CISOs: Stop trying to do the lawyer’s job