Alejandro Villegas has 10+ years of cyber security experience working for leading enterprises such as Amazon, Microsoft, Hewlett Packard, cPanel, among other IT companies. Alejandro has held various security engineering positions and has substantial experience in Secure Development Lifecycle, Operational & Network Security, Penetration Testing, Threat Modeling, Incident Response, Digital Forensics and Compliance. He has a JD in Cyber Security and Intellectual Property, MBA in Economics, MS in Information Assurance and Digital Forensics, and a BBA in Computer Information Systems. He also holds security industry certifications such as CISSP, CISA, CEH, CHFI, ECSA, LPT, MCITP:EA and BSI Lead Auditor for ISO 27001:2013.
2. DISCLAIMER
The views and opinions expressed during this presentation represent my personal and professional experiences and do not necessarily reflect the opinion or position of my current or previous employers, and/or educational institutions.
3. SPEAKER: ALEJANDRO VILLEGAS
Ethical Hacker with a Business and Legal Education
• Seasoned Cyber Security Engineer with over a decade of experience working for various leading tech companies.
• Law school graduate.
• Education: JD, MBA, MS, BBA
• Certifications: CEH, CISSP, CISA, CHFI, ECSA, LPT, MCITP, ISO 27K Lead Auditor.
4. QUESTION
Raise your hand if you are 100% assured that your company will never experience a security breach.
6. WHY A LEGAL PARTNERSHIP?
Cyber Security has become a predominant challenge for organizations responsible for protecting and safeguarding customer data, such as Cloud Service Providers (CSPs).
Attorneys serve a critical function ensuring that companies conduct due diligence and adhere to the cyber security requirements mandated by local, national, international and industry information security frameworks.
7. RELEVANT COURT CASES
SONY: Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 962 (S.D.Cal.2014)
TARGET: Target Corp. Customer Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1177–78 (D.Minn.2014)
TJMAXX: TJX Co. Retail Sec. Breach Litig., 524 F. Supp. 2d 83 (D. Mass. 2007)
8. ASSUME SECURITY BREACH
Proactive engagement with Legal.
Pre-breach continuous interaction with Legal.
Always assume security breach.
9. THE LEGAL LIFECYCLE
Avoid reactive attorney engagement (Incident Response Phase).
Attorney engagement throughout the entire Software Development Lifecycle.
Attorney engagement throughout the entire Secure Operations Lifecycle.
11. END TO END LEGAL DILIGENCE
Attorney Roles: Advisory, Compliance, Drafting, Audit, Litigation.
CISOs must partner with attorneys on every applicable role.
12. ATTORNEY ADVISORY ROLE
Proactively discuss cyber security challenges such as Ransomware.
Determine whether you should pursue security breach insurance.
Discuss your cyber security program with your attorneys.
13. ATTORNEY ADVISORY ROLE
Cyber Security Incident Response Plan
Cyber Security Liability Insurance
Post-Attack Public Relations
Cooperation with Law Enforcement (Apple)
Reporting Cyber Crimes
14. ATTORNEY COMPLIANCE ROLE
Discuss what security compliance certifications are worth pursuing and which ones are not.
What is the cost of non-compliance?
How do you plan to be continuously compliant, not just during the audit engagements?
Talk about the Security vs Compliance dilemma.
15. ATTORNEY COMPLIANCE ROLE
National Cyber Security Compliance: FISMA, FedRAMP, CJIS (FBI), NIST 800-53.
International Cyber Security Compliance: ISO 27001, ISO 27018, EUMC, GDPR.
Territorial Cyber Security Compliance: MTCS Singapore, IRAP Australia, UK G-Cloud.
Industry Cyber Security Compliance: HIPAA, PCI.
16. ATTORNEY DRAFTING ROLE
Review contract security addendums from a security engineering perspective.
Evaluate the feasibility of the clauses and contract obligations.
Determine if you are prepared to meet the security contract requirements.
Are you getting the right assurances from your vendors?
17. ATTORNEY DRAFTING ROLE
Do the cyber security provisions make sense to engineers?
Do the cyber security controls address the risk adequately?
Are both parties equally agreeing to manage the cyber security risks?
Is it best to use broad language?
Is staying silent on a specific provision the best approach?
18. ATTORNEY AUDIT ROLE
Are you comfortable with the Right to Audit clauses?
Can your company manage multiple concurrent audits?
Have you considered the legal implications of audit findings?
Are your audit papers and artifacts ACP protected?
19. ATTORNEY AUDIT ROLE
Terms of Right to Audit
Duration of the Audit(s)
Scope of the Audit(s)
Limit the number of concurrent Audits
20. ATTORNEY LITIGATION ROLE
Are you currently conducting due diligence throughout your entire engineering lifecycle?
Are you prepared for a subpoena or a deposition?
Do you adequately invoke the Attorney-Client Privilege during your day-to-day security operations?
Proactively talk about litigation strategies.
21. ATTORNEY LITIGATION ROLE
The value of due diligence:
Pre, During & Post a Security Breach.
Diligence vs Negligence
22. VENDOR MANAGEMENT
Vendor Security
Do your vendors meet the same security bar as your company?
How often do you audit vendor security compliance?
Do your vendors have vendors? Do they also meet the security bar?
24. HIRE ENGINEER ATTORNEYS
Patent Attorneys generally have a science background to prosecute patents with the US Patent Office.
Cyber Security Attorneys must be qualified to understand the engineering intricacies of your Cyber Security Program.
25. END TO END LEGAL PARTNERSHIP
Ultimately you must proactively engage your legal team and leverage your attorneys throughout the entire lifecycle of your security engineering operations.
Conduct End to End Legal Cyber Security Due Diligence!