The Legal Defensibility Doctrine

I've written about defensibility and recoverability before, touching on the notion of using a legal basis for building a defensible security position. (See here; here; and my March 2010 ISSA Journal article, "Architecting Adequacy: When Good Enough Really Is.") More recently, I floated the idea at the ABA InfoSec Committee meeting during the RSA conference. The response was very positive and even got me some air time on a couple panels in the RSA LAW track.

But what is "legal defensibility," really? How does it amount to a new doctrine for the infosec community as a whole? And, most importantly, how and why should you use it to successfully promote security initiatives?

A Definition

Legal defensibility is defined as follows: An organization must proactively build a case that can withstand legal scrutiny, demonstrating that it has done everything reasonable to protect itself and its assets in order to preserve and build long-term value. The organization should operate under the assumptions that: 1) it will experience a security incident; and 2) as a result of such an incident, it will be subject to legal proceedings (civil or criminal) that challenge whether or not it did what was necessary and reasonable in protecting itself. The principles inherent in networked system survivability (PDF download), including defensibility and recoverability, should become the basis of the proactive approach to building a case against negligence.

A Security Strategy

First and foremost, I view legal defensibility as a security strategy, rather than as a legal strategy. (Disclaimer: IANAL, and thus this is not legal advice.) The driving factor behind this belief is that the traditional arguments for security are tired and failed. We've been only marginally successful within infosec in compelling business and government to do what is necessary to protect its own interests, protect its intellectual property, and act in the best interests of its shareholders, employees, and customers. Now we need to try a different approach.

The best two examples I can give for why legal defensibility is a plausible and useful security strategy are:

  1. The case of Heartland: Heartland Payment Systems thought that it was compliant with the Payment Card Industry Data Security Standard (PCI DSS). The company's managers thought their systems were secure. However, as this interview with their CEO shows, Heartland didn't look at security holistically; rather, it took on blind faith that compliance with a single regulation (that only covered a portion of their IT environment) somehow made them "secure."
  2. Risk management confusion: Let's admit a couple of hard truths. First, outside of insurance and financial services, very few organizations are doing true, formal risk management. Second, most security "risk management" is built on a house of cards, failing to pin risk ratings to anything material and meaningful. As a result, there is generally a lot of confusion among executives and senior management about what information "risk" means at any point in time. Companies need to define risk more concretely and specifically, linking risk assessment findings to concrete business motivations.

The goal of legal defensibility is to address these strategic gaps by providing a far less abstract approach to enterprise security that looks at the whole of the organization—starting from what is core to the business and working on a couple key premises.

Fundamentals of Legal Defensibility

There are two premises that underpin the notion of legal defensibility:

  1. "When," not "if": The reality today is that all organizations should expect a security incident to occur. In fact, it's reasonable to expect that every organization has already experienced, or is currently experiencing, a security incident of some type. These incidents range from malware infections to targeted attacks to severe data breaches. Accordingly, the organizational focus should be exclusively on when a breach will occur and how your organization will respond.
  2. Protect what's valuable: As part of the legal defensibility doctrine, it is important to know what is important to the business. By "important," I primarily mean material: if X process/system/application/data is affected, then it will have Y impact on your business. In my experience, businesses tend to intuitively know what is most important; although it seems rare, especially in the SMB space, that businesses these days are actually enacting security in defense of these interests (see my previous post "A Sense of Self-Preservation"). It is imperative that organizations know themselves very well—and that they consequently act to preserve their long-term value, rather than merely obsessing over quarterly results.

There's another aspect of the legal defensibility approach that should be considered in regard to business value: Not all security breaches are materially detrimental. In many cases, publicity of data breaches has little or no long-term negative financial impact. Heartland, for example, took an initial hit on its stock price (see this analysis from July 2009), but it's now back to trading at about the same levels that it had prior to its breach announcement. More importantly, it has developed a new product strategy that will undoubtedly add long-term value to its business.

The Key: Reasonability

The key to success and viability in legal defensibility is simply reasonability. In the US court system, the concept of "the reasonable man" is often used to gauge whether assessed actions were appropriate in a given context. This concept has ties back into the world of "common law." (If you're super-interested, I recommend taking a couple law classes just to see how crazy the legal system used to be.)

There are actually two uses of reasonability that are core to the legal defensibility doctrine:

  • A reasonable standard of care: I've heard lawyers bandy about the concept of a "reasonable standard of care," which essentially means that your organization has done what is demonstrably "reasonable" to protect its assets. The term "reasonable" essentially addresses whether or not your interpretation of protection is consistent with the interpretation of the general populace. The case I've heard referenced in a classroom environment is that of the T.J. Hooper, in which a shipping company failed to use technology that was "so extensive as to be a nearly universal practice or custom, but not required by statute." The company was found to be negligent and liable for client losses stemming from its technology failure. Although this case might not be popular in modern case law, it nonetheless gives us a notion of how the courts can interpret "reasonable standard of care."
  • Reasonably foreseeable: This is another concept that can make legal defensibility a bit challenging. We've already conceded that security is a matter of when, not if, an incident will occur. Now consider the consequences if, in building your legal defenses and hedging with recoverability capabilities, you didn't defend against the latest, greatest zero-day attack. Would that be negligence? The answer lies in the development of case law and the fair application of that law. A company should be prepared for the emergence of zero-day vulnerabilities and exploits, and it should have a methodology in place to address them. Although you could not reasonably be expected to somehow patch a zero-day vulnerability before the patch was available, you can be expected to have assessed the impact to your environment and taken reasonable compensating efforts to protect yourself in the interim.

The bottom line here is that you'll need to be prepared to make an argument to 12 angry men that demonstrates how your organization did what was reasonable to protect itself and its assets. Failing to make such a compelling argument will likely result in an adverse, costly judgment that your organization was not competent, may have been negligent, and who-knows-what else.

More than "Due Diligence"

My friend Alex Hutton recently wrote an article titled "Why I’m Skeptical of 'Due Diligence' Based Security," in which he discusses some potential failings in the traditional "due diligence" approach to security. He rightly notes that this approach is really the same as the compliance mindset, which focuses not on doing what is right or adequate, but on doing the bare minimum to meet the technical requirements of regulations and agreements. Such a limited approach excludes actions that are necessary to protect the business itself.

Legal defensibility is about far more than due diligence. Although due diligence and compliance, along with security risk management, are certainly part of building a legally defensible position, they are not the end goal. Rather, they are part of the means to the end. To reflect the reasonability standards mentioned above, legal defensibility is very broad, very flexible, and emphatically proactive.

Inclusive, Holistic, Comprehensive

The legal defensibility doctrine promotes an inclusive, holistic approach to protecting the business. By its very nature, it cannot exclude anything that is reasonably part of a comprehensive strategy—barring measures that simply aren't cost-effective. This approach is not entirely analogous to the conventional concept of security risk management, however. I've often said that we need to throw out information risk management when we start talking about legal defensibility. For too long we've tried to justify security investments with arguments based on business risk, only to fail time and again. The reasons for these failures are myriad and largely beyond the scope of this post. Suffice to say, however, that they range from overly abstract conceptualization to controversies (true or hyperbolic) surrounding specific methodologies, such as whether or not we can accurately calculate incident probabilities. Overall, I view information risk management as being too myopic. It lacks the breadth of view and knowledge necessary to make quality decisions for the whole enterprise.

Of course, there is a time, place, and purpose for information risk management; particularly as a factor in a legal defensibility approach. In practice, you still very much need risk management—just not as the sole driving force for security decisions.

In fact, most areas of security management have a place in a legal defensibility case. How much do I believe this to be true? Enough so that I still believe that my TEAM Model v2 (diagram below) provides an excellent roadmap for implementing a legally defensible position. If you examine the diagram, you'll see there is a place for knowing the business, a place for information risk management, a place for information security operations, and a place for quality and performance management (which includes audit, compliance, pentesting, code analysis, and various metrics and measurements).

TEAM Model by Ben Tomhave

Total Enterprise Assurance Model (TEAM), authored by Ben Tomhave

Promote Proactivity

Perhaps the most important aspect of the legal defensibility doctrine is that it promotes a proactive approach to protecting the business, allowing the business to define itself in a manner that makes business sense. This approach requires de-emphasizing activities that are tied exclusively to regulatory compliance in favor of planning measures that benefit the business and help protect and grow long-term value. Simply put: if a given measure costs more than it benefits the business, then a legitimate argument can be made—proactively—that the measure should not be used because it does not add long-term value. As long as that analysis is reasonably complete and the decision is thoroughly documented for posterity, it seems to follow that the position is defensible.

Codifiable

Part of the elegance of legal defensibility is that it is flexible in a way few regulations and standards currently are. It does not specify exact technical countermeasures; and, unlike regulations such as Sarbanes-Oxley (SOX) and Gramm-Leach-Bliley (GLBA), it creates the basis for legal arguments that go to the heart of competence and negligence in business management. If there is one thing American business culture could use right now, it is a legal framework that sets the machinery in motion to build case law around what can (and can't) be reasonably expected in terms of self-protection and building long-term value.

Concluding Thoughts

Legal defensibility as a concept is still evolving, but the feedback I've already received has been extremely positive. The doctrine makes sense and is easily explained, regardless of the recipient's background. Another beauty of the legal defensibility approach is that the majority of people implicitly understand the goal: to make an argument that we did what we reasonably thought or knew to be right in protecting our assets.

At the same time, legal defensibility provides a good way to tell executives, boards, and senior management, "Listen: we are not doing what we need to do to protect ourselves, and it's going to lead to bad consequences." It also creates an excellent opportunity for security teams to partner with legal teams (who often hold more sway with executives and boards) in getting high-level support for better protection against security threats. And since security negligence has the potential to be codified in law—making it litigable in civil and criminal courts—it seems likely that executives will start paying closer attention.

Hopefully you'll find this argument compelling. I look forward to your feedback. :)

[Editor's note: You can write Ben via his T2P community profile.]
