6 Relationships that Matter Most to Cyber Security

We learned some great stuff at our first Nimble Forum on September 14, 2017.  Here is the first of a few posts on the great discussions we had and the insight gained by all that attended.

Cyber security is a complex, multi-faceted problem.  There is not ONE owner, so many different departments across an organization have to come together to manage the risk.  It’s critical to be proactive and get these parties together and working to protect the organization BEFORE anything bad happens.  

1. Legal

Legal’s primary job in working to prevent a Cyber breach is to make sure all of the right functions are included and have a seat at the table.  Legal can help lead the group but Legal cannot effectively do all of the work on its own.   Facilitating data mapping (where are Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) stored), preparing a Data Breach Incident Response Plan, arming Supply Chain and HR with “Cyber Protection and Breach provisions” for every vendor or supplier contract that could involve PII or PHI, are all areas where legal has to take lead.  

2. Supply Chain

Managing the contracts with the suppliers who may gather and store sensitive data about your organization in the course of doing business.  When negotiating the contracts that define the business relationship, you have to think about how that data will be managed--language that governs how the data will be protected,  who is responsible and what is the process if the data is breached,  if the business relationship ends how/when must the third party destroy the data.  

3. IT

Information technology departments set the strategy for the technical side of protecting systems and data.  From firewalls to email filters, they try to keep the bad actors out of company systems.  They will know where all your internal data is. Hackers move fast--IT needs to stay educated.  And they should be involved any time data is going to be shared with a customer/supplier to be sure the third party has adequate controls.  IT should work with Supply Chain, HR, and Legal to audit the Information Security practices of all vendors and suppliers on a regular basis.   

4. HR

HR is accountable for some of the most super-secret data--PII--birthdates, social security numbers, etc. HR also has plenty of employee PHI.  It is essential that HR, IT, and Legal partner up on the TRAINING of the organization’s employees when it comes to Cyber Security.  Training is the most effective way to minimize Cyber threats.  HR should partner with each of the other functions listed to ensure that their internal processes and third party vendors are up to snuff.

5. Insurance and Risk Management (“IRM”)

IRM must be intimately involved in the drafting of the Data Breach Incident Response Plan.  In particular, working closely with Communications, IT, and Legal to develop a plan that has few holes.  IRM should lead the cross-functional team through annual Data Breach Incident tabletop exercises where representatives from each function act out how they would respond to an actual Data Breach.  This will help identify gaps and improve the organization’s ability to swiftly and confidently respond to an inevitable Data Breach. IRM must work with Legal and Supply Chain regarding Cyber insurance requirements the organization is requesting from its vendors and suppliers.  

6. Communications

Communications plays a key role in the internal and external statements regarding a Data Breach.  Communications working with HR and Legal should prepare draft internal and external statements regarding a Data Breach  Communications should identify any internal leaders that would perform well in front of cameras and under intense scrutiny.  It’s important to have those leaders identified now - not after a breach has already occurred.  Now is the time for training.  

Don’t wait for some other department to take ownership.  If your organization doesn’t have all of these functions, you should work with your third-party vendors that fill those roles.  Get the ball rolling and work together because a cyber breach is not the ideal time to make new friends.