How Law Firms Can Better Implement Information Security: Coordinating Security Roles
What is information security, and how do we do it better? At LegalSEC 2018 I had the privilege of participating on a panel that addressed this topic. Our panel included a Principal Security Architect (myself), an Information Security Officer, and an IT Manager.
The takeaway: Different roles in a firm each have a different view of information security and coordinating between them is the only way to do information security well.
Let’s look at some common roles that impact information security:
IT: Primarily a service delivery role that prioritizes meeting or exceeding users' expectations about which technologies they have access to and how. Its contribution to information security focuses on implementing technical controls to protect the services it delivers.
Operations: Concerned with the efficient and effective operation of the organization, with an emphasis on the firm's business drivers. This role manages the processes within the organization and maintains awareness of personnel activities, including onboarding and offboarding of staff, physical access to resources, and defining the roles that staff will fulfill.
Leadership: Structure varies between firms, but it often includes a Steering Committee, which provides guidance on firm direction and allocation of budget, and General Counsel, which provides guidance on legal and regulatory considerations unique to the organization.
Security Manager: Translates security for and between each of the roles above, looking at security across all functional groups in the organization and ensuring that proportional security controls are applied without gaps in coverage. This is a risk management role.
As an evolving profession, the Security Manager role is inconsistently assigned. IT Managers are often the default choice to fill it, sometimes bringing in security consultants to augment their efforts, or they incorrectly assume that cloud delivery of services protects them.
How can we improve our information security?
Make sure the Security Manager knows how to speak the language of information security (e.g. risk assessments, business impact analysis) and that the security role is properly positioned in the organization. To paraphrase PricewaterhouseCoopers' annual report on the Global State of Information Security, in which 9000+ organizations were surveyed: if the information security professional reports to the IT manager, on average the organization experiences a 46% increase in costs and a 14% increase in downtime associated with security incidents. If the security manager reports to anyone else in the organization, this increase goes away.
Learning any language takes time and effort, and the language of information security is no different. If you have the need or desire to learn it, find a way to get the training you need. If you bring in outside support, position them to look at the whole organization, and have patience as they help IT, Operations, and Leadership learn to speak the language of security. In the end, it's worth it!
For information on how Adaptive can assist you with your security efforts, please contact firstname.lastname@example.org.