Denver Security Conversations – An Interview with Dave Navetta
If the only place you know me from is this website, you may not be aware that I am a Denver guy. Colorado is my adopted home, and I am proud to be a part of it. Not only do we have the mountains just a few minutes away, combined with all the benefits of a city, we also have a thriving technical industry here. This post is the first in a series of interviews with some of the interesting security characters here in the Denver area. My goal is to find a variety of perspectives on security to help paint a full picture of the Denver security community.
First up is Dave Navetta. Dave is an attorney specializing in information law. His background includes helping spin up AIG’s cyber insurance offering, running his own information law practice, and most recently as a partner for the InfoLawGroup, a leading company in the information law field. The InfoLawGroup has a number of relevant practice areas including policy creation and compliance, setting up third party risk management programs, and performing IT transaction negotiations and breach notifications and litigation.
Dave is a regular speaker at security conferences (including RSA, and RMISC) and heavily involved in the American Bar Association’s Information Security Committee (which he formerly co-chaired). He also regularly writes relevant security and legal content here.
Dave and I met for lunch on March 3rd at the Bagel Deli, one of my favorite Denver gems, on Hampden, just east of 25. We both ordered a Reuben (half sandwiches only; the regular sized sandwiches are enormous), and talked security in between bites. My questions are indicated in bold, with Dave’s responses paraphrased below.
Dave, where do you see information law and security crossing paths? Where is collaboration important?
Collaboration is required heavily throughout an organization’s security program. One pervasive example is security policies. Organizations with policies that are more administrative in nature may be written by the legal side, with the security team providing a sanity check on what is possible in the current environment. Conversely, more technical security policies may be drafted by the security team, but require oversight and guidance by legal to determine what is appropriate, and supports the risk and regulatory requirements of the business. In either case, writing a policy from just one perspective leaves an organization vulnerable to a series of risks.
On the topic of polices, one of the most fundamental mistakes an organization can make around policies is to make a requirement that the organization cannot fulfill. The lowest legal test for a company to demonstrate due care is whether it is adhering to internal policies. If not, the case for a legally defensible security program is hard to make. Simply, if you cannot support a control, don’t put it in a policy. For complex organizations, to avoid this problem, risk exception policies should be developed that allow specific business units unable to implement certain controls to assess risk and identify compensating controls, if applicable.
Can you explain the idea of legally defensible security in a bit more detail?
The issue here is not a fully a security issue, but rather a question of “reasonable” security under the law. In the event that things go wrong, and the company ends up in front of a court, a company’s liability will be greatly impacted by the quality of their security program and the reasonableness of their choices. While it certainly doesn’t assure that a jury won’t find you liable, a program that adheres to its own security policies and follows industry best practice controls will give the organization a defensible position. Being able to document risk assessment and decision making processes can further buttress a “reasonable security” argument in front of a judge, jury or regulator.
What trends do you see in the information law arena? Where do you think things will go in the future?
Rules are maturing. As we get more case law, the expectations for what is acceptable is becoming better understood. Laws are going to get more and more prescriptive, requiring that legal and security work together more closely than ever before.
Can you provide an example?
Vendor management programs. While there have always been significant risks around third parties, regulations have become much more prescriptive. The Gramm Leach Bliley Act has now created specific requirements around third party risk. And this is another of those areas where there is a big cross-over between the law and security. The security team can do a security risk assessment, but an effective third party risk program will also include contractual provisions that detail safeguards and performance requirements that protect the organization and provide indemnification for the company in the event of a breach of the third party. It is important that the security team and legal team work together to develop a due diligence process that combines security and legal risk, and is consistent from the assessment process, to the contracting requirements, and all the way to areas like incident response. Security professionals should expect to be more involved in not only developing these processes, but also negotiating actual contract terms with third party vendors that impact security.
What advice do you have for those managing an information security program?
Don’t do your own breach investigation. Bring in a third party independent investigator whenever there is an event with significant risk. While you may have the competencies internally, there is an inherent conflict of interest whenever the same team that architected, managed or secured the environment is asked to report on what happened and why. An external organization will have more experience with incident response, protecting evidence, and maintaining the chain of custody, will be much less likely to be accused of bias, and their findings will be better trusted. Moreover, when legal counsel is involved, he or she can bring the forensic assessor under the protection of attorney-client privilege, and some communications between the assessor, legal counsel and the organization can be protected from scrutiny in court or in front of a regulator.
Incident response is another area where I see things changing. The risk of litigation and regulatory scrutiny has resulted in much more care with respect to forensic and legal analysis. In the past we saw organizations reporting breaches pretty early on, even if they were not sure that at breach occurred. I see a trend where organizations are much more reluctant to report a breach. They are considering the risk of harm to the victim, and whether there is definitive evidence of unauthorized acquisition before making any kind of notification.
What advice do you have for anyone looking to get into a career in information law?
There is a huge need for individuals with both a security and a legal background – I call them “hybrids.” The ability to speak to both the security and legal sides is essential. Hybrids can bridge the gap between security and compliance, and can also help make sense of things for C-level executives without legal or security experience. However, if you are interested in pursuing the field, strongly consider getting a legal degree. Taking some classes is helpful to obtain some base knowledge, but gaining credibility for speaking to both sides among the legal community is difficult without official legal training.
Last question: What did you think about your Reuben?
The Bagel Deli has itself a repeat customer.
Thanks to Dave for setting aside some time to talk law and security with me. I hope you’ve enjoyed this first glimpse of the Colorado information security scene. Let me know if there’s someone else in the region you’d like to hear from, and I’ll see what I can do.
Connect with Robb on Google+