Balancing legal and business risk: Q&A with Suzanne Tom, Delinea’s Chief Legal Officer
Barbara Hoffman
The legal team plays a key role in cybersecurity compliance, risk management, and governance. In the latest interview with Delinea’s leadership team, we sat down with Delinea’s General Counsel, Suzanne Tom, to discuss her approach to meeting legal and regulatory requirements. She shares her perspective on balancing legal, security, and business priorities, and the importance of collaboration across functions to measure and mitigate risk.
Q: How did your career journey bring you to Delinea?
I have a background as a public company General Counsel, which is very relevant to a company of our size and growth – a company that's trying to move forward pretty quickly but also thoughtful about navigating applicable law and regulation, risk management, and operational discipline.
I became enamored with the cybersecurity space based on my having worked with and advised technology companies my whole career. Unsurprisingly, cyber risk is one of the top concerns in the world of enterprise risk management, including in the boardroom. In my role, it’s important to always be mindful of threat actors, and cyber issues and, importantly, collaborate with leadership to manage cyber risk. In partnering to protect our company and stakeholders on the cyber front, I’ve been fortunate to work with and learn from amazingly intelligent and savvy cybersecurity professionals, whether in product security, information security, or technology compliance.
Coming to Delinea, a company that does this for a living, makes me feel I’m part of the fight, helping companies stay one step ahead. The solutions Delinea brings to customers are not only purpose-built to help arm customers in protecting their important assets and data, but also stand out with their ease of adoption and use. That’s a game changer when you consider the best way to protect your company assets and data is to make it easier for all your teams to use and embrace your cybersecurity tools. It’s also been very fulfilling being part of the Delinea team where the caliber of cyber expertise is truly world-class. Culturally, it’s one of the most close-knit and values-oriented companies I’ve had the pleasure to be a part of.
Q: What are you and your legal team responsible for?
Our team is small but mighty. When you have a small legal team, everyone kind of wears a few different hats. But we also hire strategically to support our key business needs. For example, our commercial team is focused on and prioritizes supporting customer transactions in close partnership with the go-to-market team.
We have a subject matter expert leading all areas of privacy and data protection, which we take quite seriously as a SaaS company. We want to make sure we’re proactive and thoughtful in how we respond to changing regulations. Our corporate attorneys oversee our governance and corporate programs and partner closely with our corporate teams.
Q: With so much going on, how do you determine priorities?
The role of the General Counsel isn’t one size fits all. Different companies implicate different areas of legal considerations, regulations, compliance, and enterprise risk. So, the way I built the team here at Delinea is very much dependent on business needs and risk considerations. Maintaining close relationships and transparent conversations with the executive team are key to prioritizing.
Legal advice, as you can imagine, has to do with the law, but it also has to do with risk management because there's a lot of judgment involved. My team places a premium on partnering and listening to our internal clients throughout the organization and having conversations to shape better advice for their business colleagues. As a company, Delinea has a customer-first mindset, which we naturally align with when partnering with our teams.
Q: How do you partner with the security team to understand and manage risk?
If you don’t really understand the risk, then you don’t know how to move forward, or you might offer a solution that is not helpful. I meet at least once a week with our CISO to talk about these issues. He sees them from a security perspective and I weigh in from a regulatory perspective. When we're having open conversations and collaborating closely, we become more attuned to the kind of risks we face, so we can shape it to be much more manageable.
I think that cross-functional collaboration is super important. The legal function is very much cross-functional with every other function in the company because to give the best legal advice, you must have your finger on the pulse of the organization. If I just sat in my office and thought, “Oh my God, the sky is falling,” we’d not get anywhere, but when I collaborate closely with my colleagues, I get the context that's important to size the risk. I understand and can prioritize what's important to us.
Q: Why is this type of collaboration so important for meeting compliance requirements?
I think it's important to always be thoughtful of how to best navigate within the law and regulations, but compliance also means you take reasonable steps and focus on continuous improvement. By collaborating closely across the company, you can tailor continuous improvement and ensure you have a reasonable fit between compliance steps and the risks you’re trying to address. Even if you try to lock everything down, I don't think you can be 100% perfect, because the threat landscape and the legal landscape are constantly changing.
For example, by working closely with the CISO and the security team, we can demonstrate that we’re taking reasonable steps that take into consideration their expert view of the threat landscape.
Q: What emerging legal issues are top of mind for you right now?
At the very top or very close to the top would be data protection and security. GDPR was a significant piece of regulation but that only applies to one part of the world. Many other countries and states are still evolving their own laws and they are all different. These regulations have a way to reach across borders and so the risk becomes fairly significant.
The other emerging area we’re closely managing is Artificial Intelligence (AI). We’re continuing to educate ourselves on the opportunities and the risks from a legal and a security perspective. This is so we can leverage AI in a smart way. AI is an area that’s constantly changing, and so many people are interested in leveraging AI for different reasons. The more viewpoints we learn, the more relevant guidelines we can put in place.
Q: How do you measure success?
The practice of law is both art and science, so not all of it is measurable. But, at the end of the day, attorneys are service providers, so one measure has to be client satisfaction—not necessarily whether the client got what they wanted, but whether they felt that the attorney was engaged, thinking and listening to the issues, and providing good advice as well as collaborating on solutions. I think it’s super important that attorneys be responsive.
Efficiency is also important for me. The legal profession started with lots of paper and a very manual approach. I’m a big proponent of automation and learning from our findings for more forward-thinking practices, policies, and templates, as well as leveraging technology.
And, of course, we measure the impact we have on risk reduction in terms of compliance issues, disputes and litigation, investigations, and other legal issues that come up. If we effectively support and provide sound advice to our colleagues and put policies and training in place, we should see that noise level come down.
Q: What advice do you have for someone who may be interested in a role like yours someday?
I think the biggest thing is to think about issues broadly, in business terms, not just legal terms. It drives how we grow the function and where we put our time and resources. You must always be learning new legal areas and expanding your knowledge of the business so you can give good advice.
If you understand the business, you can provide much more tailored and useful legal advice. Typically, there isn’t just one answer to a problem. As a legal advisor you can offer options and explain what the related risks are for different approaches. Then the business can be informed and make the best decision to meet their goals.