ABSTRACT

Arguably, the CISO's most critical role is that of risk manager, albeit in a different context from the corporate counsel's: instead of refereeing contractual liability, the CISO focuses on the risk inherent in the use of technology and, even more critically, data. Their training is highly specialized, just like the corporate counsel's, although often less formal. When working with legal counsel, a good CISO needs the skills of a paralegal and the eagerness of a courtroom advocate. But just as with the sales VP, corporate counsel is a relationship to be fostered, not ignored. Both roles are high-trust positions, and both deal with risk management. One of the most common errors we observe in enterprise contracts, as they pertain to security, is the wrongheaded attempt to specify precise technical controls. These are often enumerated in some form of 'data protection' appendix.