
LAS VEGAS -- Chief security officers need to comb through the wording of the governmental and industry security regulations their businesses must comply with if they want to secure their networks and stay out of legal trouble.
The cost of failure to comply can hit close to home, as laws make corporate officers personally responsible for protecting sensitive financial and personal information handled by their data networks, attendees were told at Interop Las Vegas’s CSO Bootcamp.
“If I were 20 years younger I would be getting a law degree,” says Al Kirkpatrick, CISO for First American, one of the speakers at the event.
CSOs need to understand the regulations themselves and the requirements for proving they have complied and are continuing to improve network security, he says.
In addition, CSOs have to hire auditors to prove they are compliant, and that requires a whole separate set of legal challenges. “Now, on top of everything else, you have to become a contract lawyer,” he says.
Outside audits are necessary to know whether security programs are working, but they need to be done carefully. Contracts with auditors should lay down what exactly will be audited with clauses to shut down the audit if it disrupts or threatens the functioning of the network. “The last thing you want to do is open the doors and say 'wander around and call us when you’re done,'” he says.