Morris Manning & Martin, LLP

Cybersecurity Law & Strategy profiles MMM’s Bess Hinson


Bess Hinson, the head of MMM’s Cybersecurity & Privacy group, also founded the Atlanta Women in Cybersecurity Roundtable. Bess and several members of the group spoke recently with Cybersecurity Law & Strategy about the importance of the organization, protecting sensitive data, complying with changing regulations, and much more. 

Cybersecurity Law & Strategy

Q&A with Women Leaders in Cybersecurity and Privacy

Reprinted with permission


In 2017, Atlanta attorney Bess Hinson founded the Atlanta Women in Cybersecurity Roundtable, an invitation-only initiative to provide community and resources to advance women in cybersecurity in Atlanta. Here, we speak with some of those women leaders about their biggest security and privacy challenges and why women are pursing legal and other roles in the cybersecurity and privacy field.

Joining the Q&A are Bess Hinson, Chair, Cybersecurity & Privacy Practice at Morris, Manning & Martin, LLP; Kathy Fithen managing principal consultant at Secureworks and former chief privacy officer at The Coca-Cola-Company; Eden D. Doniger, assistant general counsel and privacy officer at Cox Enterprises, Inc.; and Susan Lam, vice president, global client security at Equifax, Inc.

Bess Hinson

Question: Why did you start the Atlanta Women in Cybersecurity Roundtable?

Hinson: Currently, women comprise about 10% of the cybersecurity workforce in the United States. This statistic is disheartening. My hope is that by coming together, Atlanta women currently working in cybersecurity will share insights that enable us to remain in cybersecurity leadership positions and to also lead the way for other women to pursue and advance within this field.

Q: Why should lawyers consider a career in cybersecurity and privacy law?

A: Women have an enormous opportunity in the cybersecurity field. Not only does the cybersecurity industry have a severe labor shortage, thus making jobs immediately accessible to women, but it is also a field that allows for early interactions with the C-suite. Although this specialty is often perceived as one that is strictly technical in nature, this view is a fallacy. In fact, cybersecurity is a field of professionals concerned with helping and protecting people — which is one of many reasons it is abundant with opportunity and appeal for women. Lawyers are well qualified because the work is often focused on strategically evaluating and managing varied risks.

Q: How do you prepare leadership at a company for the swift changes in privacy and data security laws and regulation?

A: Companies that are compliant with laws such as the GDPR or the California Consumer Privacy Act enjoy a competitive advantage. As a result, it is important to educate leadership on how legal compliance helps the sales team to procure additional contracts, as many larger customers now ask as a threshold question whether a service provider, for example, is GDPR compliant.

Q: Why do you think that women are well positioned to work in corporate cybersecurity and privacy roles?

A: In a crisis situation, such as a data security incident, there are many work streams to manage and tasks to complete simultaneously. Women are adept multi-taskers, and that skill set pays off in the event of a data breach. In addition, cybersecurity touches nearly every department and it is important for leaders to communicate with and listen to a wide variety of employees in order to obtain the information needed to resolve a cybersecurity incident. It is important to be diplomatic in these situations, and for some women, diplomacy is their strength.

Kathy Fithen

Question: When and how do you communicate “bad news,” such as the news of a data security incident, with leadership and stakeholders?

Fithen: This depends on the culture and relationship between the leadership and the security function. I think the most important part of the communication is clarity on what is known, what is believed, what actions are in progress, what actions are planned, and timing of those planned actions. I think “regular” communications is very important, but the timing of those regular communications will depend again on the culture and relationship.

Communications templates should be planned, and should include communications to not only the leadership and stakeholders, but also employees, contractors acting as “employees,” as well as the media/public.

Q: How do you prepare leadership at a company for the swift changes in privacy and data security laws and regulation?

A: There are a number of things we can do: 1) regular communications to the leadership about the proposed laws/regulations, and how the company is prepared to meet or could be impacted by a new requirement. Maybe a joint communication between CISO and Legal Offices (as part of alignment); 2) a regular part of executive and/or Board briefings as part of overall security and/or privacy program overview; and 3) partnership through external counsel for updates and their perspective

Q: In your role, what is your top security challenge with respect to the EU General Data Protection Regulation/Global Information Security and Privacy Program?

A: What I see from our clients is actually knowing what Personal & Sensitive Personal Information they have, where it is stored (all the locations), who has access to it (internally and third-party access for processing), how that data is protected, including protection obligations for vendors with access to that data, and breach response preparedness.

I think the next challenge is the partnership among IT, Legal, and the business owner of the PI and SPI to ensure that the data is protected but also the business is enabled through meeting GDPR and other security and privacy laws/regulations.

Q: Is the GDPR a new baseline for U.S. businesses? If so, why?

A: I think parts of GDPR are the new baseline, but when I speak to clients or at conferences, I focus on the knowledge of all company-sensitive data (not just PI & SPI) as our baseline. We should know what data, where it is, who has access to it, how it is protected, and be prepared for a breach. PI & SPI are very important, but so are other intellectual property data.

Q: How does the CISO (or Chief Privacy Officer, if that is your role) collaborate with in-house counsel to protect company data from threats? Alternatively, how does in-house counsel work with the CISO and/or Chief Privacy Officer to protect company data from threats?

A: What I see from our clients, often the CISO and legal offices do not work together. I believe it is extremely beneficial when these offices work together but they need to learn to speak to each in terminologies that they each understand. The CISO office needs to understand legal and regulatory protection requirements, and the legal office should understand how the CISO office is using technologies and processes to meet those protection requirements.

Q: What are the biggest challenges in tackling corporate cybersecurity risks from a management perspective?

A: Understanding and alignment on protection requirements across the business is probably one of the biggest challenges due to different priorities and different terminology/language. Second, ensuring that you are getting the value from security tools/technologies. So many clients have security tools/technologies that they have purchased but are not getting the full value from those tools, have tools that duplicate capabilities, or just have not yet installed the tools at all. Third, that knowledgeable staff be part of the security team, and keeping them.

Eden D. Doniger

Question: What are the biggest challenges in tackling corporate cybersecurity risks from a management perspective?

Doniger: All companies, large and small, are potential targets of organized cybercrime. Some are also potential targets of nation state actors and hacktivists. Businesses make great targets because they are swimming in valuable data, but their employees are often not cyber-aware and trained; their information security programs are either developing or non-existent; they don’t usually have tone at the top that cybersecurity is a critical priority; and they typically lack a process for communicating about cybersecurity risk and preparedness. Even a company with a privacy officer, a chief information security officer, and resources to build programs and defenses can still face a steep uphill climb if tone at the top and established communication protocols don’t exist. This is particularly challenging for large companies that juggle a multitude of employee training and communications priorities.

Q: What are some of the challenges for a woman who works as a CISO or in a similar security role?

A: I have met some incredibly talented, powerful information security executives who are women. The sense I get is that they have to work harder to prove they belong and have the chops in an IT world that has been male-dominated for a long time.

Q: Have you been able to find a community of women cybersecurity professionals?

A: Absolutely. There are a lot of women in privacy and cybersecurity in Atlanta. We love to share experiences, ideas and insights. There is a sense of camaraderie and a desire to mentor that seems unique to the field, probably because it is relatively new compared to so many other fields. The Atlanta community has also really benefitted from the Women in Cybersecurity Roundtable that Bess Hinson of Morris Manning recently created. We look forward to getting together every quarter and connecting informally outside of our meetings. My network has grown tremendously as a result. I think every major city should have a group like this.

Q: Why do you think that women are well positioned to work in corporate cybersecurity and privacy roles?

A: I don’t think it’s possible to come up with reasons that can be attributed to all women who work in this space. But I can say from my own experience as a corporate privacy attorney that the ability to lead by influence, patience, attention to detail, and a design mindset are key to one’s success in a corporate cybersecurity or privacy role. Whether I am drafting a policy, creating a new process, managing an incident, or advising on a business initiative, my business partners know that I will be even-keeled and steady. I will listen and consider alternatives. I will take the time to get to know their goals and concerns. And I will not be led by my own ego.

True partnership between a lawyer and a client in any endeavor that involves assessing risk or solving a problem — especially when there is a lot at stake — is not something that comes easily to everyone. You have to have the innate skills and traits to get there — hopefully quickly because there’s usually not a lot of time to waste.

Susan Lam

Question: What are key strategies for managing outside vendors and resources related to information security?

Lam: Outside vendors and suppliers are critical in augmenting performance of functions that are outside of an organization’s core competency. Resourcefully managing vendors starts with having a comprehensive understanding of the relationship and service agreement. From an information security perspective this extends to understanding the specifics of involved data flow, such as how data is being transmitted, what data is being transmitted, who can access the data, and how it will be accessed.

When sharing data with a third party, you are entrusting them with securing it, so it is important to proactively conduct security due diligence and assess their operating environment against industry best practices to identify gaps that need to be addressed. In the same vein, it is important to collaborate with your legal team to ensure that the appropriate contractual security requirements are documented in the vendor agreement.

While these factors are all critical in initiating a successful vendor relationship, the long-term success of your relationship with your vendors will ultimately depend on frequent, transparent communication with the third party in order to build meaningful partnerships. These long-term partnerships are mutually beneficial and allow organizations to develop better solutions together.

Q: Have you been able to find a community of women cybersecurity professionals?

A: There are some wonderful networks that I am a part of where women from cybersecurity, risk, and privacy come together to support and enrich one another. The Atlanta Women in Cybersecurity Roundtable is an initiative founded by women in Atlanta who want to share their experiences, collaborate on industry initiatives and inspire young women to enter the field. The Executive Women’s Forum is one amazing national organization that is focused on helping women leaders within information security, IT risk management and privacy industries. These professional organizations show women that they can achieve anything in the world of cybersecurity. In addition to support from women, it is really uplifting to see support from other leaders across the industry; our CISO, Jamil Farshchi, has been incredibly supportive of encouraging more women to explore a career in cybersecurity. Cybersecurity is a vast field where many women are able to find engaging and challenging opportunities, and I would highly recommend anyone who might be interested to consider it.

The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.

Click here to see the full article online.