Bess Hinson became a data privacy lawyer because she was concerned about the way in which people’s data is being disseminated. Now, she has started the Atlanta Women in Cybersecurity Roundtable to help women advance in the fast-growing field.
“There is a tremendous opportunity for women to get involved,” said Hinson, an associate in the privacy and information security practice at Nelson, Mullins, Riley & Scarborough.
As cyber-attacks proliferate and intensify in severity—notably Equifax’s announcement September 7 that hackers had accessed social security numbers and other personal and financial information from 145.5 million consumers—there is a growing shortage of executives qualified to handle businesses’ data breach prevention and response activities.
Women make up only about 10 percent of the cybersecurity workforce, according to Cybersecurity Ventures and other trade groups. Hinson said this “disheartening” statistic was a major reason she started ATLWIC. The invitation-only group, whose members are women in charge of cybersecurity operations at their companies, will meet quarterly for lunch and discussion.
The first meeting late last month attracted 25 executives from Atlanta companies, including SunTrust, UPS, Cox Enterprises, Worldpay, Global Payments, Gwinnett Medical Center, Porsche Cars North America, Graphic Packaging and CareerBuilder. Hinson said the same number have already signed up for the next meeting.
The participants’ titles vary, but they include chief information security officer, chief privacy officer, and general counsel, among others. About 60 percent of the group are lawyers, Hinson said.
To facilitate the free flow of information, all the participants sign an agreement that what’s talked about at the roundtable stays at the roundtable.
Hinson hopes the luncheons will create an environment that encourages members to share ideas, educate each other and promote women’s advancement in the rapidly growing cybersecurity field.
The Girl Scouts have announced they will start awarding cybersecurity badges next year, so Hinson invited the Girl Scouts of Greater Atlanta’s CEO, Amy Dosik, to speak at the first roundtable. To earn a cybersecurity badge, young scouts will learn how computers and viruses work, how cyberhacks happen, and how to avoid hoaxes and scams.
The discussion topic at the first ATLWIC meeting was how a chief information security officer (CISO) works with in-house counsel to protect data and combat threats, Hinson said. The CISO is quickly becoming a permanent fixture at larger companies. About half of large companies had CISOs in 2016, and that’s already increased to 65 percent, according to ISACA, an international professional association focused on IT governance.
Hinson said meeting participants also debated where companies are best off locating their cybersecurity department—under the purview of the GC, the CEO, or somewhere else?
“This really matters. If you don’t have the right oversight, you may not get the [intrusion] report in a timely manner and find out about the issues,” she said.
For effective cybersecurity, people must communicate across all departments—the C-suite, IT, compliance, legal, the marketing department and areas that handle customer data, such as a financial institution’s commercial loan department, she said.
“Information is everywhere about your customers, so you have to work together,” Hinson said.
Delivering Bad News
While being a female cybersecurity leader offers plenty of opportunity, it can be taxing in a predominantly male environment, Hinson said.
“One of the goals of the roundtable is to provide support,” she explained. “You may be the only one in the room delivering news to your company that they don’t want to hear—and you have to deliver that as a female, which can present some challenges.”
The bad news could be a breach or, more often, that the company needs to spend a lot more money on cybersecurity.
“It’s not news that people necessarily want to hear—that their business isn’t good enough in this area, they haven’t taken sufficient precautions, and they need to come up with money to make it better,” she said.
The cost of setting up a cybersecurity infrastructure “is almost equivalent, if not worse,” to the budget increases companies had to make when they started setting up IT departments with the advent of computers, Hinson added.
“A lot of companies have not budgeted for cybersecurity,” Hinson said. “They may have cyber-liability insurance, but they’re not thinking about hiring a cybersecurity officer to fully vet the vendors they are employing to assess threats and address gaps in security.”
Many of these vendors are forensic experts who are former NSA or military officers, she added. “A lot of that crowd is male.”
Companies often use lawyers, whether in-house or outside counsel, like Hinson, to oversee these vendors and make sure they are complying with legal and regulatory requirements. This also allows for attorney-client privilege, Hinson said.
At least 60 percent of Hinson’s practice is breach response cases, but increasingly she’s working with companies on the front end to build a strong threat-hunting program. In the event of a breach, a company’s ability to show it has taken appropriate precautions to prevent hacks can be a mitigating factor in any ensuing litigation or government investigations.
“Every company is going to be breached,” Hinson added.
Brave New World
Hinson, 33, was in college when Facebook launched, and through her twenties she witnessed the proliferation of people sharing information via social media.
“The ‘Brave New World’ aspect captured my imagination, the way all this information could be collected about us online—much more than ever before—and be used for discriminatory purposes,” she said. “It got me thinking about what companies do with information, why they collect it and how we can protect ourselves.”
Initially, Hinson thought she would become a civil rights lawyer for cyberspace. While at the University of Michigan Law School, she interned at the Justice Department’s civil rights division and at the Southern Poverty Law Center. But her focus shifted to the companies using the data.
“I think one of the reasons I love this practice so much is I truly feel I am helping our businesses and protecting our consumers,” she said. “Data is money these days.”
Hinson joined King & Spalding in 2013 following a federal clerkship. “I was very adamant about my interest in data security,” she said, noting that it was after the Target breach but before the Home Depot breach.
There Hinson worked on breach cases and class action defense with Phyllis Sumner, who heads King & Spalding’s data security and privacy practice. (Sumner is representing Equifax in its data breach. Sumner also represented Home Depot in settlements to consumers over its 2014 data breach exposing up to 56 million card numbers.)
Even then, the concept of data breach litigation was fairly new, Hinson said. There were fewer law firms and partners who really focused on this area or paid it much attention, other than touting their experience with the Fair Credit Reporting Act—a law enacted in 1970 that governs credit reporting agencies and how they use consumer credit data.
Hackers are more sophisticated now, she said, and their intrusions go way beyond “point-of-sale breaches,” detecting data from cards as they’re swiped, as in the Target case.
“Hackers are several steps ahead. I think breaches go undetected for longer,” she said.
In 2015, Hinson moved to Nelson Mullins to build her own data privacy and security practice. She was attracted to the firm because its rates and fees are more competitive for companies of all sizes, she said.
“Data security is an issue for the Fortune 50, but it’s also the local juice shop or the government agency that collects our water payments,” she said.