At first glance it might seem like an unlikely match up. I do, however, ask for your indulgence and allow me to state my case. Both roles are intrinsically similar in nature on a fundamental level, they are both predicated on securing the organization, the organization’s assets, and its employees. Even with the divergence of both methods and means between Information Security and Legal, you will find that they still go hand in hand on several key aspects. They both provide advice, perform research , process documents, identify risks, and direct staff. Oft-overlooked, and critically important, they must be able to communicate effectively with most if not all people in the organization, from executive management, legal, IT, even to the janitorial staff. That being said, I will attempt to illustrate further overlaps, starting with the Information Security Officer. 

An Information Security Officer has to work within the confines of the law, an obvious statement to be sure. However, due to the increasing maturation of the industry they deal with a multitude of legislations, both national and transnational. And this will only grow in number. We can see this in the additional segmentation in the field of Information Security with the growing importance of the Governance, Risk and Compliance (GRC) specialization. Privacy would be another prime example: It has fallen to Information Security Officers in the EU to implement the GDPR legislation, while those in the US’s medical field are implementing the HIPAA legislation. 

Both legislations are focusing on Personal Identifiable Information (PII). The EU’s GDPR has led to the role of Data Protection Officer (DPO) becoming more prominent and in demand as of 2018. Another example for Compliance is the Sarbanes Oxley (SOX) act of 2002 (in particular sections 302 and 404, as well as Title 2), which deals with internal controls that need to be adhered to for organizations who wish to do business in the US. A Security Officer, it seems, might almost need a legal degree to deal with all the legislation and implement what is needed to be compliant! Especially if there is no legal department or legal officer in the organization, as is a common occurrence with Small to Medium Enterprises (SME’s).  

But what about the other side? How does a Legal Officer’s job intersect with that of an Information Security Officer? To start, both jobs involve securing the organization, its assets, and people, from both internal as well as external risks. Often this will be centered on compliance with factors such as legislation, contracts and reviewing external contracts in order to secure the organization (Review of 3rd party contracts in order to mitigate risks to the organization being another instance of overlap with the Security Officer). Commonly it falls upon the legal department to interpret legislation and then advise upon it, a perfect example of this is the GDPR in regard to PII. The natural choice is to hire a DPO or promote within the ranks. The obvious pick would be to consider legal personnel as they already have a background which involves vast amounts of legislature and feel comfortable with interpreting it. There is even more overlap with governance, as writing policy is akin to legal writing (drafting a contract, for instance). They will have been confronted with the value of a properly structured, well-written, binding document (and the frustrations of finding loopholes). Last but not least, they are practiced in dealing with the flood of paperwork in their day to day business life.  

To summarize, there is enough overlap between the two respective functions, that with a slight alteration here and a bit of retooling there, a person of similar profile to one of the above would be able to support and help secure their company due to the commonalities of the respective roles. 

However, this can be a time consuming and arduous affair, especially when having to deal with the daily grind at work as it is. This is something we at Toreon can further help you with by providing a DPO-as-a-service or CISO-as-a-service.