Michael Dolan is the Chief Information Security Officer (CISO) for Element Fleet Management. Dolan has more than 17 years of experience in information security, privacy, compliance, and operational risk management, including executive roles at Element, GE Capital, and U.S. Bancorp. He previously served as a Senior Associate for Oppenheimer Wolff & Donnelly LLP where he practiced antitrust and trade regulation, business litigation, campaign finance and election law.
Christopher P. Skroupa: Historically, the Chief Information Security Officer (CISO) has owned the responsibility for cyber defense; however, over the last several years companies have taken a more holistic approach, inviting in legal counsel, risk, governance and compliance leadership. What are the drivers of this change?
Michael Dolan: I think that the CISO commonly still owns responsibility for executing cyber defense at business organizations, but I agree, and think it’s a natural progression that a suite of stakeholders have become engaged on this subject.
First, information technologies have become more core to business success. If we think of “security” as ensuring confidentiality, integrity, and availability of critical and sensitive information, its significance to the modern enterprise is clear. Are you a manufacturer? Your competitors, and perhaps nation-state actors, may want your intellectual property—industrial espionage is real. Do your employees or customers rely on getting accurate information, when they need it? Then security failures potentially have tangible, direct bottom-line consequences across an enterprise. And with the emergence of ransomware and business email compromise, all organizations—of any size and any industry—are targets and exposed to cyber risks as reflected by the U.S. FBI’s recent public service announcements on the subject.
Second, a broader array of policy makers are developing an understanding of just how significant cyber security is to industries within their scope and the economy as a whole. While minimizing impact to consumers from data breaches is without a doubt an important policy objective, more policy makers are realizing there’s more to it than that. As a result, there are more laws, rules, and scrutiny, which leads to more internal legal and compliance engagement.
Skroupa: From your background and professional experience as both legal counsel and CISO, how can you speak to the evolving nature of cyber security? Why should a general counsel serve as an integral part of the resilience team?
Dolan: A long-standing challenge in this area is translating cyber-security defenses into language that demonstrates meeting regulatory expectations and legal requirements. The industry response to this challenge has traditionally been checklists—a way for legal/compliance personnel to translate requirements into “layman” terms and for IT professionals to translate technology into something others can understand upon review—but checklists alone likely aren’t sufficient any more.
One reason for this is increasing demands from securities regulators. In an increasing number of jurisdictions, boards are either expressly told that cyber security must be an issue within their oversight or it’s overtly implied. Because general counsels (GC) often steward (or in some cases shepherd) the board, GC engagement is critical, especially in light of the contractual, statutory and regulatory consequences potentially arising from a cyber-security event.
Skroupa: It appears that the General Counsel and CISO may be challenged in finding a common language through which they are able to identify, plan and manage against risks. Do you find the legal and technological dimensions of resilience planning share a platform?
Dolan: There is a common language and perspective that underlies the day-to-day jobs of each—identifying and implementing a risk-based approach. Accomplished GCs and CISOs understand that there is no such thing as perfection in any enterprise. The challenge and, from my perspective, responsibility of CISOs is taking traditional metrics and reporting and transforming them to the next generation—actionable information that the GC, or for that matter senior management or the board, can truly internalize and act upon.
Skroupa: The human factor has received more attention recently. Is this a governance issue?
Dolan: I’ll give you a lawyerly answer—it depends.
On the one hand, a bad actor is going to try to do bad things regardless of what a policy says. On the other hand, one can anticipate these activities and establish a control framework designed to address the actions or mitigate their consequences. Governance and the technologies implementing or supporting policy also play a role in guiding the behavior of “good actor” employees. Cyber-security professionals must acknowledge that other employees are going to do the best they can to meet their business objectives, and that’s honorable. It’s up to us to ensure that they can do so, and understand how to do so, in a way that minimizes the risk to the organization.
For some organizations, this will require a shift in mindset—the IT department may not “own” in a traditional sense some of the information technologies employees are using, especially in the context of software as a service. But from my perspective, the CISO owns the responsibility of ensuring that an organization’s information security program, of which governance is a key component, encompasses, identifies, and reasonably mitigates all material information-security risks. And this means that program governance must have a scope beyond the traditional IT department purview to address the human factor.
Skroupa: Looking into the future, nascent technologies will embed cyber defense into business planning and process, enabling companies to have a fully integrated system of detection and response. Do you believe this innovation will disrupt and if so, in what manner?
Dolan: Vendors have long promised one-size-fits-all solutions, and none have delivered to date, so I hesitate to accept the premise of your question. What I think is important in this space is to be thoughtful, deliberative and recognize that technology solutions alone cannot provide the answer. For example, let’s say you collect sensitive information in the course of your business. Do you need it? And if so, how long do you need it in its current form? There very well may be reasons you need the personal data for a certain period of time, often driven by legal concerns, but the “big data” folks may not later need the personal component at all to accomplish their objectives. So keep the data, but eliminate the personal component. As with nearly all considerations in this space, this is easier said than done, but be smart about it and it can be.
Christopher P. Skroupa is the founder and CEO of Skytop Strategies, a global organizer of conferences.