Cybersecurity requires a strategic, team-based approach. Effective cybersecurity teams require an understanding of roles, personalities, and psychology. Strategic leadership is needed to develop both proactive security and reactive incident response teams. Tabletop exercises are important for assessing teams and allowing members to practice their roles. While cybersecurity lawyers cannot provide a "magic wand" of privilege, they can help by actively leading risk management programs and investigations to maximize potential privilege protections.
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
1. Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP | @spencerfane
spencerfane.com | @shawnetuma
Cybersecurity is a Team Sport
2. Cybersecurity is a Team Sport
Why strategic leadership and an
understanding of roles, personalities, and
psychology is important for building and
managing effective cybersecurity teams.
6. From my vantage point
What do you think is the most glaring thing missing
when I look back at the substantial incidents and data
breaches I have handled over the last 19 yrs?
1. Lack of hardware, services, gadgets, and gizmos?
2. Lack of support from management?
3. Lack of funding?
4. Lack of talent?
5. Lack of skills and knowledge?
6. Lack of strategy?
8. Sun Tzu
• “If you know the enemy and know yourself, you need not fear the
result of a hundred battles. If you know yourself but not the
enemy, for every victory gained you will also suffer a defeat. If you
know neither the enemy nor yourself, you will succumb in every
battle.”
• “The general who wins the battle makes many calculations in his
temple before the battle is fought. The general who loses makes
but few calculations beforehand.”
• “Strategy without tactics is the slowest route to victory.”
• “Tactics without strategy is the noise before defeat.”
12. Cybersecurity is no longer just an IT
issue—it is an overall business risk issue.
17. Psychology & Personality
• Psychology: “the scientific study of the human
mind and its functions, especially those
affecting behavior in a given context.”
• Personality: “the combination of
characteristics or qualities that form an
individual’s distinctive character.”
• How do you tell the difference between an
introvert and extrovert IT guy?
18. Myers-Briggs Personality Type Indicator
Extraversion (E) / Introversion (I)
How people respond to and interact with the world
around them.
• (E) turns outward, social interaction, with others
• (I) turns inward, deep meaning, time alone
Sensing (S) / Intuition (N)
How people gather information from the world
around them.
• (S) focus on what they learn from their senses, facts
• (N) focus on patterns, impressions, abstractions
Thinking (T) / Feeling (F)
How people make decisions based on the information
they gathered through their sensing or intuition
functions.
• (T) focus on facts and objective data
• (F) consider people and emotions more
Judging (J) / Perceiving (P)
How people tend to deal with the outside world.
• (J) prefer structure and firm decisions
• (P) more open, flexible, adaptable
22. Common Questions about Teams
• Who should be on the team and what should they
know?
• What are the team members’ responsibilities?
• How do team members’ personalities affect their roles
and performance?
• How should the team be organized?
• Who is responsible for developing the strategy and
seeing the whole playing field?
• If you have cyber insurance, who is the contact person?
26. Incident Response Preparation
• Incident response plan
– Establish the process
– How long or detailed should it be? “Complexity is the enemy of
execution”
• Preparing for unknown unknowns
– You can’t prepare for everything. But being better prepared equips
you with the skills, ability, and mindset you need to improvise, adapt,
and overcome.
• Owner: responsible for ensuring the team is prepared.
• What is needed:
– Preparation: what helps you understand priorities, even as they
change
– Discipline: hold the course, knowing what you have to do
– Prioritize: quickly assess the highest priority
– Execute: execute that priority, then move on to the next priority
27. What is a great way to assess your team?
Tabletop exercises
• Team benefits
– Know their role
– Know each other
– Understand the role, ask questions, work out uncertainties now, not
in a time of crisis
– Preparation leads to more comfort
– Buy-in: get everyone to contribute
• Company benefits
– Evaluate your team
– Practice makes perfect
– Preparation
29. Got Privilege?
• Great sales pitch → the magic wand!
• Mature understanding → not so simple!
• Prepare by doing everything possible to ensure the applicability of privileges,
but carry out the work as though there will be no privilege.
– Retain experienced cyber counsel to assess cyber risk and to develop and lead the cyber risk
management program.
– List counsel’s role in the engagement agreement.
– Develop a communications protocol at the outset.
• i.e., “if it doesn’t need to be in writing …”
• Counsel must actively lead and stay engaged in the process.
• Counsel should hire, direct, and receive information from consultants.
• If an incident occurs, consider multiple tracks:
– proactive risk management;
– normal business investigation;
– investigation in anticipation of litigation.
31. Laws & Regulations
Types
• Security
• Privacy
• Unauthorized Access
International Laws
• GDPR
• Privacy Shield
• China’s Cybersecurity Law
Federal Laws and Regs
• FTC, SEC, HIPAA
State Laws
• All 50 States
– Privacy + security (some)
• NYDFS, Colo FinServ, CaCPA
Industry Groups
• PCI
• FINRA
Contracts
• 3rd Party Bus. Assoc.
• Privacy / Data Security / Cybersecurity Addendum
Banks & Financial Institutions
• GLBA
• Dodd Frank
• FFIEC (Federal Financial Institutions Examination Council)
33. Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
Board of Directors & General Counsel, Cyber Future Foundation
Board of Advisors, North Texas Cyber Forensics Lab
Policy Council, National Technology Security Coalition
Cybersecurity & Data Privacy Law Trailblazers, National Law Journal
SuperLawyers - Top 100 Lawyers in Dallas (2016)
SuperLawyers (2015-18)
D Magazine - Best Lawyers in Dallas (2014-18)
Officer, Computer & Technology Section, State Bar of Texas
Privacy and Data Security Committee, State Bar of Texas
College of the State Bar of Texas
Board of Directors, Collin County Bench Bar Conference
Past Chair, Civil Litigation Section, Collin County Bar Association
North Texas Crime Commission, Cybercrime Committee
Infragard (FBI)
International Association of Privacy Professionals (IAPP)
Shawn E. Tuma
Spencer Fane LLP
Partner & Co-Chair, Cybersecurity & Data Privacy Practice
O 972.324.0317
M 214.726.2808
stuma@spencerfane.com
web: spencerfane.com
blog: shawnetuma.com
@shawnetuma