Blessed are the lawyers, for they shall inherit cybersecurity
Discussing a controversial idea that the future of security will be defined by lawyers, not security practitioners
In 2021, Daniel W. Woods and Aaron Ceross published an excellent research paper titled “Blessed Are The Lawyers, For They Shall Inherit Cybersecurity”. It offers a great perspective that deserves a deep dive and an industry-level discussion. Since I connect my own ideas to those expressed in Daniel’s & Aaron’s article, please assume that anything not listed in quotations is my perspective and not that of the original authors. I recommend reading the original article to get the actual take of its authors in addition to my not-at-all-scientific take on it.
This issue is brought to you by… Wiz.
Welcome to Venture in Security!
Security in context: current state of the security industry
Security continues to struggle with embracing evidence-based security
Just over two years ago, I published an article titled “Future of cyber defense and move from promise-based to evidence-based security”. In that piece, I, perhaps overly optimistically, expressed the conviction that the security industry is maturing, and that this process of maturation is going to redefine how our field will look in the coming years.
A lot has changed since 2022. First, it has become apparent that a revolution in security is less likely than an evolution. The industry will continue to mature, but engineering-centric advancements such as continuous testing, continuous compliance, detection engineering, and policy as code are propagating slowly, and for now they are likely to remain accessible only to the very top of the market. As Rami McCarthy pointed out, “Security Engineering is not on the horizon. It has already become mainstream … in certain circles.” Second, security teams are not incentivized to do more security in-house. Outsourcing a security function transfers risk to a third party, while doing the work internally concentrates that risk on the security team. Third, and most importantly, we have not been great at embracing science-based or engineering-centric approaches to security (not yet anyway).
Security continues to struggle to move towards documented and verifiable security best practices
Just over two decades ago, Dan Geer, Kevin Soo Hoo, and Andrew Jaquith argued that “the future belongs to the quants”. Their idea was that the accumulation of scientific evidence would soon make it possible to move away from having to deal with “oracles and soothsayers” who rely on anecdotes and personal experience, and towards a more robust, reproducible, and reliable approach to security rooted in science. In the future proposed by these highly regarded security leaders, we would see companies build security programs based on the effectiveness of individual controls that can be tested, verified, and reasoned about.
Fast forward to 2024, and it’s easy to see that we continue to lack data linking cybersecurity losses to specific technical measures. First, we simply have no way of tracking historical data that would show which controls, processes, and technologies each organization that suffered an incident had in place, which of them were working well, and which failed. Second, we are unable to isolate the effect of individual controls on an organization’s security posture. Frameworks such as FAIR, and now a long list of cyber risk quantification vendors, still seem to be pretty far from solving this problem. Third, even if we take all the right steps, we can still suffer an incident. The amount of infrastructure that needs to be protected is enormous, and it’s practically impossible to get everything right. Something will be missed, something will be forgotten, and something will fail, leading to a breach. This reality doesn’t inspire a lot of confidence among executives who are used to getting a clear answer about the return on investment (ROI) of every business decision.
Even when there appears to be enough scientific evidence to prove or disprove the value of specific controls, the security industry pays little attention to it. Forced periodic password resets and phishing simulations are good examples: both have been shown to be problematic, and yet both are still widely adopted and embedded in compliance requirements. This is not to say that there has been no progress. NIST’s digital identity guidelines (SP 800-63B, and more firmly in the 2024 draft revision), for example, have moved away from arbitrary password composition rules such as requiring a mix of uppercase and lowercase letters, numbers, and special characters, and away from mandatory periodic password changes, in favor of a minimum length and screening candidates against lists of known-compromised passwords. Change is happening, but not as fast as we would like.
We continue to struggle to see the lasting impact of security incidents on the companies’ financial performance
When breaches do happen, we have struggled to see any lasting impact of the incident on the company’s financial performance.
As Daniel and Aaron explain in their piece, markets “reward post-breach informational interventions rather than technical measures”. They reference research that shows that releasing a bundle of positive news can easily offset the negative impact of announcing a data breach, and that market reaction to an incident is less damaging when the company commits to what they call “action-oriented” security improvements following a breach (expanding a security team, buying new tools, or obtaining new certifications, as an example).
These findings are in line with the observation that the long-term effect of security incidents on a company’s stock is essentially nonexistent, even if the stock price dips a few percentage points in the short term. The evidence simply doesn’t support the idea that most security breaches are detrimental to the business, even though all kinds of stats floating around suggest that a large percentage of companies can't recover after an attack. I have previously discussed why we can't trust most stats about the cybersecurity industry, and why we must stop creating numbers out of thin air.
Quantifying cybersecurity won’t get any easier
I am optimistic but somewhat skeptical that in the coming years, we will have much luck quantifying cybersecurity and distilling it into a pure science. As the authors of the article explain, the problem is that our environments have become too complex for us to be able to confidently verify the security of all interactions between sub-components of every system even if each sub-component was formally tested in isolation.
“A more practical approach is to use past attacks to guide decisions. This is how knowledge accrues to the InfoSec “oracles and soothsayers”. A common approach is patch management in which vulnerabilities in software are discovered or observed in the wild, fixes are developed, and then applied by firms who deploy the software. Again, knowledge about possible attacks increases with each new vulnerability. Empirically this can be seen in the proliferation of CVE IDs over time” - Source: Blessed Are The Lawyers, For They Shall Inherit Cybersecurity.
Where there could be hope is cyber insurance. Insurers know how much their policyholders actually lose to incidents in a given year, from ransom payments to recovery and legal costs, and are therefore perfectly positioned to estimate the true amount of security-related losses. Since insurers know, or ought to know, how each incident happened, they should also be well placed to suggest where security teams should concentrate their efforts to achieve the highest return on investment. I hope that the government will find a way to get insurance companies to share anonymized data about security incidents, which would let us aggregate it and make our security knowledge more scientific.
While we have many reasons to be optimistic about the future of cybersecurity, it is rational to conclude that increasing technological complexity, rise in connectivity, and the sophistication of adversaries will continue to make it hard for us to learn and secure our digital infrastructure.
One of the visions of the future: lawyers will be the driving force in cybersecurity
Why this idea has the right to exist
While we as an industry are struggling to wrap our heads around all the technical controls that need to be in place to bring cyber risk down to a level acceptable to the business, it is becoming apparent that the legal profession is developing its own ways of dealing with the world of security.
In 2024, the work of security leaders is closely intertwined with the work of legal counsel. From changing policies and analyzing whether an event has a privacy impact, to assessing third-party risk, nearly every day there is some kind of conversation CISOs need to have with legal.
It is important to note that while Daniel and Aaron titled their research “Blessed Are The Lawyers, For They Shall Inherit Cybersecurity”, they do not suggest that security leaders will lose power or security teams will be reporting to legal. Their suggestion is much more nuanced - that “Lawyers inheriting cybersecurity means that legal reasoning—referencing cybersecurity law, regulatory guidance, precedents and the anticipatory interpretations of individual lawyers—will displace reasoning about security as a technical property.” It’s hard to completely disagree with this take. I share the belief that the role of legal in cybersecurity will continue to increase, and young attorneys could do well by choosing security and data privacy as their areas of specialty. If I had another 24 hours in my day, I think I’d be very interested in focusing on cybersecurity law.
How legal influences cybersecurity practice today
Lawyers are a critical part of compliance
Due to the growing complexity of compliance requirements, lawyers are now a critical part of ensuring that the company is checking all the right boxes and thus reducing its potential liability.
As the number of compliance requirements continues to grow, so will the gap between being compliant and being secure. Most companies aren’t sufficiently funded or staffed to do both. Once the business needs to decide which security initiatives to prioritize, security as sales enablement wins: anything that checks a compliance box will be prioritized above the things that don’t.
There are many examples of how these trends manifest themselves in security. Daniel and Aaron talk about PCI DSS requirements and the fact that they influence data security practices when it comes to handling credit card data. I think that an even better example is the field of third-party risk management (TPRM).
For the longest time, it’s been understood that TPRM is an intractable problem. A company that works with 10,000-50,000+ vendors simply cannot predict which of its multitude of partners will become a problem. Theoretically, companies could embrace what Jason Chan refers to as “Rambo Architecture”, but what we see in practice is that legal risk transfer has become the standard way of handling third-party risk. The whole debacle of security questionnaires is just a formality, and recently it looks very much like the meme below: vendors use ChatGPT to fill out questionnaires, and buyers use ChatGPT to summarize the answers and gain “insight” into potential risks.
The whole questionnaire game is funny, but it doesn’t matter much, since it isn’t designed to provide security; it is focused on satisfying compliance requirements. The risk-transfer part of TPRM is handled by lawyers, who add provisions to contracts with third parties that define who will be held responsible in case of an incident. For example, I’d argue that the 2024 CrowdStrike outage will change little about how technical teams evaluate tools, but it will be instrumental in informing how lawyers draft contracts with SaaS vendors going forward and what language they include.
Lawyers are a critical part of incident response
Lawyers play a critical role in incident response, which is increasingly overseen by corporate attorneys and cybersecurity-focused legal advisors. There are several reasons for this, all coming down to liability reduction:
During incident response, the company needs to make sure that everything is done in compliance with applicable laws and properly documented (but only what should be documented), and that the right information is shared with the right parties.
In case of an incident, the complexity around what needs to be filed, when, and with which authority is enormous. Given that many businesses operate in multiple countries, navigating this without specialized legal advice is simply not possible: every country, every state, and every regulator is developing its own notification requirements.
Law firms are increasingly placed at the epicenter of incident response, which lets them claim privilege over the investigation and consequently shield evidence related to the incident from discovery, provided it was produced in anticipation of litigation. As Daniel and Aaron explain, “To argue this more clearly, law firms hire the forensic providers only after an incident is known. This avoids the situation following Capital One’s data breach. A judge ruled that a forensic report was not protected by client-attorney privilege because the contract with the forensics firm was signed before the incident”.
The role of legal in cybersecurity continues to increase
The role of legal in cybersecurity continues to increase. There are several dimensions that are worth calling out:
As CISOs are starting to be held accountable both for their own decisions and for events outside their control, lawyers are becoming not just a part of incident response but also a part of running the security function.
As business starts to question the incremental value of additional security investments, CISOs are at risk of losing the ability to advocate for the adoption of controls not directly required by the regulation. Daniel and Aaron describe this phenomenon as follows: “The concept of effective security controls is rooted in the scientific method’s ability to quantify effect sizes, but it will soon be replaced by notions like reasonable or appropriate controls. This results from the failure of quants to produce evidence about effectiveness.”
Although there has historically been little research on the relationship between law and security, we are starting to see some early steps in this direction. A case in point is the findings Daniel and Aaron cite in their piece, such as that “... firms offering free credit monitoring after a breach are 6 times less likely to be sued. This represents the clearest evidence regarding the efficacy of a cybersecurity intervention, albeit a post-breach one. The study also provides evidence about prioritizing protection efforts given that lawsuits are 6 times more likely when the breached data contains financial information”. Findings such as this make legal concerns a critical consideration for security leaders.
What security could look like if lawyers were to start playing a more active role in shaping it
We may see limited information sharing in the industry
One of the most critical potential consequences of lawyers shaping the behaviors in cybersecurity is the impact this would have on information-sharing. As I have previously discussed, one of the most impactful developments in security we have seen over the past few decades is the emergence of trusted networks for information sharing and collaboration. Two of the most important ones are Information Sharing and Analysis Centers (ISACs) and peer networks.
“ISACs solve the problem of trust when it comes to threat intelligence sharing and collaboration. Historically, security leaders sworn to secrecy and bound by non-disclosure obligations had no incentives to share their most sensitive findings. There was always a danger that their attempt to be helpful would backfire and expose them to personal and professional liability. Since ISACs are supported by the government, they make it possible for CISOs to open up with their trusted peers in ways they are not able to do anywhere else. Many other forms of collaboration take part in peer networks for CISOs and security practitioners. Usually, these are invite-only communities that congregate in Slack, WhatsApp, Discord, or on proprietary platforms and encourage professional collaboration. While these communities are invisible and inaccessible to outsiders, they play an important role in the dissemination of best practices, peer support, aggregation of feedback about vendors, professional development, and more.” - Source: Cyber optimist manifesto: why we have reasons to be optimistic about the future of cybersecurity.
Sadly, this trend of increased information-sharing which has greatly benefited our ability to respond to attackers may be impacted if the role of legal in cybersecurity continues to grow. Daniel and Aaron explain it really well in their article: “Technical and legal risk can be compared in terms of the role of information. Technical risk considers how likely an adversary is to use information about technical vulnerabilities to compromise a system. Legal risk considers how likely a complainant or the judiciary is to use legally relevant information against the defendant. Whereas technical risk can be mitigated by sharing information and fixing vulnerabilities, legal risk is amplified when information is shared as it could be used as evidence against the defendant. In this way, the legal view breaks from the scientific perspective that evidence should be shared widely. We can expect lawyers inheriting cybersecurity to reduce information sharing. Indeed, organizations are less likely to disclose information when they could be held liable for doing so.”
Another aspect worth discussing is the impact of lawyers on evidence generation at large. When lawyers run the incident response process, the emphasis is on reducing liability for the company that got breached, not on enriching the body of knowledge available to other defenders. In practical terms, this means avoiding documenting anything that could later be used against the company in court. Daniel and Aaron put it this way: “A less widely appreciated implication is the potential for lawyers to influence the creation and documentation of evidence. Such influence anticipates pre-litigation discovery processes in which claimants and defendants can request evidence from each other (and these can be legally enforced via motions to compel). For example, shareholders may sue a breached company and request a forensic report detailing which security procedures were in place. Lawyers can mitigate this legal risk in multiple ways, which are illustrated when lawyers run incident response (notably thousands of incidents are already run by lawyers each year).”
Image: Incident response process coordinated by lawyers. Source: Blessed Are The Lawyers, For They Shall Inherit Cybersecurity
We may see the prioritization of commonly acceptable over effective security controls
Security leaders live with a permanent sense of inevitability: no matter what they and their teams do, and how much effort they put into protecting their organizations, they are still likely to suffer an incident. Worse yet, when breaches occur, the business isn’t doing a retrospective to recognize the security team for all the great work it has done in the past. Right there and then, all that matters is the most recent incident and the fact that it wasn’t prevented.
When it seems like there is no winning, it is no wonder that experimentation and efforts to do things better are not always recognized. If a security leader can show in the post-breach investigation that the team did everything that was considered a best practice, they are much more likely to be forgiven compared to if they went against what is seen as a commonly acceptable way of doing things. When the mindset that “nobody gets fired for buying Palo Alto” drives people’s decisions, they are highly unlikely to consider working with startups.
When lawyers direct decision-making, this drive for self-preservation can reach an entirely different level. Daniel and Aaron surmise that in that world, “Risk decisions may be guided by concepts like reasonableness or appropriateness rather than effectiveness… Whereas an effectiveness criterion strives to be better than current practice and rewards innovations that do so, reasonableness emphasizes following established practices and may even punish deviating from them… Firms should follow “established recommendations” offered by regulators. Deviating from such recommendations brings legal risk unless the deviation is based on scientific knowledge, which is broadly unavailable.” They reference another paper which concludes that “security incidents are tolerated more easily if one can show that they occurred despite the affected IT system being compliant with all applicable security regulations”.
In a world where security is overseen by legal, we get a compliance-first mindset. We see examples of this all the time. Some companies keep buying firewalls despite having no network of their own to put them in front of, purely to satisfy compliance requirements, while others continue mandating regular password changes and sending people through phishing simulations despite all the evidence that both come with serious trade-offs.
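To make the password example concrete (the one raised above and earlier, under evidence-based security), here is an added illustration that is not from the article or from the Woods and Ceross paper: a legacy composition-and-rotation policy of the kind many compliance checklists still require, beside my approximation of the NIST SP 800-63B memorized-secret rules (minimum length, screening against known-compromised values, no composition rules, no calendar-based expiry). The breached-password list is constructed, the 90-day rotation interval is an assumption, and the function names are mine.

```python
"""Two password verifier policies side by side. Added illustration only:
the breached-password list is constructed, not a real dataset, and
nist_style_policy is an approximation of SP 800-63B, not NIST's text."""
import re

# Constructed stand-in for a breached/common-password list. A real
# deployment would check a large corpus (typically by hashed lookup)
# rather than a handful of literals.
BREACHED_PASSWORDS = {
    "password", "password1", "qwerty123", "Summer2024!", "Welcome1!",
}

LEGACY_MAX_AGE_DAYS = 90   # assumed forced-rotation interval
MIN_LENGTH = 8             # SP 800-63B minimum for user-chosen secrets


def legacy_policy(password: str, age_days: int) -> list[str]:
    """Composition rules plus forced rotation. Returns the list of failed
    rules; an empty list means the password is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than minimum length")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    if age_days > LEGACY_MAX_AGE_DAYS:
        failures.append("expired, forced reset")
    return failures


def nist_style_policy(password: str, compromised: bool = False) -> list[str]:
    """Approximation of SP 800-63B: enforce a minimum length, reject values
    on the breached list, impose no composition rules, and force a change
    only when there is evidence of compromise (never on a calendar)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than minimum length")
    if password in BREACHED_PASSWORDS:
        failures.append("appears in breached-password list")
    if compromised:
        failures.append("evidence of compromise, forced reset")
    return failures


def compare(password: str, age_days: int) -> dict:
    """Run both policies on one candidate to see where they disagree."""
    return {
        "legacy": legacy_policy(password, age_days),
        "nist_style": nist_style_policy(password),
    }


if __name__ == "__main__":
    # Satisfies every composition rule, yet is a known-breached value:
    # the legacy policy accepts it, the NIST-style policy rejects it.
    print(compare("Summer2024!", age_days=30))
    # Long passphrase: fails composition rules, passes the NIST-style check.
    print(compare("correct horse battery staple", age_days=30))
    # Same passphrase, 182 days old: only the legacy policy complains.
    print(compare("correct horse battery staple", age_days=182))
```

The point the two functions make is the one the paper makes about reasonableness versus effectiveness: the legacy policy is easy to audit against a checklist, but it waves through a password that is already in a breach corpus and forces users to rotate a strong passphrase for no reason, while the evidence-based policy does the opposite on both counts.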
Legal could turn into a distribution channel for established security vendors
If lawyers were to gain more power to influence cybersecurity, they would likely get more say in purchasing decisions. And if that were to happen, established companies could look for ways to use law firms as distribution partners. Since law firms seek certainty and liability reduction, startups would stand little chance of being picked (remember that “nobody gets fired for buying Microsoft or Palo Alto”).
There are more ways in which law firms could impact the way companies in security do business with one another. Daniel and Aaron’s article provides insight into some of the possibilities: “For example, the lawyer-led model of IR disrupts the integration of ex-ante monitoring and ex-post investigation recommended in NIST-800-61. In traditional IR, visibility from network monitoring helped to guide investigations, logs were set up to collect evidence, and internal investigators were often familiar with the systems. In the new model, lawyers choose the firms they want to work alongside independent of whether the firm has existing network access. This introduces new business logic. In the old model, firms first sold monitoring and offered investigation as an optional follow-on service. In the new model, firms first sell investigations and then try to sell network tools used during investigation as an on-going service.”
The number one factor that will influence whether or not lawyers will define the future of security
If lawyers do indeed start playing a bigger role in cybersecurity, it most likely won’t be a great thing for the state of our infrastructure and the technical defenses designed to protect it. If the pendulum swings towards compliance, if we start prioritizing controls that reduce liability over those that make defenses more robust, and if we share knowledge less out of fear of litigation, our industry and the future of security will suffer. Worse yet, given that cybersecurity already suffers from too many voices and a lack of agreed-upon best practices, a shift to legal thinking would introduce even more ambiguity. As the authors of the essay explain, “While further research is required to understand the full implications, it is reasonable to conclude that less documentation limits knowledge generation by quants. In this way, lawyers inheriting cybersecurity may actively undermine the science of security”.
Now, let me be clear: we aren’t talking about legal taking over security but rather the fact that legal thinking, arguments, and frameworks may become more dominant in cybersecurity. Daniel and Aaron caution against misreadings of their idea: “The law is less seizing control of cybersecurity and more reluctantly taking authority due to the knowledge vacuum. As a result, the law leaves many problems ambiguous. One can expect different areas of cybersecurity to be more or less exposed to the law as a system of social control, and our paradigm’s explanatory power tracks these variations.”
How likely are lawyers to define the future of our industry? That depends on what will be the bigger concern for companies in the years to come: the cost of data protection and business continuity, or the cost of legal defense and compliance. If governments continue to increase fines for non-compliance, if the cost of litigation goes up, and if CISOs continue to be held liable for any missteps, or even for factors outside their control, then the power of lawyers will increase. If, however, the cost of keeping the business running outpaces the cost of legal risk, the equation will change. The authors of the essay put it this way: “Finally, the tide could turn against lawyers if the growth of technical risk outpaces that of litigation risk. For example, lawyer-led incident response was clearly beneficial when the primary cost-driver was post-breach litigation. The added-value is less clear when litigation rates are around 1% while ransomware payments grow 1000% year-on-year. Such a movement will be tempered by the tendency for power hierarchies to entrench themselves over time.”
I hope that instead of focusing on liability avoidance, we will spend our time and resources implementing security controls that are actually effective (hence evidence-based security). That said, only time will tell which path wins and what the future of our industry will look like. Most likely, it won’t be either/or, but a combination of the two approaches, technical and legal, that shapes the cybersecurity of tomorrow.