Last month’s column addressed the security organization reporting to the Chief Executive Officer, which has been a phenomenon that has been on the rise. This month we will discuss the advantages and disadvantages of reporting to the General Counsel (GC). Most enterprises combine a number of functions under the Office of the General Counsel... the most common include Chief Legal Officer, Chief Compliance Officer, Secretary of the Board of Directors and, in many enterprises, Chief Administrative Officer.
Reporting to the GC can be a good fit for the security function. The GC is typically one of the first people in the company to know when an issue arises and is also heavily involved in key decisions like acquisitions, mergers, divestitures, new facilities, plant closings, layoffs, etc.
If the GC shares information with her or his senior staff about these kinds of developments, then being at the table will help prepare the security organization for providing early support to initiatives across the enterprise. In many organizations, the security function also handles a broad range of business practices reviews (please note that I did not refer to them as investigations – some of you may know why, and others may be left scratching your heads... I’ll cover this issue in detail in a future column). While I am not an attorney and do not profess to offer a legal opinion, I have been shown documentation by GCs in the past that established legal precedent where a business practices review conducted by security falls under Attorney-Client Privilege/Attorney-Client Work Product rules when security is a direct report to the GC. My understanding is that the only other way to accomplish this is through a letter from the GC directing the security department to conduct a business practices review under her or his authority (which also typically establishes Attorney-
In every enterprise in which I have worked, the Legal Department usually was referred to as the department of “NO” by the rest of the business. Many GCs are extremely risk adverse, as their main role is to keep the enterprise out of legal binds and regulatory non-compliance issues. This can create huge conundrum for the security executive, whose focus is at helping the business leaders of the enterprise find the path to “YES.” This dichotomy of approaches to managing enterprise risk can result in the security executive being caught between a rock and a hard place. By nature, many GCs keep things close to the chest and may not share much with her or his direct reports. As a result, the security executive may be left to seek information from a network of relationships with other business leaders and colleagues throughout the enterprise. This can result in a fair amount of disagreement with your supervisor over management philosophies and leave the security executive feeling disenfranchised.
I would welcome receiving feedback from any CSOs on their experiences reporting to the GC of their enterprise. Please provide your insights on what you have found to be the pros and cons of reporting to the GC in the comments section of SecurityMagazine.com.
Next month’s column will explore the pros and cons of reporting to the Chief Financial Officer.