Cyber Risk Preparedness: The General Counsel’s Responsibility

Published
November 6, 2023

Sean Steele is co-founder and managing
partner at Infolock.

In today’s increasingly regulated business climate, cyber risk—specifically data risk—is a top priority. The general counsel (GC) has a critical role to play in cyber and data risk preparedness.

As the legal officer of the company, the GC is responsible for ensuring that the organization complies with all applicable laws and regulations. They must ensure the organization has the appropriate policies and procedures in place to protect its data and operations. They need to monitor governance and oversight without complicating either function.

The GC also plays a key role in communicating cyber and data risk to the board of directors and senior management. They must be able to explain the risks in clear and concise terms and recommend practical steps that the company can take to mitigate those risks.

GC As “Chief Proactive Risk Management” Officer

In my almost 20 years running a data risk management consulting firm, I’ve come to understand that the GC’s role in cyber risk preparedness is:
  • Widely misunderstood and undervalued
  • Essential

Beyond board and C-suite (CEO, COO, CFO) awareness, the most important factor in overall cybersecurity outcomes is the involvement of and leadership from the chief legal officer’s/GC’s office. Without it, few organizations can build or maintain effective, layered defenses, and fewer still can successfully recover from a data breach or security crisis.

Four Steps To Better Prep

There are four specific steps that the GC can take to ensure improved cyber risk preparedness:

1. Understand your cyber risk and data risk profile.

Malicious insiders and external hackers are trying to steal your sensitive data to ransom it, knock it offline, sell it or otherwise compromise your organization. The GC must work with the CISO’s office and IT to identify the company’s most critical data assets and threats to those assets. The problem has always been: How do you get started?

One solution is to perform business unit data risk assessments (BUDRAs) to scope, discover, classify and analyze the sensitive data assets of a single business unit. When approaching this solution, start small. Investigate business processes and data assets that are:
  • Business-confidential (trade secrets, proprietary intellectual property, unique know-how and specialized knowledge, for example)
  • Contractually protected (such as M&A documentation, business partner confidential SLAs and internal SLAs)
  • Regulated (like personal health information under HIPAA, personally identifiable information, payment card industry, California Privacy Rights Act, Virginia Consumer Data Protection Act, etc.)

Review who has access to this data and why. Analyze how the data is collected, stored, processed, shared and deleted.

2. Develop and implement a data-focused cybersecurity plan.

The GC must be actively involved in driving the creation of a plan for cyber defense, data security, incident response, employee training, executive reporting and crisis communication.

Several years ago, we worked with a large transportation logistics company to create a data-centric cybersecurity program using our own security controls framework aligned with their existing information security management system (ISMS). At a certain point in our program development efforts, organizational leaders began to “tune out” of the process.

We’ve found that one effective way to combat that disengagement is to have the chief legal officer hold a workshop for senior leaders. In doing so, prepare the officer to focus on how each executive’s “focus area” is dependent on a mature, effective cybersecurity program. This can help encourage a surge of involvement from the very top, carrying your team through the process and over the finish line.

3. Communicate cyber risk to the board, senior executives and regulators.

The GC must be able to explain the company’s cyber risk in clear and concise terms, and they should recommend steps that the company can take to mitigate those risks.

Consider the implementation of training cohorts to achieve this goal, and remember that participants will come from widely varied backgrounds and motivation levels. For example, one of our recent training cohorts (from an insurance carrier client) had course participants from across its legal, compliance, risk management, cybersecurity, IT and HR departments.

The organization had suffered a recent data breach. The audit committee’s investigation with an outside firm pointed to failures in how the organization managed and reported on risk.

In instances like these, build a baseline, shared understanding of why cybersecurity risk reporting and risk management efforts were critical in the scenario, what was required, who was responsible (and accountable), what needed to happen and when, how disclosures were to be made and what types of follow-up were required.

4. Network with peers, share information and stay current on cyber threats.

The GC is ultimately responsible, along with senior executives, for defining an organization’s risk appetite, tolerance levels and thresholds. The GC must “digitally transform” to the same extent organizations have digitally transformed their infrastructure and operations.

One way to support this transformation is through targeted organizational change management consulting. Even if a GC understands how their role has changed, they may lack a clear plan for “up-skilling” personally or redirecting the legal department to prioritize cybersecurity risk and concerns.

Assess the GC’s professional capabilities and knowledge as well as the organization’s structure, and perform an organizational network analysis (ONA). We’ve found it’s effective to devise a “get-better” plan (including detailed action steps and an overall program timeline) aimed at getting the team “leveled up” within a reasonable timeframe—nine months, based on my experience.

Wrapping Up

By taking these four steps, the general counsel/chief legal officer can help to ensure that the organization is prepared for cybersecurity threats and data risks. This proactive approach can help inform board members and senior executives, support better risk decision-making and protect the organization’s data, reputation and bottom line.

This article originally appeared on Forbes.com.
