![Page 1: The CISO Legal Partnership by Alejandro Villegas](https://reader036.vdocuments.mx/reader036/viewer/2022070602/587967e01a28ab1e388b7819/html5/thumbnails/1.jpg)
THE CISO LEGAL PARTNERSHIP
What CISOs can do Better
DISCLAIMER
The views and opinions expressed during this presentation represent my personal and professional experiences and do not necessarily reflect the opinion or position of my current or previous employers, and/or educational institutions.
SPEAKER: ALEJANDRO VILLEGAS
Ethical Hacker with a Business and Legal Education
• Seasoned Cyber Security Engineer with over a decade of experience working for various leading tech companies.
• Law school graduate.
• Education: JD, MBA, MS, BBA
• Certifications: CEH, CISSP, CISA, CHFI, ECSA, LPT, MCITP, ISO 27K Lead Auditor.
QUESTION
Raise your hand if you are 100% assured that your company will never experience a security breach.
OPERATIONAL TRIFECTA
Engineering
Business
Legal
WHY A LEGAL PARTNERSHIP?
Cyber Security has become a predominant challenge for organizations responsible for protecting and safeguarding customer data, such as Cloud Service Providers (CSPs).
Attorneys serve a critical function in ensuring that companies conduct due diligence and adhere to the cyber security requirements mandated by local, national, international and industry information security frameworks.
RELEVANT COURT CASES
SONY: Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 962 (S.D.Cal.2014)
TARGET: Target Corp. Customer Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1177–78 (D.Minn.2014)
TJMAXX: TJX Co. Retail Sec. Breach Litig., 524 F. Supp. 2d 83 (D. Mass. 2007)
ASSUME SECURITY BREACH
Proactive engagement with Legal.
Pre-breach continuous interaction with Legal.
Always assume security breach.
THE LEGAL LIFECYCLE
Avoid reactive Attorney engagement (Incident Response Phase).
Attorney engagement throughout the entire Software Development Lifecycle.
Attorney engagement throughout the entire Secure Operations Lifecycle.
QUESTION
How often do you proactively talk to your attorneys on a regular basis?
END TO END LEGAL DILIGENCE
CISOs must partner with attorneys on every applicable role:
Attorney Roles: Advisory, Compliance, Drafting, Audit, Litigation
ATTORNEY ADVISORY ROLE
Proactively discuss cyber security challenges such as Ransomware.
Determine whether you should pursue security breach insurance.
Discuss your cyber security program with your attorneys.
ATTORNEY ADVISORY ROLE
Cyber Security Incident Response Plan
Cyber Security Liability Insurance
Post-Attack Public Relations
Cooperation with Law Enforcement (Apple)
Reporting Cyber Crimes
ATTORNEY COMPLIANCE ROLE
Discuss which security compliance certifications are worth pursuing and which ones are not.
What is the cost of non-compliance?
How do you plan to be continuously compliant, not just during the audit engagements?
Talk about the Security vs Compliance dilemma.
ATTORNEY COMPLIANCE ROLE
National Cyber Security Compliance: FISMA, FedRAMP, CJIS (FBI), NIST 800-53.
International Cyber Security Compliance: ISO 27001, ISO 27018, EUMC, GDPR.
Territorial Cyber Security Compliance: MTCS Singapore, IRAP Australia, UK G-Cloud.
Industry Cyber Security Compliance: HIPAA, PCI DSS.
ATTORNEY DRAFTING ROLE
Review contract security addendums from a security engineering perspective.
Evaluate the feasibility of the clauses and contract obligations.
Determine if you are prepared to meet the security contract requirements.
Are you getting the right assurances from your vendors?
ATTORNEY DRAFTING ROLE
Do the cyber security provisions make sense to engineers?
Do the cyber security controls address the risk adequately?
Are both parties equally agreeing to manage the cyber security risks?
Is it best to use broad language? Is staying silent on a specific provision the best approach?
ATTORNEY AUDIT ROLE
Are you comfortable with the Right to Audit clauses?
Can your company manage multiple concurrent audits?
Have you considered the legal implications of audit findings?
Are your audit papers and artifacts protected by attorney-client privilege (ACP)?
ATTORNEY AUDIT ROLE
Terms of Right to Audit
Duration of the Audit(s)
Scope of the Audit(s)
Limit amount of concurrent Audits
ATTORNEY LITIGATION ROLE
Are you currently conducting due diligence throughout your entire engineering lifecycle?
Are you prepared for a subpoena or a deposition?
Do you adequately invoke the Attorney Client Privilege during your day-to-day security operations?
Proactively talk about litigation strategies.
ATTORNEY LITIGATION ROLE
The value of due diligence: Pre, During & Post a Security Breach
Diligence vs Negligence
VENDOR MANAGEMENT
Vendor Security
Do your vendors meet the same security bar as your company?
How often do you audit vendor security compliance?
Do your vendors have vendors? Do they also meet the security bar?
QUESTION
Do you get involved in the attorney recruitment process?
HIRE ENGINEER ATTORNEYS
Patent Attorneys generally have a science background to prosecute patents with the US Patent Office.
Cyber Security Attorneys must be qualified to understand the engineering intricacies of your Cyber Security Program.
END TO END LEGAL PARTNERSHIP
Ultimately you must proactively engage your legal team and leverage your attorneys throughout the entire lifecycle of your security engineering operations.
Conduct End to End Legal Cyber Security Due Diligence!
Q & A