August 25, 2008

Should a security professional have a legal background?

Graeme points to this entry that posits that security people need a legal background:

My own experience and talking to colleagues has prompted me to wonder whether the day has arrived that security professionals will need a legal background. The information security management professional is under increasing pressure to cope with the demands of the organization for access to information, to manage the expectations of the data owner on how and where the information is going to be processed and to adhere to regulatory and legal requirements for the data protection and archiving. In 2008, a number of rogue trader and tax evasion cases in the financial sector have heightened this pressure to manage data.

The short, sharp answer is no, but it is a little more nuanced than that. First, let's take the rogue trader issue, being someone who has breached the separation of roles within a trading company, and used it to bad effect. To spot and understand this requires two things: an understanding of how settlement works, and the principle of dual control. It does not require the law, at all. Indeed, the legal position of someone who has breached the separation, and has "followed instructions to make a lot of money" is a very difficult subject. Suffice to say, studying the law here will not help.

Secondly, asking security people to study law so as to deal with tax evasion is equally fruitless, but for different reasons: it is simply too hard to understand; it is less law than an everlasting pitched battle between the opposing camps.

Another way of looking at this is to look at the FC7 thesis, which says that, in order to be an architect in financial cryptography, you need to be comfortable with cryptography, software engineering, rights, accounting, governance, value and finance. The point is not whether law is in there or not, but that there are an awful lot of important things that architects or security directors need before they need law.

Still, an understanding of the law is no bad thing. I've found several circumstances where it has been very useful to me and people I know:

  • Contract law underpins the Ricardian contract.
  • Dispute resolution underpins the arbitration systems used in sensitive communities (such as WebMoney and CAcert).
  • The ICANN dispute system: an experienced practitioner realises that touching domain registries can do grave harm. In the alternative, a jurist looking at the system will not come to that conclusion at all.

In this case, the law knowledge helps a lot. Another area which is becoming more and more of an issue is that of electronic evidence. As most evidence is now entering the digital domain (80% was a recent unreferenced claim) there is much to understand here, and much that one can do to save one's company. The problem with this, as lamented at the recent conference, is that any formal course of law includes nothing on electronic evidence. For that, you have to turn to books like those by Stephen Mason on Electronic Evidence. But that you can do yourself.

Posted by iang at August 25, 2008 03:38 PM


I enjoyed meeting you at the recent conference. I have also enjoyed reading your blog. It is a problem that formal courses in law do not treat electronic evidence in depth. It is even more troubling that judges do not have adequate training to understand even the basics of electronic evidence. Consequently, some judges defer to special masters in electronic discovery issues.

In an August 21, 2008, article "Beware Masters in E-Discovery," William McLean cautions that reliance upon masters can, in many instances, exacerbate the problems. Litigation is now more of a discovery battle than a contest upon the merits of a dispute.

The solution will never be to expect or require security professionals to have formal training in law. While security professionals can, in only some instances, benefit from such training, it is far better to have legal professionals provide their insights and advice to security professionals and the public in a more comprehensible manner. As suggested by Richard Susskind, lawyers can gain a competitive edge by packaging their legal knowledge and information (as opposed to advice) in a more easily digested form (e-books, intelligent agents, etc.). I look forward to the day when I can sell my legal knowledge (information, really) at a reasonable cost to a vast audience. Perhaps a legal information e-book for security professionals would be a good start!

Daniel Perry
US Attorney and Civil-Law Notary

Posted by: Daniel Perry at August 26, 2008 07:23 PM

Thought I had correctly submitted the links but here they are: Beware Masters in E-Discovery

Richard Susskind

Posted by: Daniel Perry at August 26, 2008 07:28 PM

Having worked as an information security professional, gotten a law degree, and done much thinking at the intersection of security and law, I'd say the answer is "yes and no." At a high-level view, law and security are trying to solve the same problems: fraud, theft, privacy, etc. In this regard much of the law is highly evolved and information security is a neophyte. Much law condenses centuries' worth of practical experience about what people tend to do to each other and ways of preventing or redressing it. On the other hand, many security threats are novel and neither the law nor information security deals well with them.

Today, law as well as security professionals and protocols are generally both needed to address major information security problems, such as phishing and identity theft. Often, as Ian suggests, accounting and auditing are also needed.

When security protocol designers invoke imaginary entities such as "trusted third parties", usually in practice this means that law, accounting, or both are needed. A security protocol designer who is aware of the strengths and limitations of these traditional methods can do a far better job, for example by using information security to enhance legal enforcement (e.g. through better evidence gathering), or by filling gaps in the law, rather than trying to invent complete solutions from scratch.

As a practical matter, though, people with law degrees tend to get channeled (by guild regulations as well as cultural habit) into doing just law, and security professionals tend to be unaware of most legal issues. As a result, cross-learning and teams involving both lawyers and security professionals are a more practical way to go for solving real-world security problems than trying to find people experienced in both. For information security professionals, getting a law degree will probably not substantially advance their careers unless they want to switch entirely to law.

Posted by: nick at August 28, 2008 08:24 PM