IEyeNews


As risks mount, lawyers take on security roles

By David Ruiz, From The Recorder

SAN FRANCISCO — The job of chief security officer is getting an upgrade.

In-house counsel, private practice attorneys and legal recruiters say they are seeing more lawyers in expanding CSO roles as companies update their C-suite lineups to deal more effectively with the costly and increasingly commonplace threats posed by hacks, breaches and the misuse of customer and corporate data.

Today’s chief security officer must understand the technology used to prevent data breaches. But companies are also looking to this role—whether packaged as a CSO, chief trust officer, chief information security officer, or even digital risk officer—to quarterback enterprise-wide security measures before and after experiencing the nightmare scenarios seen at companies like Sony, Target, Anthem Health and others in recent months.

In April, Uber Technologies hired Joe Sullivan as its first chief security officer. Sullivan, who had that title at Facebook, started his career as a federal prosecutor before joining the security team at eBay in its early years.

In 2012, electronic invoice and payments company Viewpost IP Holdings hired former Lewis & Roca attorney Christopher Pierson as both its chief privacy officer and CSO. Two years later, he took on the general counsel responsibilities. Workday Inc.’s chief privacy officer and former CSO Barbara Cosgrove is a lawyer. Matt Hollcraft, hired by Maxim Integrated Inc. as CISO last month, is attending law school.

A survey published last year by Ari Kaplan Advisors found that of 26 corporate security officials, about a quarter said they meet daily with in-house counsel, eDiscovery and information governance teams. On a monthly basis, 54 percent meet with such teams. Legal consultant and advisor Ari Kaplan said he only expects that number to go up.

“The CISO is being increasingly tapped for more significant leadership roles,” Kaplan said. “It isn’t surprising that there would be an interest in having someone with a legal background because of the ramifications around data protection and security.”

Security roles are in a state of flux, with companies commonly naming officers for security, information security, privacy, trust and also risk. The range of names and responsibilities can depend on the nature of the industry and the threats it faces. CISOs often report to the CSO, who handles all things related to security, including fraud and physical threat.

Privacy officers tend to deal with user and employee privacy, and they respond during any breach of privacy, such as a data breach.

Silicon Valley Law Group of counsel Stephen Wu said he takes on many of the responsibilities of a CISO for his outside clients. He writes security policies, reviews technology management issues and helps develop procedures for background checks, among other tasks. Previously, as in-house counsel at Verisign Inc., he helped craft encryption policies and digital signature procedures.

It’s important, he said, to have someone who is looking at the overall security picture, not deep in the technical weeds, which makes a lawyer well-suited for the job. “A CISO shouldn’t be looking at individual firewall settings or checking out the antivirus software,” Wu said.

He said it is a given that a good CISO has information security knowledge and technical expertise. “But if you asked me what are some of the non-technical things a CISO should be doing? Perhaps the top thing is helping the board and the executive management understand the risks having to do with information security, the vulnerabilities and being able to properly budget and prioritize the information security department to make sure the company’s risks are mitigated.”

Like most things a lawyer handles, security is inextricably tied to risk—risk of data breach, risk of fraud, risk of credit card numbers getting stolen, risk of laptops going missing.

“The old fashioned notion of security meant you were responsible for the guard at the front door, the locks, the card keys—physical protection,” said Chegg Inc. general counsel Robert Chesnut. Chesnut hired Uber’s Sullivan at eBay because of his prosecutorial experience. Chesnut also hired three other people for his security team. All were federal or state prosecutors.

“I think it’s fair to say that eBay is the one that did this first,” Chesnut said. “EBay recognized a number of issues faced by private companies that have legal and regulatory complications, and federal prosecutors have experience.”

ViewPost’s GC and CSO Pierson said he’s seen more CSOs with a prosecutorial background. “State or federal prosecutors are able to analyze and assess the hostile actions of foreign hackers or even insider threats,” Pierson said. “They’ve dealt with this stuff before, they have law enforcement contacts.” Pierson said having a lawyer as a CSO also cuts down on the translation problem that occurs between security and law.

A CSO or CISO has to be able to oversee and work with multiple departments, Kaplan said.

“It’s more like an information security ambassador,” Kaplan said. “They are the liaison between senior leadership and all other divisions of the organization. They and their teams are relied on almost universally.”

Stanford Law School professor F. Daniel Siciliano said that lawyers are more readily trained to work with multiple groups and explain complicated items to many people.

“Lawyers make really good CSOs and CISOs because they’re really good communicators,” Siciliano said. “Obviously a CISO has to have serious tech knowledge, but given a lawyer has that, they can bridge the knowledge gap that even the brightest tech genius might fall short at.”

For more on this story go to: http://www.therecorder.com/id=1202728586254/As-Risks-Mount-Lawyers-Take-on-Security-Roles#ixzz3cU0BZ7oE

 
