Perspectives

The CLO strategist: Cybersecurity

A framework for CLOs to lead in developing an effective cyber strategy

The growing frequency and severity of cyberattacks have pushed cybersecurity higher on the agenda of C-suite executives, including chief legal officers (CLOs). Learn how CLOs can leverage cross-functional relationships to develop a strong cyber strategy for their organization.

What does a cybersecurity strategy mean from a CLO’s perspective?

It means predicting, managing, and balancing risk. But it also means helping leaders across the organization develop offensive and defensive game plans so they can:

  • Navigate the evolving regulatory landscape
  • Manage cyberthreats more effectively, starting with areas of greatest risk and value to the business
  • Plan for incident response so that it limits the impact of a data breach to the organization

Developing an effective strategy involves tackling cybersecurity by process rather than by organizational silo. Consider, for instance, the track that a customer’s data takes through the organization, from marketing and sales to finance to fulfillment and delivery—and that’s a simplified view. A dynamic approach like this can help build consistency, transparency, and defensibility into legal governance, risk, and compliance.

The costs of cyber incidents

Cyber incidents and breaches are common—and the threat is growing. Among C-level executives:

  • 72% of survey respondents say their organizations experienced between one and 10 cyber incidents and breaches in the previous year alone
  • 69% report an increase or significant increase in threats to their business between early 2020 and May 2021

Security breaches can lead to both direct costs—such as regulatory fines—and indirect costs—including lost contract revenue. The direct costs typically associated with cyber incidents are smaller than the indirect costs, such as brand impact. These costs play out over years rather than months; in fact, more than 50% of associated costs accrue after year one.

The five self-reinforcing choices

The CLO can develop a strong cyber strategy that is focused on both offense and defense and empowered by cross-functional relationships. To do so, consider the five self-reinforcing choices, which we’ve adapted from Lafley and Martin’s seminal guide:

  1. Vision
  2. Focus
  3. Value
  4. Capabilities
  5. Leadership

Let’s look at cyber strategy through the lens of these five choices:

1. Vision: Articulate a sense of purpose, define your aspirations, and describe what success looks like.

The CLO may seek to educate the board, senior management, and business unit leaders on the risks associated with a breach, the shifting regulatory environment, and the impact to the organization. At the same time, the CLO can learn from these same colleagues about the risks they’re seeing.

By fully integrating with leadership across the organization and endeavoring to understand specific business or functional considerations, the CLO can determine where the organization’s opportunities and vulnerabilities may lie. The credibility built through a focus on relationships also positions the CLO to proactively work with business leaders.

2. Focus: Clearly define what you will and won’t do.

The CLO may seek to untangle the rapidly evolving legal and regulatory framework around cybersecurity, reducing ambiguity for business colleagues internally as well as providing feedback to regulatory agencies externally.

CLOs can add value where the legal perspective can be most helpful, including issues of regulatory change and compliance. But it may also extend to insurance and managing risk in the third-party contracting process.

3. Value: Identify the differentiated contributions that enable competitive advantage.

The CLO and legal team can lend a risk-sensitive legal and regulatory perspective in areas where risks are increasing or changing, taking care to consider not only how to respond to current risk, but also how to position the organization to proactively avoid or address risk in a forward-looking way.

4. Capabilities: Determine existing and in-demand assets and competencies, then identify investments, processes, and technologies to support them.

The CLO is someone who views basic compliance as table stakes and understands relative risk sufficiently to work productively with colleagues and stakeholders internally and externally. One of the most important relationships the CLO should seek to build is with the chief information security officer (CISO). Together, the CLO and CISO can enable the organization to conduct business with risk-based protections.

CLOs may also look to appoint someone—whether internally or from outside counsel—to stay abreast of developments in cybersecurity, both from a proactive regulatory navigation perspective and from a risk and liability perspective. Either way, this resource needs a firm grasp of the company’s business operations and appetite for risk, particularly in the context of business continuity and disaster response.

5. Leadership: Consider the culture, talent, training, and behaviors necessary to enable success.

The CLO needs to play in many spaces—both offensive and defensive. This can include advising on contracting so that the organization has more flexibility in data usage, helping to manage exposure created through commercial contracts, identifying and prioritizing risk, and navigating the evolving regulatory environment. Since some of these areas often fall outside the legal team’s exclusive mandate, building influence will be key to helping the organization mature its approach to cybersecurity.

CLOs can set the example by being cyber savvy and creating opportunities for the legal team to develop its own knowledge of cyber, especially in the area of law the team practices in.

Putting strategy into action

Because cyber risk is a quickly and constantly evolving threat, strategy also must evolve. It’s not enough to simply have a strategy. Effective implementation and continuous reevaluation are necessary as well. To help strengthen the organization’s cyber hygiene, legal departments can:

Get the fundamentals right

  • Take an active role in privacy and build fraud-prevention controls (expect cyber incidents)
  • Continually communicate with and further train employees to take an active role in security
  • Stay apprised of and communicate changes in regulatory requirements to stakeholders

Set expectations internally and externally

  • Frame what the organization will do
  • Convey what it expects your customers or partners to do contractually
  • Identify and practice incident response

Build toward continuous improvement

  • Understand risk
  • Identify and prioritize significant risks
  • Analyze trends and drive actionable insights
  • Actively influence compliance with near-real-time awareness

Bridging the gap between security and business

The growing frequency and severity of cyberattacks have pushed cybersecurity higher on the agenda of the board and C-suite executives, including the CLO. An effective cyber strategy needn’t take the legal team into highly specialized IT territory, but it does require a basic familiarity with the issues and what they mean from a risk and compliance perspective. With that, the CLO can create a multidimensional approach and leverage key relationships to drive proactive and effective cybersecurity that is co-owned by leaders across the entire organization.