doing their risk analysis to of course also not forget reputation cost, right, because that’s huge. Michael, is there anything you wanna add to that?

Michael: A couple things. First, is the concept of privacy by design, which is the idea that companies are latching on to more and more of developing your business, all aspects around the concept of privacy. When I say privacy, we’re talking to rules, regulations, security, everything that goes with it. And CISO fits into that role, whether again, full time, part time, inside, outsourced, in protecting your business. And the best way to avoid getting into problems, and having lawsuits, sanctions, fines, whatever the case might be, if you’re in a regulated industry or not, is to organize [inaudible 00:15:10] correctly in the first place.

Now we see most businesses, the larger businesses have an HR department or head of HR, which is a newer concept. Fifty years ago, you didn’t have that generally. But people saw there was a benefit to having a head of HR or an HR department to make sure that the HR rules, regulations, and concepts were integrated into a business. Now, I kind of view the concept of a CISO, security, privacy, legal team all in place, integrated with the business. It’s kind of like the HR department used to be. And I think we’ll see that happening more and more, some may resist it. I think it’s inevitable. And I think as a general matter, it’s a sound investment for your business to make sure things are done right up front.

In addition to that, as I mentioned earlier, as of May 25th, 2018, the Privacy Act called the GDPR or General Data Protection Regulation came into effect in the EU, while people are watching this perhaps or businesses in the U.S. think, “That’s a European thing. That doesn’t affect me.” The regulation is written in such a way that it affects anybody in essence who targets any business in the EU or collects any personal data from anyone in the EU. That could include having a website where you have the little link that pops so you can change your language to French, to Spanish, to German.

It may be a website that you sell your product to people over there, and how is that indicated for your own records too? If you click on the shipping icon or shipping information, people often have international orders in there. Any of that even if your entire business is located in the U.S., it’s impacted by GDPR and you’re subject to sanctions, fines, penalties, and lawsuits for lack of compliance. It’s a pretty complex regulation. It is a big regulation. The fines can be based upon your worldwide revenue, not just your revenue in connection with business in the EU. And if you really think, “Well, I don’t need to worry about that because I’m just in the U.S. and I just do business in the U.S.” California recently passed its own Consumer Privacy Act just probably a month or two ago.

While it doesn’t come into effect until 2020, there can certainly be some truth to do it. That law will be coming. It takes a long time to get ready for it. It’s not something that you can do overnight. I still work with companies regarding GDPR who are trying to get compliant now because they didn’t start in May. It’s not a simple process. That’s something a CISO and having a team in place can certainly help with. And my guess is California is not going to be the last state to implement such rules. I think you’ll probably see it in the same way you’ve seen with laws with respect to biometrics. Started, generally, the big first one was in Illinois and then other states followed. So I think it’s inevitable that it’s going to happen here. And while you can wait and be more passive, you can also use compliance as part of your marketing strategy, as well as simply a defensive mechanism.

Daniel: Got it. Got it. So what you’re essentially saying is if I stand up a website and potential customers…I could be located here in the U.S., but if I sell widgets and I stand up a website and sell those widgets and potential customers are in Europe, I have a GDPR obligation?

Michael: I’d actually take it a step further than that. You don’t even have to sell them the widget. If these people are coming to your website, and your website collects information, whether it’s more passively or passively through cookies, etc. Or if you simply collect information from them, maybe to send them marketing material, email, [inaudible 00:19:41], new products, new services, anything like that, you’re covered by GDPR, even if they never purchased anything from you.

Daniel: Right, right. Jeff, you’ve been trained in some of these various cybersecurity regulations, including the New York DFS1, which we’re receiving a lot of calls on. What are some of the cybersecurity regulations that require the services of a CISO?

Jeff: Sure. Good question. So we’ve mentioned the New York State Department of Financial Services, that regulation is actually…the formal name of it is 23 NYCRR 500. And so it’s cybersecurity for insurance, banking, and financial services. So smaller organizations with fewer than 10 employees and under a certain revenue threshold are exempt from that. But by and large, the majority of banking, insurance, and financial services companies doing business in New York, even if they’re located in Florida, it doesn’t matter, if they’re licensed in New York, they have to meet the CISO role, whether they do that in-house or whether they outsource it to a company who can help. GDPR doesn’t explicitly say, “Hey, you need to have a CISO.” But it does say, “You need to have a data privacy officer,” which is not quite a CISO role but there is a lot of overlap in terms of, you know, their primary goal is reducing risk, protecting private data. So they really have the same agenda but there are slight differences or nuances between privacy and security. But at the end of the day, if you think about it like a Venn diagram, the data privacy officer has quite a lot of overlap to what a CISO would provide.

And then the other one is HIPAA, which has been around for well over a decade. Any HIPAA covered entities are required by section 164.308, which is the HIPAA Security Rule, to identify what they call a HIPAA Security Officer. And that’s somebody who is responsible for the development and the implementation of policies and procedures. And this is, you know, verbiage right from HIPAA, “To ensure the integrity of electronic protected health information.” What does that mean? That to me, means you need to have a CISO. Sometimes they call that a Chief Risk Officer. I’ve heard that when I visited different hospitals and healthcare facilities, you know, so it goes by different names. But at the end of the day, they’re really trying to just do those two things, reduce risk and protect private data. So those would be, again, New York State DFS, GDPR, HIPAA, and those are just three off the top of my head.

Daniel: Nice. Michael, I was wondering, you know, after the financial fallout, you started to see major regulations, you know, Dodd-Frank and all these things happen where the person in the company, maybe the CFO, right, in a publicly traded company had to start making, I guess, attestations to the validity or truthfulness of the data under penalty of law, right? Like you had people who could be held personally liable, I think, correct me if I’m wrong, if there were certain irregularities, or if the company ran afoul of the law. I’m wondering if…I think that’s not in place now in terms of, you know, data breach privacy laws if you’re a Chief Information Officer or a CISO, but I wonder if in the future, we could see a trend towards more personal risk exposure for someone in that role? I mean, any thoughts on that?

Michael: I expect to see that slowly happening. In the last financial crisis as you know, there were lots of complaints that executives were getting off in the financial sense. The new wave is probably gonna be data breaches. They’re happening every day. You’re seeing most recently, I guess, maybe not most recently, but certainly with Uber, where there was information that was supposed to be private, that was being used for improper purposes. And I think you’re gonna see that happening more and more, same with the analytics company. I’m drawing a blank on its name.

Jeff: Cambridge Analytica.

Michael: Yes, Cambridge Analytica that was gathering data for one purpose and using it for something else. I think as those types of incidents continue to rise, you’re going to see a need or a desire to hold individuals liable or those [inaudible 00:24:37]. I don’t think you’ll see it where the individual was careless or was just not being that smart, but I do think you’ll see it where the individual was acting maliciously, whether it’s separate criminal statutes that held you liable or built into the regulations themselves. Already, for example, with GDPR, while not applicable here in a sense, in certain scenarios, you need a representative in the EU, if you’re a U.S. company, that representative over in the EU, which could be a person, an individual or an individual at a company, that representative can in fact be held personally liable for their own representations.

Not for the badass company overseas if your company does something, but if the representative makes a representation to a government or entity investigating something, and that representation based on first knowledge is wrong, that individual can be held individually liable. And I think as U.S. companies are to mimic somewhat, or I should say, U.S. regulators start to mimic somewhat what’s going on in the EU, I think we’ll see some of that here. Right now a lot of technology companies are getting together saying we need a national law on this. They don’t want GDPR. It’s a little too strict for the businesses that promote it because it limits what they can do, but they’re pushing for a national law to cover this type of behavior, this type of business behavior. And I think eventually you will see the personal liability built in there.

Daniel: Yeah, yeah, the personal liability is an interesting topic because whether you’re for or against it, I think skin in the game is better for consumers or people who are having their data possibly exposed, but it’s probably a topic for another video. Jeff, going back to, you know, we touched on running a small business and, you know, sometimes an organization just can’t justify a full-time HR manager so they outsource their HR maybe to a PEO like we do here. One of the big trends now is, you know, the phone will ring and someone will say, “Can you provide CISO as a service and check that box for me?” So tell us about CISO as a service.

Jeff: Right. So CISO as a service is basically taking that role and giving it to a third party. So just given the sheer cost of hiring a full-time CISO, it makes sense for companies to at least explore the option of an outsourced CISO. Again, like you said it, CISO as a service or fractional CISO is another way to put it. One of the things I like about CISO as a service is oftentimes companies that do that…they have a bench, so you’re not just getting, you know, a singular opinion from one person, you’re getting sometimes a team of people with different vantage points. And so that can be valuable. And then CISO as a service offerings should start with, you know, when you engage a third party, if you decide to do that, you need to get a baseline.

So that offering starts with doing an upfront risk assessment, and I always use the analogy, you know, you can’t get where you’re going unless you know where you are, right? In Google Maps you’re having asked to figure out where are you located down to get your directions for you, so. And the same thing goes for CISO as a service, you need to have an upfront risk assessment performed by that company. And that gives them the baseline of risk for your organization. It allows them to adjust your organization’s risk appetite, are you risk averse, do you accept certain levels of risk in different areas? What’s your mission statement? What’s your vision? Where are you trying to get in 5 years or 10 years?

So taking all that as inputs, the risk assessment is gonna give you a risk baseline and help understand where the organization wants to go from a leadership perspective. So the outsourced CISO is gonna help your organization continually find opportunities to reduce risk, right? We don’t look at risk as, “Hey, shame on you, you did something wrong.” We look at it as, “Hey, now that we know about it, there’s an opportunity to do something about it.” And the CISO as a service offering should ultimately take everybody’s stress away by collating and curating information about risk remediation efforts and the general effectiveness of your cybersecurity program. Without having this service or this person tying it all together, it’s all ad hoc, you don’t know what’s going on and it’s hard to really put a grade on how well you’re doing.

So this person is taking all the efforts of individual, you know, the IT folks who are doing the remediation, the people who are addressing different areas of risk. They’re gonna be talking to people in different departments about their general understanding about policies and procedures and how well they’re being followed. And the CISO as a service offering is really valuable because it ties all that stuff together. It makes it, again, digestible by a board or C-level folks, or who are people president, owner, or people who need to know about that stuff. And if your organization is attacked, breached, or adversely affected in any way, it’s the outsourced CISO’s responsibility to report to the board. So that can take a lot of that stress during a breach or after a breach. It can take that stress away because the CISO gets to sort of bear that burden.

Daniel: Gotcha. Yeah. Are there any regulations that you guys know of that maybe particularly say that CISO as a service is not gonna fly, you have to have like a full time equivalent doing that role?

Jeff: No, there’s nothing at all that says you can’t outsource it. But when you do outsource, you obviously have to pay attention. There has to be, you know, agreements in place, regular reporting, service level agreements, or SLAs. Anytime anybody engages a third party, whether it’s your janitorial staff, whether you’re moving email to Office 365, whether you’re outsourcing your IT, or the example you used earlier, outsourcing your HR, any of those times that there’s a third party involved, there needs to be oversight. So the oversight is important but there’s nothing in terms of regulation that says you can’t outsource the CISO role. So it’s perfectly acceptable in any geography, environment, or vertical to outsource that role if that makes sense financially for the company.

Michael: And I’ll add something to that. Because I agree with everything Jeff has just said on the last few questions. But to add to it, oftentimes outsourcing a CISO is actually beneficial to the company. You wouldn’t wanna outsource your CMO’s agenda no matter because you want somebody who’s running the company with skin in the game. When you’re dealing with privacy and security regulations, oftentimes you want someone who doesn’t have skin in the game. You want someone who’s looking to protect the company from an objective viewpoint, to make sure the company is taken care of from an objective viewpoint. That’s why in GDPR when you have your privacy officer, the privacy officer has to be in a position separate in essence from the business people.

You can’t have the same role if it creates a conflict of interest. I kind of look at outsourcing the CISO as the equivalent of having outside legal counsel. And no one looks at it as, well, we can only have an inside in-house counsel because otherwise it doesn’t make sense. You outsource your legal work, oftentimes, even if you had an inside counsel, you may have a GC, general counsel, and a whole team but you still outsource a lot of legal work, particularly as a general matter when it comes to specialized work, big, specialized work. So the concept of outsourcing not only isn’t barred by any law that I’m aware of, the whole idea of having whether it’s an individual or is [inaudible 00:33:07] to the team or at least having a team who is ready if needed, can be more beneficial and more cost efficient oftentimes, than having your in-house CISO.

Daniel: I like that. Yeah. And, you know, having been doing this for 20 years, I think the last thing anybody wants is the finger pointing, when something really bad happens and everybody kind of just, you know, does the hot potato thing. And says, “Well, I thought he was doing this, and she thought he was doing that, and I’m not really responsible for that.” So I think the name of the game here with CISO or an outsourced CISO as a service is this person is totally responsible for these things. So that makes a lot of sense.

So speaking of things going south, right, that’s when we get the call sometimes, and I’m sure, Michael, you feel the same. Something goes bad and, you know, the Office of the Inspector General has now knocked on the door, and, oh, boy, everybody’s on the hot seat. So in that case of a substantial breach at a regulated company, right, it might be a hospital, it might be an insurance company, it might be a financial services firm, what is the CISO doing? What are they responsible for, Jeff?

Jeff: So yeah, in the case of the emotional, the irrational is, what happens during a breach, right, everybody starts to freak out. In that case, it’s the CISO’s responsibility to add the rational in and subtract the emotional out. And they’re really…the way that they do that is by enacting the incident response plan. So the CISO, I said earlier, that the first thing they’re gonna come in and do is a risk assessment of the organization as a whole. And based on that risk, based on the technical controls that are in place, we’re also gonna build an incident response plan, hoping to never use it, but regularly reviewing it in case they do need to use it. We recommend once a year doing tabletop exercises to review the incident response plan.

So again, the CISO would enact the incident response plan. They work with individuals in IT, legal, and other departments to get the breach contained and to reestablish services as promptly as possible. Oftentimes, people think about a breach as, “Oh, that’s an IT problem. You know, it’s a cyber-breach, right? It came in through a computer. So that’s an IT problem.” They forget the fact that there are regulations in place. It’s a legal issue. They forget the fact that the reputation is at stake. So there may be a need to get messaging correct, right? Not to mislead people that, “You know what? You wanna be on the 6:00 news.” And you certainly don’t want your employees on Facebook saying, “Hey, we just got breached. And it’s so bad and terrible,” and all this stuff, that’s not good for anybody. And it’s not helpful.

So the CISO is gonna enact the plan, get the appropriate teams fired up, IT, legal, and whatever other departments need to be involved. They’re going to…they need a person who would communicate the breach to third parties. So in certain cases, the FBI needs to get involved, right, if there’s, you know, money transfer or things like that, you know, the best practice is to contact the FBI. In certain cases, state and local police need to be reached out to, often the Attorney General for a particular state, the Department of Health and Human Services and healthcare, and then going back to New York State, the DFS superintendent, if you’re in banking, insurance, or financial services. And if you don’t know that in advance, if you don’t have that plan in place you’re not gonna be acting…like I said earlier, it’s gonna be emotional and irrational. So the CISO is going to take the heat off and just follow the plan. It doesn’t have to be difficult.

You just follow the plan. And after you’re up and running and services are up and the data has been accounted for, everybody has been reached out to, the CISO is then gonna be responsible for conducting what we call a lesson learned exercise. That’s a post-breach thing that everybody gets together to identify areas of weakness in their current security posture, because obviously if you got breached there was a chink in the armor, right? So how do we avoid this from happening in the future? Did I have employees reaching out to the public where they shouldn’t have? Were there things that we could adjust or tweak to reestablish services more promptly next time, right? So the lessons learned is also something that the CISO would host after the fact of a breach.

Daniel: Yeah. Anything to add to that, Michael?

Michael: Jeff fairly nailed it. I think the key points here are going back to the concept of privacy outline and the CISO being part of it, and you need to have everything in place up front for when and if a breach happens. And to be honest, I tell everybody, “You will be breached.” Everybody will be breached. So whether it’s a breach that you know about, whether it’s a breach that actually causes a problem because sensitive data is used or it’s just a breach by some hacker having fun or a government that you’re never gonna know about, you’ll be breached. But if you wanna develop upfront the concept of privacy by design with your business and a CISO is obviously part of that.

And then the key that Jeff mentioned there is the incident response plan. You need to have one in place. When these breaches happen, you often have obligations based on an action 24 to 48 hours depending on what regulation may govern you, and whether you have contractual obligations that often shorten that time. Those steps that you take, those actions that you take immediately after a breach can be the most critical moments to your company. You go down the wrong avenue or you take the wrong step and it could be catastrophic. But in these scenarios, you don’t have time to gather everyone together, to gather the board, and just, “But here’s what happened, what do we do? Let’s go out and start helping people and do some research and figure that all out.”

You need to know almost instantly, you’re literally talking to them for the 48 hours. And the last thing you want when you’ve been breached is to blow a regulation that may require you to contact people by notice, that may require you to contact the government, or you may decide to contact the government to help in connection with your breach depending on what it is. These aren’t things that you can deal with afterward.

So having a CISO in place, whether in-house or outsourced, is critical. And you may be a huge company, you can have inside, have your in-house CISO. If you’re not, it’s really not an excuse anymore as outsourcing is becoming more and more common. Ten years ago if we were having the same conversation, my response might be very different. But now there’s really no excuse. And it’s not just…I don’t just say that as a lawyer [inaudible 00:40:36] perspective, it’s a practical perspective. You’re spending all your time and effort to grow and develop a business to have it all go south because you don’t take proper protective measures is ultimately somewhat irrational.

Daniel: Awesome. Awesome. Well, thank you guys for joining me. We’ll have more videos to come. And I really appreciate you sharing your insight today. So thank you.

Jeff: Thanks.

Michael: My pleasure.

Daniel: Take care guys.

Michael: All right. Bye.
