In the 1991 version of Father of the Bride, Steve Martin asks his future son-in-law about his “independent communications consultant” job. The young man reluctantly shifts in his chair, acknowledges that his job sounds “made up,” and then attempts an explanation. Being a “cybersecurity” lawyer is equally difficult to explain in an “elevator pitch” and sometimes awkward given the inability to identify clients without suggesting some sort of compromise.
For technology vendors or developers, a cybersecurity lawyer’s role is easily explainable. The cybersecurity lawyer often performs one of four functions: 1) Draft and negotiate different types of agreements such as “Terms of Use,” “Software-as-a-Service,” and “end-user license agreements” (all of which are very similar); 2) Study data-use and data-custody processes to ensure compliance with various civil regulations; 3) Prevent, mitigate, and respond to incidents; and 4) Provide litigation support (if tasks 1-3 cannot prevent litigation).
For non-technology-focused businesses, defining the role is more difficult. But in its most fundamental terms, cybersecurity attorneys are interpreters trying to keep their clients subpoena-free and away from the courthouse. My other niche-loving colleagues and I understand enough technology terms and concepts to communicate effectively with information technology and cybersecurity professionals. The attorney’s role is invoked when those professionals need to relay concerns, needs, and plans to decision-makers within an organization.
Most entities fail to realize that the “bad guys” sitting behind computer screens with devilish looks of excitement while choosing ransom demands are only 50% of the cybersecurity problem. The other half of the problem stems from internal leadership such as boards of directors, entity presidents, and other executive-level decision-makers whose backgrounds are in business, the hard sciences, and/or finance.
Although they play a vital role in operability, these individuals often lack knowledge beyond the notion that “cybersecurity is [insert varying degree of] important.” And without informed consent (a favored phrase and concept), these same people cannot justify the level of annual expenditure, and sometimes operational inconvenience, required to harden their networks against malicious actors and prevent liability inquisitions.
Just as any business hires consultants to conduct market studies for pricing adjustments or to identify redundancies impeding efficiency, the interpreter side of the cybersecurity attorney’s role is to translate the risks to executives and their boards in an understandable manner. And while critics argue that IT staff should learn to speak plain English to convey their message, this is a flawed rationale.
With a significant workforce gap in cybersecurity and the pace at which technology changes, IT professionals need to focus solely on their craft. It is the attorney’s role to read the case law (which is still unsettled or wholly unaddressed in most jurisdictions), negotiate with insurers, improve third-party agreements, and decipher regulatory principles in order to offer guidance on business-minded investment-to-risk ratios in terms of financial and human capital.
Over-burdening the technology professionals, or ignoring the infrastructure needs they advocate, will cause them to leave for that higher-paying, remote-work position offered by a Palo Alto powerhouse. And then, when that individual cannot be suitably replaced with a lateral hire, the entity will spend more on recruiting and training new blood or on retaining third-party vendors who will demand the same infrastructure changes before agreeing to offer services.