Like most other industries across the country, law firms are dealing with the realities of a cybersecurity services market that has a surplus of demand and not enough talent to go around. But is throwing more bodies at the problem really the best response?

Sometimes it's barely even an option. Kermit Wallace, chief information officer at Day Pitney, noted that law firms face the added challenge of having to service clients across a multitude of industries and verticals.

“While we don't have the same regulatory requirements that say a health care company does or a financial services company does, we have the expectation from those clients that we can match and model their requirements. So we're competing for the same [cyber] talent in a lot of cases,” he said.

Still, there are some interesting options available to firms and other organizations looking for holes to patch in their systems. Take, for example, using freelance hackers. Back in 2016, the Department of Defense's Defense Digital Service (DDS) launched a “Hack the Pentagon” initiative, which used ethical hackers to discover vulnerabilities in military assets.

DDS also maintains contracts with security firms such as Synack, Bugcrowd and HackerOne to continue performing similar assessments. While it's feasible that firms could do the same, Wallace pointed out there are inherent security risks that clients may not ultimately sanction.

“Your clients expect you to do this stuff, and if you're doing it with 'Joe's Pen-Testing Company' that may not be good enough. They are going to want to know that Joe has the appropriate controls in place,” Wallace said.

To be sure, there are definitely situations where clients are better off cleaning their own houses rather than passing the broom to a maid. Wallace pointed out a law firm's cyber risk profile can ebb or flow with each client that passes through either side of the door. A firm representing Planned Parenthood, for example, could attract threats from a certain kind of cyber infiltrator.

The problem, however, is that firms and other organizations can be prone to categorizing cybersecurity as an IT problem with an IT solution. Frank Gillman, chief information security officer at Lewis Brisbois, has heard responses along those lines before.

“It's like well, the minute you tell me that, I know your plan is terrible,” he said.

Instead of engaging new hires or freelancers from outside the organization, firms might be better off investing whatever resources they have allocated to cybersecurity in engaging existing personnel.

Adam Stock, chief information officer at Allen Matkins Leck Gamble Mallory & Natsis, said that previously his firm's biggest cybersecurity hole was the gap in employee education, specifically around things like how to handle documents or what to do if they clicked on a link and it started taking over their computer. Earlier this month, the firm completed the first in what will become an annual round of cybersecurity training geared towards answering those questions.

“If you view cybersecurity as something that just a few geeks in your IT department deal with then I guess there's a shortage. … I actually think our biggest issue is our current users,” Stock said.