The First Thing We Do, Let's Kill All the Lawyers

The phrase “let’s kill all the lawyers” comes from William Shakespeare’s play, King Henry VI, Part 2. This is one of the most misinterpreted lines in all of Shakespeare’s works, and it is often used inaccurately to express a dislike for attorneys. This is not the way that Shakespeare intended it. Shakespeare was not one to suggest the slaying of lawyers as a way to cure society’s problems. As an information security professional, have you often found yourself frustrated by the growing collection of cyber-based rules, guidance, regulations, and contemplations that our lawmakers can conjure up? As if the job of securing network systems isn’t hard enough, now we need the long arm of the law reaching in to offer more hurdles? Do you often wonder aloud “whose side are these attorneys on anyway”?

If you have found yourself in the vexing position described above, perhaps it is time to look at this from a different perspective. While Shakespeare was not an adoring fan of lawyers, as shown in other plays, such as the graveyard scene in Hamlet, he recognized their necessity in the world. When we think of all the transactions in our lives that require legal guidance, it becomes clear that lawyers fill a valuable purpose. Would you ever buy a house without an attorney’s advice? Would you prepare a last will and testament without some legal guidance? Would you defend yourself in a court of law without a lawyer? It is clear that lawyers see things quite differently than non-lawyers. It is also clear that information security professionals see things differently than most non-security people.

Why We See Things Differently

Many information security professionals began their careers as curious youths who explored how computers worked, often pushing the machine, or the programs in that machine, beyond their expected behavior. According to history, what started as a club of model train enthusiasts soon moved on to computers. These were the original hackers. Many of these hackers started to learn the value of securing systems against threats. Explorations of vulnerabilities became another favorite pastime.

Over time, these threat mitigation techniques and vulnerability explorations gave rise to an entirely new profession known as information security. InfoSec, as it is commonly called, became a discipline with such a broad range of skills that certification examinations were created to test these skills and knowledge. One of the most well-known InfoSec exams is the CISSP. A certification, such as the CISSP, adds legitimacy to a conversation with an executive, such as an attorney who may see things from a non-security perspective.

Viva La Difference

Regulations are often written by people with legal training. Many times, the stroke of a regulatory pen can create a rule that is beneficial towards individual privacy, but not necessarily technically easy to achieve, or administratively easy to maintain. For example, a cursory examination of some of the privacy regulations across the globe reveals some very common sentiments. Regulations from China, South Africa, the European Union’s General Data Protection Regulation (GDPR), and India all share the following principles:

  • Consent to collect information
  • Data obfuscation requirements
  • Data retention limits
  • Data portability
  • Right to know if an individual’s data has been processed
  • Right to withdraw consent

When viewed from the attorney’s perspective, these common themes make perfect sense. However, none of these rules can be achieved without technical consultation. Some examples include:

  • An attorney will understand the legal meaning of “consent” when related to gathering information, but how does that translate to the method of execution? That requires consultation with an information security professional. Topics for the discussion would include the timing for presenting the request for consent, as well as tracking the response. This is also true if a person withdraws consent at a later time.
  • An attorney will understand that data obfuscation will mask data, but may not know the different methods for doing so, or the best implementations for any given data set, such as structured versus unstructured data. The information security professional will be able to clarify the appropriate means towards accomplishing this requirement.
  • An attorney will understand the need for limits on data retention, but may not realize the data flow, as well as where all the data is stored in an organization. The assistance of an information security professional would be vital to this endeavor.
  • An attorney will understand the need for data portability; however, an information security professional can provide guidance about how to adhere to technical standards for different systems.

Why Does The CISSP Credential Matter?

Studying for the CISSP exam can be a challenge. There is so much information to understand, and some of the topics may be far from a candidate’s area of expertise or professional focus. However, that is why attaining the CISSP qualification matters to many hiring managers. An information security professional with the CISSP designation is known to bring a more mature perspective to any business critical discussion.

When speaking to someone who has undergone the rigorous training required to become an attorney, it is important to approach the conversation with the confidence of knowing the subject matter. CISSP training can help with the ability to explain technical concepts so they resonate with the attorney’s mindset.

Attorneys are necessary for so many important aspects of our lives. Contrary to the days of Shakespeare, our world has become tightly intertwined with electronic data. This has introduced the need for strong information security, and a person who holds the CISSP credential can bridge the gap between the legal teams and other technical teams to create a secure, legally sound organization.

How The CISSP Credential Can Help You Succeed

The knowledge required to be a successful information security professional is vast, and constantly expanding. Every day, new events reshape the security landscape, requiring a combination of experience and knowledge. When an organization needs subject matter expertise, it can rely on those who hold the CISSP designation for a wide breadth of knowledge and experience that is not limited to just information security.

The CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles, including those in the following positions:

  • Chief Information Security Officer
  • IT Director/Manager
  • Security Analyst
  • Security Engineer

ISC2 was the first information security certifying body to meet the requirements of the American National Standards Institute (ANSI) ISO/IEC Standard 17024 and the CISSP certification has met Department of Defense (DoD) Directive 8570.1.

To discover more about CISSP, read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.