The Often Underestimated Role Legal Plays in Corporate Security


Whether you’ve worked in the world of security for two years or twenty, it doesn’t take an expert to tell you that the role of protecting others extends far beyond the traditional corporate security roles. It takes a coordinated approach to know the full story of a suddenly disengaged employee or unfamiliar visitor circling the company headquarters. Knowing all prior complaints filed with HR and knowing the legal ramifications of capturing information on external systems is crucial to connecting the dots and mitigating threat activity.

At the 2022 Ontic Summit, the theme of ‘widening the aperture’ was a popular theme discussed at large. CEO Lukas Quanstrom explained how allowing more intelligence into security programs illuminated the bigger picture of an organization’s threat landscape. One of the primary methods for widening the aperture is uniting departments across an organization to share data and insights in order to have a more holistic view of its security posture.

The legal team plays a key part in security’s role of creating risk, resilience and security strategies for an organization. They influence every part of the business; however, historically legal teams have worked independently from the security program. Security and legal leaders took the stage to discuss their guiding principles for strengthening business resiliency by keeping intelligence risks and physical threats at the forefront of their strategies. They discussed the importance of breaking down internal silos to integrate these two teams in order to better reduce corporate liability — because being proactive in today’s threat landscape demands a unified process

Ron Worman, Founder and CEO of The Sage Group, led the discussion amongst Julie Bowen, Senior Vice President of Operations & Outreach and Chief Legal Officer at MITRE, Josh Massey, Department Manager of Enterprise Security Assurance, Security & Risk Management at MITRE, and Debbie Maples, VP of Intelligence, Investigations & Protection at Salesforce. Below you’ll find the main takeaways from their conversation:

Getting to ‘Yes’ Faster

The discussion was energetically kicked off with a strong agreement over the fact that security has traditionally lived in a silo within organizations. Bowen shared the story of her efforts to have the security team reporting to the legal department so she could be kept informed of decisions and stay proactive. 

“I like to know what we need to plan for. Business solutions all factor into cost and insurance. Having security under me helps me stay more informed on how to mitigate risk so we can get to the ‘yes’ faster,” she shared. Bowen then went on to elaborate on the many benefits of MITRE’s security team reporting to legal due to the complexity of the threats faced in today’s world. 

Additionally, most legal teams don’t have the bandwidth to investigate where the company vulnerabilities originate, making collaboration between the two teams all the more critical. Having a close relationship between legal and security also means more real-time information, which significantly impacts both teams.

“Having an alliance between the legal and security teams means you will have a robust and reliable audit trail,” Massey added. 

Creating Allies Internally and Externally

Cultivating relationships secures ongoing support. The panel unanimously agreed that it’s imperative to not only have allies within your organization but ‘industry allies’ outside of your organization as well. In order to foster these relationships, bring in technical teams to convey terms in the ally’s language. Having support from all different areas looped in during the decision-making process allows for security leaders to rely on experts in different areas that see what they can’t see.

The panelists all agreed that establishing these relationships helps both teams to move faster and ensure better decision-making. By upholding these allies, security leaders will be better integrated into the organization and involved throughout processes, not left with the crumbs at the end.

Fostering a Proactive System

Implementing a proactive approach and steering away from the traditional reactive methods was one of the final points the panel touched on. Ensuring both teams are equipped with the right tools and technology to ‘see around corners’ lights up the bigger picture of physical threats in real-time — allowing the business to stay a few steps ahead.

“We need to focus on the connectivity to the business. We’re good at being reactive; our programs are designed for reaction, but we need to change that,” Maples explained. “Networking at this conference made me realize that we all have the same top risks and top priorities, but we need to start focusing on what’s on the horizon. If our systems are responsive, they are broken.”

For more insights, take a look at Ontic Resources.