Why CISOs should build stronger bonds with the legal function in 2025
The Computer Weekly Security Think Tank considers how security leaders should best navigate the multitude of new national and multinational regulations affecting their work, and ensure their organisations remain compliant and protected.
For chief information security officers (CISOs) still looking to set some professional goals for the New Year, or to expand on a list they’ve already compiled, consider strengthening the relationship with your organisation’s legal function.
You may well have already spent a great deal of time building bridges with company lawyers. After all, it’s now a significant aspect of the modern CISO role, according to the 2024 Global CISO Organisation and Compensation Survey from executive recruitment firm Heidrick & Struggles, a poll of over 400 CISOs worldwide.
When asked which functions they spend most time working and consulting with, the top two responses offered by respondents involved other IT professionals, with network, cloud and engineering groups in first place, and software development and product development/engineering in second place. In third place was legal, compliance and risk – way ahead of finance, HR or the board of directors.
In 2025, the links between cyber security and legal teams need to be closer than ever, because around the world, the IT security function – and the people who lead it – are increasingly the target of new regulations and sharp government scrutiny.
Legal challenges
Regulatory changes and uncertainty place huge stress on cyber professionals. Even where rules are clear, the volume is increasing and the burden of compliance growing heavier. Any company operating on an international basis faces a wide range of country-specific regulations that may well contradict each other, or at least include requirements that don’t clearly align.
In the EU, companies face the EU AI Act, NIS2 and the Digital Operational Resilience Act (DORA). The incoming administration in the United States could propose significant changes to current regulations, too. And every organisation already faces strict PII mandates when it comes to how the personal information of customers, suppliers and partners is stored and managed.
All this makes it a real struggle for IT security teams to figure out how to best implement regulations in their organisation. Their colleagues in the legal department will be their best allies in helping them to navigate this minefield.
Lawyers can help a CISO and their team to develop a stronger and deeper understanding of how and where rules apply to their specific organisation and where they do not, for example. The scope of coverage of a regulation can be a pretty subtle matter and legal expertise is often needed to analyse it effectively and accurately.
Another significant task – and another area of potential conflict between different regulations – is identifying communication and reporting requirements, and figuring out the different schedules and types of information that need reporting. Here, the IT security and legal functions need to work on effective procedures and ensure they are communicated clearly to the appropriate personnel.
Mutual benefits
But this is not a one-way street. The legal function may have an important role to play as an advisor to cyber security, but the CISO isn’t just a passive consumer of the information offered. While regulations typically have good intent, sometimes wording or proposed implementation is not as effective as it should be. The CISO must be able to spot the gaps and contradictions and consult with legal teams on how best to tackle them.
Working together, cyber security and legal teams can also define and implement best practices; for example, they might adopt the ‘three lines of defence’ model, most commonly seen in the financial services sector.
In this model, the first line of defence is operational management: the teams doing the day-to-day work, together with the managers who run them, who own the risks they create and the controls that mitigate them. The second line is made up of the oversight functions, such as risk management, compliance and legal, which set the standards, monitor the first line against them and challenge it where it falls short. The third line is internal audit, which gives the board independent assurance that the first two lines are working as intended, with external auditors providing a further outside check – those responsible for ‘watching the watchers’. By marshalling resources into these three lines of defence, organisations from any industry sector can achieve new levels of visibility and accountability.
Another area in which the CISO can be a big help to their legal counterpart is in technological understanding. It’s no secret that technology evolves much faster than the time it takes to write regulations and get them agreed and implemented. As a result, it’s not uncommon to see regulations put in place whose definitions and obligations simply don’t account for new technologies. That was certainly true with cloud technology, and it’s increasingly the case with artificial intelligence (AI) approaches. There is much here that a CISO can offer in terms of advice to their organisation’s chief legal counsel.
This can be an enormously valuable relationship. The CISO and the chief legal counsel, after all, have much in common. Both perform a crucial and complex function, the goal of which is to protect their organisations from threats. Both are deeply concerned with building resilience through policies, procedures and employee education. And both need to plan ahead when it comes to mitigating new risks to their organisation. Above all, both are crucial to good corporate governance and smooth-running operations.
In 2025, my advice to CISOs is to continue building on these firm foundations.
Read more from the Computer Weekly Security Think Tank
- Mike Gillespie and Ellie Hurst, Advent IM: CISOs will face growing challenges in 2025 and beyond.
- Elliot Rose, PA Consulting: The most pressing challenges for CISOs and cyber security teams.
- Pierre-Martin Tardif, ISACA: Six trends that will define cyber through to 2030.
- Stephen McDermid, Okta: In 2025: Identities conquer, and hopefully unite.
- Deepti Gopal, Gartner: CISOs: Don't rely solely on technical defences in 2025.
- Paul Lewis, Nominet: Decoding the end of the decade: What CISOs should watch out for.
- Rob Dartnall, SecAlliance: 2025-30: Geopolitical influence on cyber and the convergence of threat.
- Elliott Wilkes, ACDS: Look to the future: How the threat landscape may evolve next.