Heading 1

Legal BlackBook

TM

OCTOBER 2018
DESIGNING HOW
CYBER LAWYERS AND
IT PROFESSIONALS INTERACT

Many people agree that the partnership could work better. Here’s a proposal to show the way.
By Dauna Williams
EFFECTIVE MANAGEMENT of a company’s cybersecurity and privacy risks requires a strong and straightforward partnership between IT and the law department. But no matter the organization, and regardless of whether you are an IT or a legal professional, both groups will acknowledge that improvements can be made in how they work together.
     Let’s start by reviewing some of the challenges.

Venus v. Mars
Lawyers and IT professionals come from very different disciplines, and little about their training overlaps. Typically, they don’t speak the same language, and they see the world through very different lenses. And yet, when it comes to cyber compliance, the perceived roles and responsibilities of these two departments can overlap. And if they are not speaking the same language, much less coordinating their efforts, the results can be duplicative actions, actions at cross-purposes or no action at all.

Designed v. Evolved
The EU’s General Data Protection Regulation (GDPR) calls for “privacy by design,” which implies an expectation of “controls by design.” The Federal Trade Commission and the New York State Department of Financial Services also call for proactively and intentionally designing security architecture. In contrast to this approach, compliance controls and workflows that have evolved over years (as opposed to being intentionally designed) may suffer the realities of evolution. By definition, evolution means that suboptimal processes will coexist with optimal ones, until the suboptimal ones are replaced. But within complex organizations, where change management can be difficult, “if it ain’t broke, don’t fix it” becomes a default philosophy, triggered by institutional compromise, inertia or lack of resources.
     Compliance workflows tend to grow organically, building on past regulatory solutions, as opposed to being intentionally designed for the “regulation du jour.” Back in the day, institutions saw cybersecurity as a technology problem—one for technologists to solve. And, honestly, few lawyers were comfortable enough with technology to feel up to the task. The resulting compliance workflows ended up mirroring these collective sentiments.
     Today, IT and legal professionals may be collaborating more often, but the holdover compliance workflows and mindsets that guide their behavior often remain, and they often are ill-designed to meet the growing complexity of today’s regulatory environment. New cybersecurity and data privacy regulations continue to come down the pike, and faster than in the past. And if these are simply incorporated into a system that didn’t work properly before they arrived, the company is prepping for more pain ahead.

A New Approach
So, what is the solution? One approach is the application of Lean design principles as a means of identifying and addressing points of compliance dysfunction between Legal and IT.
     Lean design is said to be more of a mindset than a method. It originated with Henry Ford, with his assembly line improvements, and was later enhanced by Toyota with the “Toyota Way.” It is a method of continuous improvement that maximizes value and process through the elimination of waste from an organization’s activities. The idea of continuous improvement and elimination of waste makes this a smart method for unwinding and streamlining the relationship between IT and legal professionals—especially when it comes to cyber compliance and response programs.
     While Lean has an entire science behind it, let’s consider a simplified process for the sake of illustration.

The Key Steps to Implement Lean

(1) Select a process that needs fixing. Pick a pain point that all acknowledge is not working smoothly and could stand improvement. Then break down that workflow to determine the processes necessary to get to a shared and valued goal.

(2) Map the current state and the desired future state. Once the processes have been identified, determine which are not valuable. Perhaps they are redundant or are in place only because of institutional habit or fear of letting go. Eliminate any wasteful activities or belief systems.

(3) Build for the future state. At this stage it’s important to push forward, keeping to your envisioned future state and avoiding veering away from your valued goal. What are the requirements necessary to transition to your future state? Will new policies and procedures be required? Will new checklists and new stakeholders be added to the mix? Will others be removed? Are new contract templates required? What about training? Does the future state eliminate stress, or redistribute it, creating new stress for others? Is it leveraging people’s strengths? Make certain that the proper people are performing the proper roles, and reassign tasks accordingly.

(4) Experiment. Here you implement your new processes, adjusting along the way to fix and refine whatever is not working in support of your goal.

(5) Repeat and improve. This is a journey, not a destination. As internal knowledge and organizational awareness grow, more opportunities will present themselves to further refine the process, to shift to better resources and to remove additional waste. Continuous improvement is an ongoing task, and it is this element that makes Lean so appealing for IT and Legal shared workflows. The history between the two departments requires structured collaboration in order to learn about each other and learn how to improve through repeated efforts.

The Collateral Benefits
You will strengthen roles and responsibilities. In many organizations, you may need to make room for additional legal risk assessment, which means getting more lawyers comfortable with assessing technological architecture and interrelationships to determine where risk is being generated. It also means that IT may need to relinquish certain decision-making, or have more conversations with Legal in the room than they used to have. The biggest cyber risks from a legal perspective are the risk of litigation and the risk to reputation. Class actions are expensive and a lot to manage, and any resulting judgments and/or regulatory fines are significant. The more that Legal can do at the compliance stage to help stave off litigation exposures and regulatory fines, the better it is for the entire organization.
    
You will remove the overlap. Most organizations manage cybersecurity by committee, with numerous stakeholders at the table. If they don’t understand how they are supposed to work together, what you may find is that everyone is shouting to be heard. Stalemates occur when stakeholders think that they own the same job. But compromises must be made for the betterment of the whole. By collaborating to create improvements and remove waste, the team will begin to see who does what better. Operating by committee will become a lot easier and more efficient as a result.
    
It is easy to learn using this system, and the results are contagious. No problem is too big or small. Given its simplicity, it does not require executive leadership or outside experts to implement, and actually may be most effective if carried out by middle management or the rank and file (i.e., the folks who suffer the most pain). And once there is one win for creating efficiency, the second project gets to ride on the coattails of the first.
   
It is a low-cost solution. One of the business activities that struggles for financing is compliance. A top-down “control by design” revamping could require third-party consultants, and the end result may be too disruptive. On the other hand, an internal team that is committed to ongoing Lean improvements can accomplish the same results, often baked into business-as-usual activities.

The Bottom Line
Leaner cyber compliance design needs to replace weaker legacy processes. It’s time for IT and legal professionals to improve their approach to shared workflows, remove wasteful overlap and learn how to problem-solve together. This will work best as part of a regularly scheduled project rather than under the pressure of meeting a regulatory deadline or responding to a data breach.

Dauna Williams has over 30 years of experience leading in-house and law firm IP, technology and privacy practices. She has also worked as a technology solutions architect, developing programs that focus on simplifying legal workflows using methodologies such as Lean and Agile. Williams is of counsel with Burgher Gray, LLP, in New York and heads its Technology, Privacy and Intellectual Property group.
Dauna Williams
Refining a workflow using Lean is a process, not a destination.
Don’t wait until you’re working under the pressure of a data breach.