SecureWorld celebrated its 15th year in Seattle this week, with a wide range of sessions on everything from cloud management to how Edgar Allan Poe relates to cybersecurity. It’s clear how legal counsel fits into cybersecurity, but what about their role before you ever even get hit with a subpoena? And how does trauma relate to cybersecurity?
The Attorney’s Role
With so much information provided by different government standards, industry best practices, and cybersecurity frameworks, how do you protect yourself from attack when there is so much knowledge to sift through? On top of that, the current FTC standards are derived from the culmination of more than 60 different settlements and lawsuits.
But even if your organization is trying its best to comply, if you pick and choose certain recommendations and then get breached, you will be liable for the processes you didn’t adopt.
Jake Bernstein, Attorney at Newman Du Wors, says to “keep the security assessment process from start to finish as confidential as you can,” in order to stay on the ‘due diligence’ side of the equation, and away from ‘gross negligence’.
By creating your cybersecurity response plan with your legal team, and including them in the assessment process, all of your documents and communications fall under attorney-client privilege (ACP), rendering them private and confidential in court.
Trauma and Cybersecurity
When Vanessa Pegueros, CISO at DocuSign, was reading up on trauma, she noticed distinct parallels between how trauma impacts individuals and how cyber-attacks impact organizations.
When people experience trauma they often relive the event, feel hyper-aroused, develop negative thoughts and beliefs, and avoid trauma triggers. And of course there’s the classic fight, flight, or freeze mode.
After a cyber-attack occurs, have you ever seen anyone in your office become paranoid that another attack will occur, feel a deep sense of helplessness, or become obsessed with attribution? These feelings are extremely common in trauma victims, and are often how people feel after they’ve been attacked as well.
Pegueros says that it’s important to have your communication plan ready and to educate executives on the impacts of trauma and how to avoid creating more of it, should a breach occur. “The only way to not go into fight or flight mode is to practice, practice, practice,” she says.