There’s a joke that’s been floating around boardrooms for years: “What’s the difference between lawyers and engineers? Lawyers don’t think they’re engineers.”
This light-hearted jab highlights a fundamental difference between the two professions. Engineers, and by extension CISOs, focus on building and fixing things, learning a wide array of skills, sometimes sticking their hands into technologies nobody trained them to handle. Lawyers, on the other hand, aim to find problems, navigate gray areas, and anticipate risks.
While these differences might seem like a recipe for conflict between the two professions, they can often lead to a strong partnership. By combining their skills, these two groups can navigate the ever-evolving intersection of technology, innovation, and regulation.
“Cybersecurity and data breaches are not just technical issues,” says Michael Welch, former CISO and managing director at MorganFranklin Consulting. “They can be intertwined with legal, regulatory, and reputational risks that require a collaborative, proactive approach.”
While the relationship between CISOs and their legal teams is essential, things don’t always go smoothly. Differing priorities and communication gaps can create tensions or even lead to conflict. However, strengthening this partnership is not just beneficial — it’s critical for the organization’s ability to manage risks and respond to complex cybersecurity and compliance challenges. And CISOs can do a few things to make this partnership work.
CISOs must have a relationship with Legal
When it comes to cybersecurity and privacy, new legislation is emerging at a swift pace across the globe. For companies, particularly those with international operations, staying informed about these changes is a prerequisite for compliance. Regular conversations between CISOs and their legal teams help organizations keep up.
“It’s good to be mindful in advance of the security and privacy requirements in the jurisdictions the organization is operating within, and to prepare possible responses should there be incidents that violate those laws and how to respond to those,” says Christine Bejerasco, CISO at WithSecure.
Of course, the conversation between the two parties goes more smoothly when a relationship already exists. If not, that relationship should be built. “Reaching out to legal experts should be as straightforward as reaching out to another colleague,” Bejerasco adds. “Just talk to them directly.”
When the relationship is just getting started, WithSecure’s CISO suggests finding some common ground to connect on. She also points out how important it is to communicate clearly and keep things straightforward. “For instance, during an incident, it’s good to get the facts on the table at the start of the conversation: the issue, the jurisdiction, the company impact of the incident and your intended response,” she says.
CISOs should frame conversations with lawyers as solution-oriented discussions focused on both immediate and long-term risk management, adds Welch. “By framing the conversation as a partnership where both sides are working toward the same goal of protecting the organization, the CISO can ensure that legal counsel is equipped to offer timely, informed advice that aligns with both security and business objectives.”
Avoid the “rubber stamp” mentality
Legal teams are not there to simply greenlight decisions but to provide insight, mitigate risks, and to help the company adhere to regulations. “One sure way to damage a relationship with Legal is by treating Legal as a ‘rubber stamp,’” says Trevin Edgeworth, red team practice director at BishopFox and former CSO.
When lawyers are expected to simply provide approvals, they may feel frustrated and undervalued. CISOs who fail to involve them throughout the process risk unintentionally signaling a lack of respect for the critical expertise these professionals have.
“If they feel their role is reduced to mere approvals without meaningful engagement, they’re unlikely to prioritize your efforts or view them as collaborative,” Edgeworth adds. “A successful partnership requires mutual respect, open communication, and ongoing collaboration.”
Don’t try to “handle it”
Of course, sweeping issues under the rug is not the way to go. Legal departments must be involved early on in case of a crisis to guide the tech teams through regulatory and compliance complexities and to help them protect confidential information.
“Don’t follow the fix it first, tell them later mentality,” says Welch. “Engage Legal at the outset to ensure a coordinated response and document everything.” He adds that waiting before engaging the Legal department could cause delays in meeting mandatory reporting deadlines, which can lead to risks for the organization.
Transparency should also be part of the mindset. “The CISO needs to be transparent, sharing relevant information without overwhelming Legal with technical jargon,” says Welch.
When it comes to full transparency, Bejerasco recommends that CISOs be open about what they know and what they don’t know. “These lawyers are there to protect the organization the same way as you, the security people, are there to protect the organization,” she says. “At a high level, you have the same mission. When in doubt, remind yourselves to go back to that common mission so that the job gets smoother moving forward.”
Stay in your lane
Some CISOs have a legal background or extensive experience working with general counsel. However, this does not mean they should act as legal advisors or take on responsibilities outside their role. “It is important to respect boundaries and not overstep job functions,” says Stacey Cameron, CISO at Halcyon. “There’s nothing wrong with differing opinions, interpretations, or healthy discussions, but for legal matters, it will be the lawyers’ responsibility to make a case on behalf of the company, so we need to respect each other’s roles and stay in our respective lanes.”
According to Cameron, overstepping boundaries is one of the biggest mistakes CISOs can make when they are trying to build a relationship with their organization’s lawyers. “Lawyers spend the bulk of their time staying current on laws applicable to the organization, building/reviewing contractual agreements, SLAs, MSAs, company policies, business structure, patents, and additional tasks to make sure the company is operating successfully and maintaining a strong reputation,” she says. “When CISOs begin making internal/external decisions that conflict with other areas within the organization, it can cause confusion and may lead to future legal problems.”
Whether done intentionally or not, this can strain the relationship between the CISO and the legal team, a situation that might prove tough to mend. “The lack of trust is often difficult to rebuild and can lead to organizational-wide difficulties,” Cameron adds.
Organize cross-training sessions
Both teams — lawyers and security experts — can collaborate by sharing their expertise and educating one another. “Run tabletop exercises that simulate data breaches or security incidents,” says Welch. “This will help the CISO and the legal team understand each other’s roles and responsibilities in such situations.”
Andy Lunsford, founder of BreachRx, suggests running incident simulations across the business at quarterly intervals, involving both legal experts and security experts. He also suggests conducting realistic training sessions that expose teams to legal scenarios: “Run a deposition workshop for CISOs/security teams to show them how easily the work that is done by their teams can be used against them in court.”
While security and legal teams might be worlds apart, it’s useful to keep in mind that they share common ground. “Both are focused on protecting the organization by identifying, assessing, and mitigating risks. Both ensure adherence to external and internal rules to avoid regulatory or reputational harm. And both face the ongoing challenge of balancing organizational protection with supporting strategic business objectives,” Edgeworth says.
Build collaboration into your daily routine
In their book The Friction Project, Stanford professors Robert I. Sutton and Huggy Rao argue that great leaders “make the right things easy and the wrong things hard.” If we follow this advice, it becomes clear that one way to foster collaboration between CISOs and legal teams is to create systems and processes that would help streamline it.
“Implement a secure out-of-band communication platform specifically designed for incident response, crisis management, and ongoing security discussions,” Welch says. “This will enable real-time updates, document sharing, and collaborative decision-making.”
He also recommends organizations set up a clear process for escalating security issues to legal to ensure that legal experts are brought in early when things like a potential breach are detected. “By creating a structured channel for communication, separate from email or informal messaging, you can be aligned without the risk of missing crucial details, ensuring timely and informed decision-making during high-pressure situations,” he adds.
Edgeworth suggests going a step further. He invited the company’s legal experts to attend his red team’s weekly calls once every month. “When I first mentioned this change, my team looked at me wide-eyed questioning my sanity, but they quickly recognized the value,” he says. “Legal helped us avoid mistakes in planning, executing, and reporting adversarial operations, particularly by encouraging factual, objective reporting.”
Knowledge transfer can also happen whenever needed, even outside of structured activities. Cybersecurity experts don’t typically have formal training in the legal aspects of their work, and they need it. “The letter of the law is alien to most of them,” Bejerasco says. Her advice is to be open to learning and ask questions whenever they need clarifications.
Involve legal experts as often as needed
Legal teams can offer their perspective on a wide array of tasks. They can review contracts with third-party vendors or service providers to ensure that data protection and breach notification clauses are included. They can help with compliance and offer their insights when it comes to potential risks the organization might face.
“Try to involve Legal in discussions about emerging risks, key strategic decisions, and projects such as red team operations that tend to uncover or potentially even create organizational risks if you’re not careful,” Edgeworth says.
Legal teams can help CISOs identify risks early and avoid operational or financial inefficiencies before a security initiative is delivered to the business. “Consider involving your Legal team early in the development and execution of security initiatives,” says Welch’s colleague, Kevin McGovern, who is a senior director for strategy and risk. “Endorsing this kind of partnership will build mutual trust and shared institutional knowledge that results in better, more effective solutions for the business.”
Bond over beers
Don’t underestimate the power of a good chat over coffee — or a beer. Sometimes, collaboration happens in a relaxed setting. “Legal folks are people too,” says Bejerasco. “Having beers and discussion with them makes you see a different perspective to the work they have, and how they perceive some of the legislation that has caused compliance pains to the rest of us.”
After doing this herself, she was surprised that legal experts “are not as frustrated with the increased requirements as I was! Mind blown.”
Cameron agrees, noting that one activity that helped her team build a strong bond with legal experts was none other than karaoke nights.
Edgeworth also sees the potential of informal activities for building stronger relationships: “Build personal rapport with Legal by treating Legal as a vital partner rather than an obstacle,” he says. “A strong interpersonal connection just tends to make collaboration so much smoother.”
By stepping out of formal settings, both sides can gain fresh perspectives and build the trust needed to tackle challenges together. Sometimes, just sitting down and having a laid-back conversation can yield impactful results.