Why Security Needs Legal at the Table: Protecting Practitioners and the Organization
- Matthew Wold

- Oct 5
- 4 min read
In security, our work doesn’t always look neat and tidy. We investigate, we simulate attacks, we engage threat actors, and we collect forensics. These aren’t abstract IT tasks; they’re activities that walk right up to the edge of legality, ethics, and organizational risk. That’s why when someone from compliance or HR comes knocking with questions, my first move isn’t to sit down and casually explain how I do my job. My first move is to involve legal.

The Misunderstanding
From the outside, it may seem strange. If you’re not hiding anything, why not just answer the questions? But here’s the problem: security tactics, techniques, and procedures (TTPs) can be easily misunderstood. An activity like running a phishing campaign against employees or extracting volatile memory from a compromised workstation sounds very different to someone outside of security than it does to a practitioner. Without context, the story gets twisted, and suddenly the security team is the problem instead of the defense.
I’ve seen this firsthand during phishing simulations. Employees who clicked links or entered credentials often became upset, frustrated, or even embarrassed. To them, it felt like a “gotcha” moment. To us, it was a controlled test, using real-world phishing tactics, designed to strengthen defenses and reduce the risk of a real-world compromise. Without careful communication and the right legal framework, these internal campaigns can quickly create tension, misunderstanding, or even liability.
The Role of Legal Counsel in Security
This is where legal counsel becomes critical. When an attorney is present:
- Attorney-client privilege applies. That means discussions are protected, preventing sensitive details from being unnecessarily exposed or used in ways that harm the organization.
- Legal acts as a translator and shield, ensuring that security’s work is understood in the right context and not mischaracterized.
- The attorney’s presence reinforces that security is a professional discipline governed by rules, not cowboy hacking.

A Real-World Example
In one of my previous roles, I once had a request from Workplace Compliance to discuss how I conducted my work during an employee investigation. On the surface, that seems straightforward. But as a diehard security person, I wasn’t going to casually walk through my forensics process, phishing simulations, or engagement tactics without guardrails. I requested that our Security attorney be present. Compliance thought I was being cagey. I wasn’t. I was protecting myself, my team, and ultimately, the organization.
The Broader Lesson
Security is unique because it looks adversarial, even when it’s defensive. If practitioners aren’t careful, their own tools and methods can be held against them. Without legal, you risk being scapegoated, misunderstood, or worse. Mature organizations don’t treat legal as a last resort; they treat legal as a partner from the beginning.
Another important angle is communication. Security teams often send internal emails to IT departments about vulnerabilities, incidents, or risks. These messages contain privileged security information and should not be casually discoverable in data requests or FOIA requests. Security should work with their legal team to develop clear marking conventions so these communications are easily identifiable as privileged in the future.

How to Mark Privileged Security Communications
- Subject Line Tags: Add a standard prefix such as [Attorney-Client Privileged] or [Security Privileged] to the subject line of sensitive messages.
- Footer Disclaimers: Use a legal-approved footer that specifies the communication contains privileged security information and should not be disclosed without authorization.
- Retention & Classification: Ensure these messages are tagged in the email system or DLP tool with the correct classification label so they’re archived properly and excluded from routine discovery.
- Policy & Training: Document these practices in policy and provide training so both Security and IT staff know when and how to mark messages as privileged.
- Legal Awareness: Make legal advisors aware ahead of time that they may be CC’d on security communications. This ensures that when Security feels it’s necessary to protect a conversation under attorney-client privilege, counsel understands the intent and is ready to provide support. Examples include:
  - Employee investigations where forensic evidence is being reviewed.
  - Suspected insider threat activity.
  - Sensitive vulnerability disclosures that could create liability if improperly shared.
  - Communications involving potential legal or regulatory reporting obligations.
Best Practices
- Normalize legal involvement. Make it standard procedure, not an exception.
- Document when legal is required. Situations involving investigations, employee monitoring, or engagement with external actors should never proceed without them.
- Educate other departments. HR, compliance, and leadership should understand why security methods are sensitive and require protection.
- Mark communications. Work with legal to identify how emails and reports containing privileged security information should be labeled.
- Build relationships. Security, Compliance, and Legal should meet regularly, not just during a crisis.
Conclusion
Security is more than a job; it’s a way of life. And part of that life means recognizing when you need to protect yourself and your organization by bringing the right people into the room. Legal isn’t a blocker; they’re a shield. If your organization wants to mature its security program, start by making sure legal has a seat at the table.