Should legal firms have CISOs at board level?

30th January 2019

Simon Whitburn
Senior Vice President Cyber Security Services

Law firms are aware that the data they handle on a daily basis makes them prime targets for cyber criminals, whether their motives are criminal or ideological.

Three years ago ALM Legal Intelligence’s Cybersecurity Research report revealed: “95% of corporate counsel believe that cybersecurity breaches are becoming more frequent in their industries.” The situation has not improved – see our infographic which quantifies recent breaches and the state of cyber-readiness at many law firms.

Room for improvement?

The legal sector has a reputation for being slow to adopt new technology and implement IT best practice. This may be undeserved, particularly among global heavyweights, who simply could not function across territories without effective technology.

Yet the quarterly Law Firm Cybersecurity Scorecard produced by legal IT consulting firm LOGICFORCE demonstrates that law firms continue to fall behind the curve.

High level representation

Is the solution to appoint appropriate, highly-skilled information security personnel at the highest level?

Certainly, assigning overall IT responsibility at board level, in the form of chief information officers (CIOs), has been slow, and assigning specific responsibility for information security has been even slower. In 2012 the appointment of a global law firm’s first chief information security officer (CISO) was still considered noteworthy. Many small to medium firms don’t have the resources to hire an in-house expert and the team they would require. They could use outside advisors or specialist legal IT consultants to provide the necessary advice and decision making, an approach that is certainly better than relying on consumer-grade anti-virus technology.

But as legal organisations grow in size and revenue, and the stature and importance of their clients grows alongside them, it becomes clear that specialist skills are required by legal CISOs. It also becomes more likely that threats can only be mitigated effectively when cyber security representation exists at board level. This will ensure that the issue receives the attention and resources it demands.

Blending legal and information security skills

The American Bar Association in 2018 urged lawyers to become more involved in cyber security, partly to help address the shortage in specific expertise. Another driver was to help lawyers add another service to their offerings – getting involved at the contract stage for SLAs and other contractual agreements.

Cloud technology adoption is increasing the number of third parties used by law firms (and others). It therefore becomes crucial to insist that those third parties adopt robust cyber security practices and tools. Lawyers with in-depth security understanding will be able to exercise those skills to protect their own organisations as well as provide a similar service to their clients.

Litigation cases

The Bar Association also pointed out that post-event litigation will increase the need for cyber security aware legal personnel. Instances of battles between insurance companies and victims of major breaches aren’t likely to decrease.

Legal firms will also need to defend themselves and their information security practices in cases where they fall victim to cyber crime. A team approach, developing cyber security expertise among legal partners and appointing a CISO to the board to work with them, could be the best option for law firms intent on achieving growth and protecting themselves from cyber threats.
