Law Firm Security Goes Back to School
Through department collaboration, hiring, and government and industry collaboration, law firms can better protect their data and that of their clients.
March 02, 2018 at 07:12 PM
9 minute read
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
Most readers of this publication today are faced with making business decisions in the face of vast cybersecurity risks. They must act defensively and understand more than just what software is available to prevent or repair an ambush. If law firms want to prevent crime, they must recognize their vulnerabilities and the associated liabilities. As one conference in London marketed the concern, “No Cybersecurity, No Clients.”
Armed with technical and regulatory weapons for preventing cyber crimes, law firms must administer policies to protect client data and use the systems and services held standard by industries like medicine and banking. No one knows when disruption will take place. New methods of adverse action force executives to make more choices and decisions. All departments must merge their vigilance and join with IT services as IT takes center stage in order to stay prepared.
|What Are the Choices for Preparation?
Hiring the right people is a place to begin, but this is also a formidable task in a fast-paced risk environment. It is more difficult than ever to evaluate the credentials of new hires on the basis merely of where they worked or trained. Their focus, if not their training, must be very current. An IT staff member trained in network administration still needs regular briefing on the broader technical field. In every area of practice, whether tax or IP, the challenge is to keep up with IT advances and changes once school is out, the job search ends, and real work begins.
Andrew Jurczyk, CIO at Seyfarth Shaw LLP in Chicago, has spent three decades in law firm technology. He has a healthy perspective on the challenges law firms face in cybersecurity since he first faced post-9/11 risk management. In executive management at a major firm, Jurczyk also sees many substantive changes today in the way managers must work with technical staff. More people work from home, for example, and staff are spread across the country or world. In the risk environment, education of a Cybersecurity Specialist never ends.
Since cybersecurity is a threat to every industry, Jurczyk has seen a need to cross-train technical staff and provide support for a variety of educational goals and interests. Doing so improves the contribution each person makes to solving real workplace problems wherever they are. Formal training can be mixed with peer learning and mentoring at work, learning from each other to serve traditional hardware, software, and application needs, as well as ward off cyber crime.
Just as Seyfarth has responded to demands by integrating specialists throughout the organization, there is a growing collaboration with industry and government. Technology penetrates everything, and so is affected by regulation, policy, and credentialing. While industry and government try to inform the schools of future personnel needs, schools are not able to keep pace. Learning must be introduced in the workplace in order to meet client demand for security. The churning process demands renewed understanding of the talent pool and what new jobs are undertaken.
To help accomplish this, firms look to people such as Karla Jobling, a corporate governance recruiter who specializes in cybersecurity talent. Karla worked to develop the BeecherMadden consultancy into becoming an award-winning recruitment company and partner of choice in the UK for risk and resilience.
Complexity in the labor market has created a need for specialists like Karla. While practice management literature provides an overview of what is current, it does not always provide sensible direction for hiring or policy decisions. With less experienced firms, a specialized recruiter can introduce a practical outcome in the effort to unite legal obligation and management practices to protect stakeholders and their data from tampering and destruction. Confusion from the over-abundance of information has a chilling effect, so learning more may help to assuage some fear.
There are opportunities at almost every level to study computer technology. The focus breaks down into topics involving information, networks and security, but advancement is easy when most students enter colleges with a serious exposure to computers. Bright students are even foregoing MBAs to get a head start with new areas such as blockchain. Why not? Consultants at Fortify Experts identify cybersecurity as a field of zero unemployment for some time to come.
As risk and liability intensify, law firms are faced with employing the best talent for IT leadership as it becomes central to all firm activity. It is enlightening to get a handle on the latest scope of training and the investment needed. There are many possibilities among degrees, certifications and credentials for capable staff already in place. As each firm is different, it may be better to train the best generalists. This can help them get to Best Practices, for example, which can always change, but the firm can lead itself with a defensive cybersecurity strategy that takes advantage of best practices at a particular moment.
At the industry level, cybersecurity strategy grows out of what we already know: the global demand for valuable information is unlimited. The demand for legal services, however, may not be. Strategy for the profession follows what we know, but it also must be developed within the individual firm. Training throughout the organization should be part of the strategy. The levels of sophistication in training reflect heightened risk, which narrows the availability of expertise from outside the firm. This adds good reason for developing capability from within. But training those already doing well is just good policy.
The Department of Homeland Security has developed its own training initiative, including those requiring security clearance. If a firm supports a cybersecurity practice, this clearance could be an asset. The number of other opportunities for training are extensive, from free webinars to formal training through the doctorate. Cyberdegrees.org lists more than 10 institutions offering online degree programs from the basic security analyst to a master's degree.
With the global marketplace trending toward increased specialization and participation, it makes sense for law firms to expand all training into protecting client and firm information and electronic space. Heimdal Security posts a blog listing 50 cybersecurity online courses. Several of the courses are for beginners, others are more specialized. The online campus at Capella University even offers government-approved digital badges when they issue certificates.
More specialized courses in cybersecurity can be found with Syracuse University. Syracuse also grants a Certificate of Advanced Study for law students in National Security Law and Counterterrorism Law. Syracuse also provides access to sponsorship from federal government programs. Independent of how current these topics happen to be, this direction is a sign of things to come in advanced training. They can enhance a legal career as well as offer practitioners greater ability to contribute to data and system protection.
From a defensive posture, law firms will find it imperative to use the cross-training approach to help their IT staff get the latest wisdom on cybersecurity. The deeper the knowledge, the more specialized the staff will become, and thus better able to mentor their team or recommend the right scope of training. Executives and managers will sleep better.
From a risk-management perspective, it would be wise for interested and willing attorneys to select CLE options in cybersecurity. A handful of states require it. Law firms themselves should encourage or require it. Opportunities for CLE are abundant. They are offered by bar associations, such as the ABA, universities, such as the Cybersecurity Institute at the University of Texas (San Antonio), private law firms, such as Steptoe & Johnson, government agencies, such as the U.S. Computer Emergency Readiness team, and CLE specialty groups, such as Lawline. More and more lawyers are involved in robotics and new applications for research and transactional practice. Lawyers can take on new roles in law firms and corporations, and advise their clients on the risk they assume. The demand for cybersecurity personnel will not soon diminish; projections already suggest a shortage of 1.5 million personnel in 2019.
In such a market, lawyers can close the shortage gap by training themselves. A partner in IT would give a firm greater awareness of its vulnerabilities and give clients greater confidence. Cybersecurity will continue to grow as a practice area as clients seek defense and recovery. Firms will be led by IT rather than merely employing it. Lawyers with technical knowledge could better communicate with clients about applications, as well as security. They are already helping to build new computer applications.
Georgetown University is offering a Cybersecurity Law Institute this May for lawyers to stay abreast of legal developments. Designed to attend in person, the program nonetheless offers a live webinar, addressing the latest law on the topic. From a purely CLE perspective, LMG Security offers some unique topics nationwide or online at affordable rates, such as courses for Cyber First Responders for attorneys in law firms.
|Conclusion
From any point of view, we no longer have a choice merely to leave the due diligence to the IT department, comfortable with the safeguards of the latest trade in software. This is an arms race like no other; being continually aware of developments will be everyone's job.
Nina Cunningham, Ph.D., is president and CEO of Quidlibet Research Inc., a global strategic planning and cost management firm founded in 1983.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250