Building Relationships – Legal Team

03/16/2010 | Adam Cardinal

If you’ve spent the last year (as I have) coming up with ways to do more with less, you’ve realized that it’s better to identify and leverage stakeholders with common goals than to vainly hope to add staff to your team. It would be easier if those stakeholders were proactively reaching out to you, but that rarely happens. Identifying those strategic relationships and investing in them in advance is often the most effective way to ensure success.

Information Security and the Legal team have many areas of common focus. Both need to develop structure in advance to protect the enterprise: Information Security by defining key technology controls, and Legal by defining the contract language, agreements, and disclosures required to ensure informed consent and mutual agreement. Information Security and Legal are often brought in by other groups only when specifically needed, and not necessarily in advance of business projects, initiatives or negotiations where they may have important insights. Both teams must be tactical and address the business needs in a compressed time-frame. Frequently, both InfoSec & Legal look to the business to provide better forecasting of when and how much of their resources will be needed, often with little feedback. Articulating these commonalities can be a key way to develop some ongoing points of interaction and cooperation.

  1. Define an ongoing update process – Find out how the Legal team is notified of upcoming contract and agreement requests and get plugged into that process. Create regular update meetings where you notify the Legal team of projects where their expertise may be needed and gain insight into their current initiatives that may benefit from your support. If you have a notification process they can leverage, be sure to volunteer access and training.
  2. Create process gates – Determine if specific points or milestones in your processes require verification of the Legal team’s involvement. Ensure that proper engagements have been performed prior to granting signoff on security deliverables and request that Legal do the same.
  3. Define subject matter expertise – If the Legal team is responsible for defining outsourcing contracts and master services agreements, they’ve encountered security addendums. Helping them define which contracts necessitate security language, and the classes of security language required, helps the Legal team start negotiations in an informed way. The Information Security team can also help the Legal and business teams set service level agreements and quality benchmarks, thereby developing stronger, more dependable contracts. Giving the Legal team the tools to build those addendums in advance helps reduce the strain on your team, especially where time-frames are tight and Information Security resources stretched.
  4. Create shared calendars – Don’t be caught by surprise when contracts expire. Set shared reminders to revisit contracts and vendor relationships before they are renewed. The period before renewal is the time to determine if changes in regulation or industry practice will require updates to contract language, service level agreements, or security language. It also creates key reminders that new vendors may be considered and an opportunity to guide the business on new considerations for building RFP/RFI language.
  5. Share regulatory and legislative insights – Legal compliance is a complex subject. The Legal team likely understands what is required while the Security team understands how compliance can be achieved and evidenced. Educate the subject matter experts on how you can help them define management priorities and guide the submission of legislative comments, if necessary.

Legal and Security share the burden of being cost centers, not revenue centers. They are a necessary evil for most businesses. Taking steps to improve efficiency, decrease business reporting requirements, and cooperate in achieving business goals improves the stature of both teams. By sharing business intelligence, both teams can transform themselves from reactive order takers and process drags into proactive business enablers and strategic partners integral to keeping the business competitive and risk averse.
