If you’ve been paying any kind of attention to the headlines lately, you’ve seen law firm after law firm fall victim to data leaks, malware, ransomware, and all manner of information security (and PR) chaos. It’s just crazy out there, and law practices seem helpless to defend themselves. Every firm needs a Jedi Knight. Let me explain.

As I’ve been reading recent articles, blogs, and papers explaining the breaches and offering solutions in the form of security frameworks, best practices, and mitigating technologies, several realities are worth noting:

  1. Attorneys and law firms are being targeted by cyber criminals like never before because they are a clearinghouse of sensitive client data, including IP, financial information, PII, plans for M&A, and more.
  2. Threats are sophisticated, effective, ongoing and pervasive. From spear phishing and social engineering to drive-by malware infections and ransomware (now available as a service), attorneys are no match for the tradecraft of seasoned cyber criminals, or even of relative newcomers buying that tradecraft off the shelf.
  3. The problem cannot be ignored because of what’s at stake. Attorneys and firms have ethical and practical reasons to address it: failing to do so could mean a malpractice lawsuit or, worse, closing shop.
  4. The solution is technical, complex and ongoing. Creating a comprehensive strategy to protect against cyberattacks requires subject matter expertise and mastery of a technical body of knowledge, and these do not fall within the core competencies of most attorneys. “Security is not an event, it’s a process” is a popular reminder from security experts. It requires diligence over a long period of time.

Given these realities, I think it’s clear that attorneys are not the ones who can solve this problem. Don’t get me wrong, attorneys are certainly part of the solution because they are part of the problem, but as we’ve seen thus far, they won’t be the ones to lead the charge. They won’t be the ones to architect the solution, because that’s not what they do and not what they’re good at. And even if they could, that’s not really what they should be doing. It’s simply a function of, um, function.

Enter the Jedi

A chief information security officer (CISO) is basically the Jedi Knight of the information security (infosec) world. According to Wikipedia, “A CISO is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance.”

Okay, okay. That job doesn’t sound as cool as embarking on secret missions to protect princesses who are being stalked by Sith Lords bent on either controlling or destroying the galaxy. But given recent headlines and the trajectory of cybercrime rates, perhaps it’s just as heroic.

“Help me, Obi-Wan. You’re my only hope!”

Therefore, it’s about time every law practice hired a CISO in some form. We already accept that attorneys (bona fide legal subject matter experts) should be the ones advising on legal matters; by the same reasoning, doesn’t it make sense to hire CISOs (bona fide infosec subject matter experts) to advise on infosec matters? In both cases this seems axiomatic: let the SMEs be responsible for their respective subject matters. Considering the present reality, amateurish efforts are ill-advised.

“But I already have a CIO.”

Even if you already have a CIO, you may still need a CISO. What’s the difference? As one authority quoted in CIO.com put it,

“The CIO’s role is operational … their job is to keep things running. The CISO’s role, on the other hand, is to reduce IT risk.”

It may simply be a difference of emphasis, but there can be substantive differences in subject matter, with divergent training and certification paths. Top infosec certifications include CCISO (Certified CISO), CompTIA Security+, CEH (Certified Ethical Hacker), and CISSP (Certified Information Systems Security Professional), among others. Not all CIOs have analogous training or real-world experience. Don’t assume that because you have a technology person at the helm you also have an infosec Jedi.

“Fantastic. But how do we pay for it?”

Larger law practices may be able to afford a full-time CISO, staff, and a budget for security technology. DO IT! But what about mid-size practices or solo practitioners who, although they have no less responsibility to protect client data, simply don’t have the resources of their big-firm counterparts? Thankfully, a full-time CISO is not the only option. Budget-conscious attorneys might engage a virtual CISO (vCISO) or an MSSP (Managed Security Service Provider), who:

  • Can help your CIO or managing partner with specific scopes and projects,
  • Can be engaged monthly, on retainer or with pre-paid hours (often much less expensive than full-time staff), and
  • Can help you write a job requisition, then interview and vet prospective W-2 CISO candidates should you decide you need someone full-time.

Here’s a short video from one such provider, Stonehill Technical Solutions, explaining what you get by outsourcing this to SMEs.


Next steps

After you identify potential CISO or vCISO candidates, they will likely want to meet with you for an initial consultation to learn about your goals and challenges, followed by some kind of security audit or risk assessment. The results of the audit might cause some alarm, since they will reveal how vulnerable you already are, and the findings will form the basis of the provider’s scope of work and proposal. That proposal should, among other things, include a component to shore up your defenses initially, prescriptions for ongoing diligence, and a clear account of the incident response they will have in place for when (not if) a breach happens.

Don’t be too quick to use the proposals to price-shop the market and award the business to the lowest bidder; not all providers are created equal. Rather, let each candidate pull their own weight and come up with something original. This approach will give you the best sense of each candidate’s capabilities and of how they will actually protect you.

There are evil Sith Lords out there bent on profiting from your loss. Whether on the payroll, hired as a contractor, or engaged as an outside vendor, make sure you have a Jedi Knight on your team dedicated to protecting the confidentiality and integrity of your data. And may the Force be with you.

Originally posted by Kevin Krusiewicz on LinkedIn. Used by permission.