
No More ‘Ship, Then Fix’: Why GCs Should Lead the Charge in Cybersecurity

Increasing regulations in the tech industry make cybersecurity efforts more important than ever. Here’s why general counsels should ensure all company leaders are educated about their business’ software development and risks.

Authors

  • Danielle Sheer

    Chief Legal and Compliance Officer

    Commvault

Privacy & Cybersecurity

As regulations demand more transparency around cyber incidents and require disclosure of the programs a company uses to manage cybersecurity risk, it has become well established that boards of directors and executives must be actively involved in those risk management efforts.

But… how exactly?

Let’s make this relatable and compare a company to a house. The ultimate responsibility for the safety and security of that house lies with the adults who live in it. If you leave the stove on, the doors unlocked, or the water running, you cannot rely on or blame the gas company, the alarm vendor, or the plumber. It is ultimately your responsibility to make sure you’re using the stove safely, the doors are locked before you go to sleep at night, and the faucets are turned off.

Let’s expand this analogy and say you run an ice cream company. Your ice cream cannot make people sick, right? To ensure Americans weren’t consuming adulterated food, Congress passed the Pure Food and Drug Act in 1906, the law that gave rise to what became the Food and Drug Administration (the agency took that name in 1930). The act replaced “over 100 bills… that aimed to rein in long-standing, serious abuses in the consumer product marketplace.”

Let’s take something even more relevant to our world today. You run an airplane manufacturing company. Your airplanes have to be constructed so they don’t fall apart. The Federal Aviation Act of 1958 created the Federal Aviation Agency (now the Federal Aviation Administration) to oversee “the safe and efficient use of national airspace.”

If you live in a house, if you eat ice cream, and if you’ve ever flown on a plane, these examples all make sense to you.


Key Takeaways:

  • The tech industry has been living in an era of “ship, then fix,” but with an influx of regulations around software development and cybersecurity, company leaders must be actively involved in cybersecurity risk management efforts.

  • To truly mitigate risks, all executives and board directors, even those without a technical background, must understand the tech and its development process.

  • GCs often act as translators between functions, so they can add incredible value to the business by leading cross-functional teams in cybersecurity education efforts.

  • Tactical steps include educating leaders on key risks in products, informing the board of recent regulations and cybersecurity news, and asking board directors to share what they’re seeing at other companies.



Now, let’s talk about developing and selling a software product. Many of us have been living in the high-tech era of “ship, then fix.” But we are also living in the era of ransomware attacks, daily cybersecurity incidents, and theft of personal data and personal identity. If at-risk ice cream can’t hit the market, why should at-risk software get to?

Governments around the world, industry bodies, and 15 U.S. states have produced an explosion of legislation, standards, and regulation governing software and the software development process. Complying with this myriad of overlapping requirements is itself a significant challenge. It sounds to me like the same fragmentation of rules that inspired the Pure Food and Drug Act in 1906.

I hope that a single national or governing regulation is in our future, for all the reasons why it was good for food, consumer products, and airplanes. But in the meantime, while we’re waiting for regulation to catch up to reality, I want to focus on a narrower question: How should our board and executives engage with this problem?

It is the question du jour and has a very simple answer, although not so simple to execute.

Know. Your. Business.

What does that mean?

If your company sold ice cream, it seems obvious that the board and management need to understand how ice cream is made safely so that the product doesn’t harm its customers.

If you are selling planes, the board and management need to understand how a plane is built to operate safely, too.

This is no different for the development of software. The fact that a director or a member of management isn’t a trained engineer or developer doesn’t give them a pass on understanding what the product is, what risks are inherent in how it’s built, and what harm can come from using it.

As corporate leaders, it is our job to know our business. And as general counsel, the great translator between so many different functions, you can help.

GCs can create the environment for, and enable, discussions that educate boards and corporate leaders on the key risks in their products, and they can lead the cross-functional communication needed to explain those risks and advocate for their remediation.

GCs can also brief boards on global privacy and cybersecurity regulations, discuss relevant news from recent ransomware or other cyber attacks, and review what can be learned from these unfortunate situations. Ask directors to share what they are learning from the other boards they sit on, too.

We can all do better. When I think about ways the GC can add value to the business, this is at the top of the list.


About The L Suite

Called “the gold standard for legal peer groups” and “one of the best professional growth investments an in-house attorney can make,” The L Suite is an invitation-only community for in-house legal executives. Over 2,000 members have access to 300+ world-class events per year, a robust online platform where leaders ask and answer pressing questions and share exclusive resources, and industry- and location-based salary survey data.

For more information, visit lsuite.co.