The CLO strategist: Cybersecurity

A framework for CLOs to lead in developing an effective cyber strategy

The growing frequency and severity of cyberattacks have pushed cybersecurity higher on the agenda of C-suite executives, including chief legal officers (CLOs). Learn how CLOs can leverage cross-functional relationships to develop a strong cyber strategy for their organization.

What does a cybersecurity strategy mean from a CLO’s perspective?

It means predicting, managing, and balancing risk. But it also means helping leaders across the organization develop offensive and defensive game plans so they can:

  • Navigate the evolving regulatory landscape
  • Manage cyberthreats more effectively, starting with areas of greatest risk and value to the business
  • Plan for incident response so that it limits the impact of a data breach to the organization

Developing an effective strategy involves tackling cybersecurity by process rather than by organizational silo. Consider, for instance, the track that a customer’s data takes through the organization, from marketing and sales to finance to fulfillment and delivery, and that’s a simplified view. A dynamic approach like this can help build consistency, transparency, and defensibility into legal governance, risk, and compliance.

The costs of cyber incidents

Cyber incidents and breaches are common—and the threat is growing. Among C-level executives:

  • 72% of survey respondents say their organizations experienced between one and 10 cyber incidents and breaches in the previous year alone
  • 69% report an increase or significant increase in threats to their business between early 2020 and May 2021

Security breaches can lead to both direct costs, such as regulatory fines, and indirect costs, including lost contract revenue. The direct costs associated with cyber incidents are typically lower than indirect costs like brand impact. These costs play out over years, rather than months; in fact, more than 50% of associated costs accrue after year one.

The five self-reinforcing choices

The CLO can develop a strong cyber strategy that is focused on both offense and defense and empowered by cross-functional relationships. To do so, consider the five self-reinforcing choices, which we’ve adapted from Lafley and Martin’s seminal guide:

  1. Vision
  2. Focus
  3. Value
  4. Capabilities
  5. Leadership

Let’s look at cyber strategy through the lens of these five choices:

Putting strategy into action

Because cyber risk is a quickly and constantly evolving threat, strategy also must evolve. It’s not enough to simply have a strategy. Effective implementation and continuous reevaluation are necessary as well. To help strengthen the organization’s cyber hygiene, legal departments can:

Get the fundamentals right

  • Take an active role in privacy and build fraud-prevention controls (expect cyber incidents)
  • Continually communicate with and further train employees to take an active role in security
  • Stay apprised of and communicate changes in regulatory requirements to stakeholders

Set expectations internally and externally

  • Frame what the organization will do
  • Convey what it expects its customers or partners to do contractually
  • Identify and practice incident response

Build toward continuous improvement

  • Understand risk
  • Identify and prioritize significant risks
  • Analyze trends and drive actionable insights
  • Actively influence compliance with near-real-time awareness



Bridging the gap between security and business

The growing frequency and severity of cyberattacks have pushed cybersecurity higher on the agenda of the board and C-suite executives, including the CLO. An effective cyber strategy needn’t take the legal team into highly specialized IT territory, but it does require a basic familiarity with the issues and what they mean from a risk and compliance perspective. With that, the CLO can create a multidimensional approach and leverage key relationships toward proactive and effective cybersecurity co-owned by leaders across the entire organization.
