Guest Blog by Jamie Herman, Firmwide Information Security Manager at Withers Bergman LLP
Law firms face information security challenges similar to those of financial institutions, yet they continue to drag their feet on developing a robust security strategy. Is cost the inhibitor, or are we simply witnessing a natural progression towards the multidimensional model of information security now evolving within the legal industry? The answer can be broken down across three categories (which one might argue are variations of each other): culture, cost, and alignment. I like to call this the CCA model (self-explanatory, I know). Like most partnerships, law firms have culture to contend with, and not just culture within the confines of the firm; for an international firm, there is also the cultural asymmetry between the American, European, and Asian offices. This disparity creates a slippery slope that information security leaders and business leaders must navigate to reach an agreed-upon strategy and set of policies. Let's take a look at the CCA model in slightly more detail and put parameters around achieving success in this space.
- Understand the culture of the firm, the partners, the support staff, and the regions the firm operates in.
- Work within the structure provided at your firm, as deviating too far from current practices will raise red flags and hinder progress.
- Most firms allocate a minimal amount of budgetary resources to infosec; change this. Creating business cases or ROSI (Return On Security Investment) projections can go a long way towards convincing the firm that it can't afford not to increase infosec spending. This is not solely about technical controls; it is about user awareness training together with administrative and operational controls.
- Work with other I.T. leaders to identify projects that might be of a lesser priority in favor of information security initiatives in the coming year. Having all technology leaders aligned in their thinking will present the unified front necessary to push it forward, without resource conflicts.
- Align the information security strategy with the business strategy. Without doing so, your attempts will fail. This takes time, not only to draft the strategy in proper alignment, but to get the much-needed feedback from other key stakeholders to ensure you are on the right path. Nobody wants to draft an infosec strategy and find out a week later that the business has shifted its organizational goals for three to five years from now. Remember, we are identifying how infosec can not only protect the firm's and clients' data, but also potentially give the firm a competitive edge in the end.
- Recognize legal or regulatory drivers that can help to expedite buy-in for infosec in your organization. Legislation, directives, and regulatory requirements are passed throughout the year, and each can change the stance that the business takes.
Look, this is the elephant in the room, and everyone knows that at some point they need to get their checkbooks out and get their house in order. But this is not just about the money; for the first time in technology, we can innovate and make drastic changes that massively benefit the business without a great deal of spending. The key is shifting the mindset from a reactive position to a proactive one. Training the business to conduct itself in a more secure fashion is priceless, and it is not until that is achieved that you will see the ultimate return on your investment. This is not about installing some really slick IPS and carrying on with your business. Infosec is a living, breathing animal that needs care and feeding. Nurture security as if it were your child, take care of it and build the right foundation for it, and you won't be bailing anyone out of jail, being deposed, or sitting up at 3:00 am trying to figure out where you went wrong and how you were compromised.