
The CISO Legal Partnership by Alejandro Villegas

Alejandro Villegas has 10+ years of cyber security experience working for leading enterprises such as Amazon, Microsoft, Hewlett Packard and cPanel, among other IT companies. Alejandro has held various security engineering positions and has substantial experience in Secure Development Lifecycle, Operational & Network Security, Penetration Testing, Threat Modeling, Incident Response, Digital Forensics and Compliance. He holds a JD in Cyber Security and Intellectual Property, an MBA in Economics, an MS in Information Assurance and Digital Forensics, and a BBA in Computer Information Systems. He also holds security industry certifications such as CISSP, CISA, CEH, CHFI, ECSA, LPT, MCITP:EA and BSI Lead Auditor for ISO 27001:2013.

1. THE CISO LEGAL PARTNERSHIP: What CISOs Can Do Better
2. DISCLAIMER: The views and opinions expressed in this presentation represent my personal and professional experiences and do not necessarily reflect the opinion or position of my current or previous employers and/or educational institutions.
3. SPEAKER: ALEJANDRO VILLEGAS, Ethical Hacker with a Business and Legal Education
   - Seasoned cyber security engineer with over a decade of experience working for various leading tech companies.
   - Law school graduate.
   - Education: JD, MBA, MS, BBA
   - Certifications: CEH, CISSP, CISA, CHFI, ECSA, LPT, MCITP, ISO 27K Lead Auditor.
4. QUESTION: Raise your hand if you are 100% assured that your company will never experience a security breach.
5. OPERATIONAL TRIFECTA: Engineering, Business, Legal
6. WHY A LEGAL PARTNERSHIP? Cyber security has become a predominant challenge for organizations responsible for protecting and safeguarding customer data, such as Cloud Service Providers (CSPs). Attorneys serve a critical function in ensuring that companies conduct due diligence and adhere to the cyber security requirements mandated by local, national, international and industry information security frameworks.
7. RELEVANT COURT CASES
   - SONY: Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 962 (S.D. Cal. 2014)
   - TARGET: Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1177–78 (D. Minn. 2014)
   - TJ MAXX: TJX Co. Retail Sec. Breach Litig., 524 F. Supp. 2d 83 (D. Mass. 2007)
8. ASSUME SECURITY BREACH: Proactive engagement with Legal. Pre-breach, continuous interaction with Legal. Always assume a security breach.
9. THE LEGAL LIFECYCLE
   - Avoid reactive attorney engagement (Incident Response phase).
   - Attorney engagement throughout the entire Software Development Lifecycle.
   - Attorney engagement throughout the entire Secure Operations Lifecycle.
10. QUESTION: How often do you proactively talk to your attorneys?
11. END TO END LEGAL DILIGENCE: Attorney roles are Advisory, Compliance, Drafting, Audit and Litigation. CISOs must partner with attorneys on every applicable role.
12. ATTORNEY ADVISORY ROLE
   - Proactively discuss cyber security challenges such as ransomware.
   - Determine whether you should pursue security breach insurance.
   - Discuss your cyber security program with your attorneys.
13. ATTORNEY ADVISORY ROLE (continued)
   - Cyber Security Incident Response Plan
   - Cyber Security Liability Insurance
   - Post-Attack Public Relations
   - Cooperation with Law Enforcement (Apple)
   - Reporting Cyber Crimes
14. ATTORNEY COMPLIANCE ROLE
   - Discuss which security compliance certifications are worth pursuing and which are not.
   - What is the cost of non-compliance?
   - How do you plan to be continuously compliant, not just during audit engagements?
   - Talk about the Security vs. Compliance dilemma.
15. ATTORNEY COMPLIANCE ROLE (continued)
   - National cyber security compliance: FISMA, FedRAMP, CJIS (FBI), NIST SP 800-53.
   - International cyber security compliance: ISO 27001, ISO 27018, EUMC, GDPR.
   - Territorial cyber security compliance: MTCS (Singapore), IRAP (Australia), UK G-Cloud.
   - Industry cyber security compliance: HIPAA, PCI DSS.
16. ATTORNEY DRAFTING ROLE
   - Review contract security addenda from a security engineering perspective.
   - Evaluate the feasibility of the clauses and contract obligations.
   - Determine whether you are prepared to meet the security contract requirements.
   - Are you getting the right assurances from your vendors?
17. ATTORNEY DRAFTING ROLE (continued)
   - Do the cyber security provisions make sense to engineers?
   - Do the cyber security controls address the risk adequately?
   - Are both parties equally agreeing to manage the cyber security risks?
   - Is it best to use broad language?
   - Is staying silent on a specific provision the best approach?
18. ATTORNEY AUDIT ROLE
   - Are you comfortable with the Right to Audit clauses?
   - Can your company manage multiple concurrent audits?
   - Have you considered the legal implications of audit findings?
   - Are your audit papers and artifacts protected by attorney-client privilege (ACP)?
19. ATTORNEY AUDIT ROLE (continued)
   - Terms of Right to Audit
   - Duration of the audit(s)
   - Scope of the audit(s)
   - Limit the number of concurrent audits
20. ATTORNEY LITIGATION ROLE
   - Are you currently conducting due diligence throughout your entire engineering lifecycle?
   - Are you prepared for a subpoena or a deposition?
   - Do you adequately invoke attorney-client privilege during your day-to-day security operations?
   - Proactively talk about litigation strategies.
21. ATTORNEY LITIGATION ROLE (continued)
   - The value of due diligence: pre, during and post security breach
   - Diligence vs. Negligence
22. VENDOR MANAGEMENT (Vendor Security)
   - Do your vendors meet the same security bar as your company?
   - How often do you audit vendor security compliance?
   - Do your vendors have vendors? Do they also meet the security bar?
23. QUESTION: Do you get involved in the attorney recruitment process?
24. HIRE ENGINEER ATTORNEYS: Patent attorneys generally have a science background in order to prosecute patents before the US Patent Office. Cyber security attorneys must likewise be qualified to understand the engineering intricacies of your cyber security program.
25. END TO END LEGAL PARTNERSHIP: Ultimately you must proactively engage your legal team and leverage your attorneys throughout the entire lifecycle of your security engineering operations. Conduct end-to-end legal cyber security due diligence!
26. Q & A
