This post was originally published on CloudExpo by Brad Thies.

Cybersecurity is a complex field, and with laws varying across states and countries, keeping cloud usage compliant can become a real headache for enterprise security decision-makers.

As regulations continue to lag behind the rapid pace of technological advancements, many IT security professionals turn to the expertise of cybersecurity lawyers, who not only understand the ambiguities of the law, but are also able to secure and protect their employers’ interests in the case of a breach.

When Is a Cybersecurity Attorney Needed?

There are times when cybersecurity lawyers are essential. Given recent developments such as Edward Snowden’s National Security Agency leaks, the exponential growth of the Internet of Things, and the throwing out of Safe Harbor Rules, privacy is an ever-evolving concern for businesses. Every company must ensure the safety of its users’ data, and a qualified cybersecurity attorney should review privacy policies and programs to ensure proper compliance.

The use of such legal experts should be incorporated into the incident response plan in addition to having the experts review procedures. When a breach does occur, the public relations team cannot be left to draft communications on its own.

Each state has its own laws on what is required when making a breach public. The laws set thresholds for dollars and numbers of affected records, and even criteria relating to the level of data encryption, to help determine whether a breach must be reported. This means companies have to be careful when disclosing breaches, as poor communication can risk litigation.

Staying Compliant Without One

Cybersecurity attorneys are not necessary, however, for everyday operations. While they play an important role in dealing with specific crises, it is possible for a company’s security officials to cope with most situations on their own. Many companies would be better served by hiring someone to manage their information security teams and train up their general counsel to address typical security risks than by spending top dollar on an attorney specializing in cybersecurity.

The creation of an information security plan, for instance, is a task far better suited to IT security professionals and chief security officers than to lawyers, as are decisions regarding cloud strategy. When it comes to ongoing monitoring of the environment and cloud services, unbelievable technologies are available to support information security management and to serve as the eyes and ears preventing a serious compromise of data.

A cybersecurity attorney is not equipped with the experience of running governance programs or of managing risk and compliance activities for all aspects of cloud computing. The CSO must instead take the lead on those.

Performing a Risk Assessment

Before proper compliance can be built into the system, all business risks and technical controls must be reviewed. How mature are the security management practices? Organizations generally fall into three maturity levels:

  1. Basic protocol is the blocking and tackling of security. It is understaffed and lacks reporting metrics, controls, policies, and processes. It may even lack executive support for security budgeting.
  2. Compliance-driven cloud security goes beyond the basic and looks toward compliance frameworks, such as ISO 27001/2, to drive security. This is better but still lacks the focus of a proper and authoritative security system.
  3. Risk-based security is multilayered. It can correlate events, such as security incidents, across multiple disciplines and business environments to rank and respond to them. It uses dynamic information security and IT audit controls to ensure that data are safe, secure, and routinely inspected.

Once the security environment has been assessed and its maturity defined, companies must look to implement a framework that improves security in the following elemental areas:

Source: KPMG LLP's Security Maturity Continuum

Several IT governance, risk and compliance tools can be used when building the best security management programs. These help the system to run smoothly and also aid adaptation to changes in personnel, ensuring that employee turnover doesn’t lead to a breach.

Cybersecurity attorneys are still important in times of crisis, but for day-to-day security they are an expensive luxury. Compliance can be achieved without them.