The Risk Landscape (David Cunningham quoted, September 2008)
The Risk Landscape - The Experts Help Your Firm Guard Against Risk (Page 1 of 4)
At ILTA's annual conference, the Risk Management Peer Group Track offered several informative and well-attended panel discussions about the new and growing challenges in legal IT security. Our volunteer panelists shared their thoughts on the current state of security, risk and conflicts management, and they offered valuable and insightful predictions for firms to consider as they manage risk in the context of new technologies and a changing economy.
We are grateful that many of these panelists were willing to put down some of their thoughts on these questions, and we present their answers to you here. We think their answers to our seven questions will help firms form or fine-tune their risk strategies and enable them to grow more confidently. The respondents in this article are:
• Richard Patterson, Director of Security, Sidley Austin, 1,800 attorneys
• Kevin R. Davidson, Director of Information Security, Stinson Morrison Hecker LLP, 325 attorneys
• Andy Jurczyk, CIO, Sonnenschein Nath & Rosenthal LLP, 550 attorneys
• Jim Soenksen, CEO, Pivot Group, LLC, an information security audit and assessment firm
• David Cunningham, Managing Director, Baker Robbins & Company, an independent technology consulting firm dedicated to
developing and implementing innovative solutions
• Dan Safran, Executive Vice President, Project Leadership Associates, a business and technology consulting firm focusing on the
legal market
What do you think are the three biggest risks facing law firms today?
Patterson: The three things I think are the biggest risks are the lack of an operational risk management role, data leakage - which is to
say there's too much client information leaving firms on too many forms of media and technology - and physical security and IT security
at trial sites and with contract attorneys.
Davidson: I think the three biggest risks include a general lack of security awareness by attorneys and staff; myriad locations of
confidential information (Have we performed an EDD on ourselves lately?); and the Internet. Access to the Internet is no longer restricted
to computers that are safely behind a firewall; plus there are the social aspects of various Web 2.0 applications.
Jurczyk: I can list the three biggest risks. First, there's the evolving technical risk landscape. Over the past few years we've seen
technical attack vectors move from the network layer up to the application layer. This evolution magnifies the risk because these
application-layer attacks can be used to steal information (e.g., corporate espionage, state-sponsored espionage, etc.) and have a direct
link to productivity. Second, there are the recent changes and global differences in the rules and regulations surrounding information
handling. These range from privacy regulations to discovery laws and are a major source of risk to law firms given our diverse customer
base. Third, it's the economy. The partnership model has its strengths and weaknesses but, simply put, the underlying causes of this
recession and the symptoms in the open market are the perfect storm for this model. This rears its ugly head in a partnership's ability to
raise capital and operate in the short term, and may present long-term problems without extensive risk management efforts.
Soenksen: I see the three biggest risks being vendor management, data privacy and insider threats; and by that last one, I mean
attorneys leaving the firm and taking intellectual property with them or disgruntled employees sabotaging the network, as well as the
general loss or leakage of data that accompanies this.
Cunningham: First, financial growth and overall stability: To quote from a recent issue of The Lawyer, "Around 500 firms have been
referred to the so-called intensive care units (ICU) of their banks because they are facing financial difficulties. It is understood that 21 of
the United Kingdom's top 150 firms are being treated in Barclays' ICU, which is known as 'business banking support', although the bank
refused to confirm this number."
Second, there's malpractice, mostly via rogue lawyers who cause the firm to be sued or to lose significant business. This is not the most
likely risk, but it is serious enough that general counsels in New York reported it as the risk that keeps them awake at night . . . well, at
least it did before the risk described above became an issue.
Third, I consider information governance a major risk. Inability to identify and control the firm's online content results in firmwide holds to
address litigation, inability to match clients' retention policies, massive duplication of data, lack of clarity around the retention of new
media (electronic voice mail, instant messages, etc.) and increased recovery times for lost data.
Safran: The three biggest risks today are, first, complying with the revised Federal Rules on Civil Disclosure and other global/national
rule sets. I realize this isn't pure security but it certainly overlaps relative to information access and overall firm risk management. Next, I
think it's the challenge of staying on top of continually changing security threats in rapidly changing internal and external environments to
protect the firm's intellectual and client data. And finally, it's raising management and employee awareness to fund proactive security
measures and identify threats.
http://www.iltanet.org/MainMenuCategory/Archives/PeertoPeerArchives/November2008/... 11/5/2011
As many firms look toward going global, do you see their security problems growing, shrinking, or staying the same in size while changing in kind?
Patterson: It's growing, especially if you ignore the risks that other corporations have addressed when they globalize.
Davidson: It's growing, especially in complexity.
Jurczyk: In the context of the risks I mentioned above, I foresee the security problems growing exponentially. Although I see many of
the technical problems remaining the same, I do expect our technical security problems to grow linearly as a function of the amount of
technology we use. And it's no surprise that the financial risk will grow at a non-linear rate as we look to fund larger operations.
However, I see the exponential growth coming largely from changes in rules and regulations and client demands from different areas of
the world.
Soenksen: It's growing. Lack of control of systems in other countries, change management issues, the configuration of a network to be
uniform and other considerations are increasing the complexity of security. Also, knowledge and compliance with different data privacy
laws will add to the complexity.
Cunningham: Almost by definition, security issues will grow and change. Electronic data interchange agreements are a fine example of
security problems that few firms have yet tackled well.
Safran: With complexity in growing and managing global enterprises comes a natural increase in security problems. More things and
people to manage, different cultures, different values and different levels of government controls and rules based on location all
contribute to the increased complexity. Examples are countries that monitor Internet traffic or that have stringent rules
around transmission of inbound and outbound data . . . all of this adds complexity to privacy and security requirements.
Security and privacy laws, as well as practice guidelines, vary from country to country. Do you believe these differences are
giving an advantage to local and regional firms focused primarily on one country?
Patterson: Not really; the lawyers in the offices in those locations become the experts on the local regulations. You just develop internal
local expertise.
Davidson: Not yet.
Jurczyk: I believe that non-revenue generating functions can only impact two of the three dials linked to competitive advantage:
customer perceived value and cost of operations. It is my opinion that compliance with these rules and regulations in many countries is
required and/or implied, therefore, it cannot impact customer perceived value. To the extent that a firm is able to demonstrate
compliance with these rules and regulations at a cost less than its competitors, I believe strong risk management/security programs can
contribute to a competitive advantage so long as revenues associated with serving the clientele necessitating compliance are realized.
Soenksen: Maybe . . . The local attorneys in each office should or will be aware of their particular laws and educate the other partners
as to what their requirements are for their jurisdiction. The issue will be whether the firms' technologies, policies, training and support
infrastructure will be in place to keep the local offices competitive.
Cunningham: A one-country firm would only have potential advantage with one-country clients. A firm dealing with multinational clients
has to understand and address these multinational issues, not stop working across borders.
Safran: They may have a slight increase in competitive advantage, but knowledge of local laws does not provide a high barrier to entry.
A firm's local or regional understanding of security and privacy rules can help support local and collaborative law practices; however, my
sense is that the competitive advantage of local or regional firms does not greatly differ from global firms. After all, many global firms
acquire local or regional offices of other firms or lateral hires or they hire local talent with that competitive knowledge.
Everyone admits the technical landscape is changing, and nobody disputes the link between technology and risk. As a result of these
changes, do you foresee risks increasing, decreasing or staying the same in size, scope and magnitude?
Patterson: Risk will always increase as you make systems and data more widely available to people on more platforms and over new
and varied mediums.
Davidson: I see it increasing, as it is only more difficult to stay on top of the risk with the methods, laws, and exploits changing so
quickly.
Jurczyk: I believe that as new technologies are developed, released and adopted by the masses, our cumulative risk does grow; not
growing is simply unavoidable in this context. However, I also believe that a good risk management process can balance the incremental
risk against potential value to the firm. For example, by producing more donuts, you are increasing the total calories that I can consume,
thus my belt size. However, by my choosing to only eat half of the donut or better yet (and less likely) me not eating the donut, I am
controlling my calories, thus belt size. These same basic rules apply to managing technical risk.
Soenksen: I see it increasing; as technologies such as Web applications and software as a service become more prevalent, the risks
associated with sharing confidential or private information become increasingly challenging to protect against.
Cunningham: Technical risks increase but in a relatively small way compared to information management and people risks.
Safran: For much the same rationale as in question three, I see risks increasing, mostly due to the increased complexity in firm growth,
geographic expansion and increasing country rules and regulations. Technology continues to evolve and progress, which adds increased
complexity to user and network environments. Integration with other rapidly advancing technology sets also causes greater risk.
If you had to identify three technologies that carry with them the greatest risk, what would they be?
Patterson: VoIP, virtualization and Outlook Web Access, which is less a technology and more an application, but I had to throw it in.
Davidson: Mobile devices, flash drives and WiFi.
Jurczyk: First, there are the peer-to-peer technologies, including collaboration technologies such as instant messaging, that place the
firm at great risk. The pressure to allow the use of these technologies in service of our clients is rising globally while, at the same time,
recent studies released by the FBI suggest that these technologies are becoming a conduit for information theft by crackers, hackers and
state-sponsored espionage programs. Although our options for blocking and logging use are getting better, I believe many are reactive
and largely useless in the long term, and the only real solution lies in embedding security into the information which transcends corporate
boundaries.
Also, portal and information collaboration platforms, which represent the melding of my two top risks - the upward trend in attack targets
(application layer) and the increasingly complex regulatory landscape. Without belaboring the point, I believe this melding of the technical
and non-technical represents quite possibly the biggest risk facing firms today and over the next two to four years.
Third, mobile devices carry a lot of risk. These devices continue to grow in storage and processing capability and are becoming required
in order to practice law. This trend, coupled with the rapid integration of non-business features such as music, video and the Internet, has
opened up a new dimension to the risk landscape. I believe these technologies will grow in use, will become more and more consumer-
focused and will be a future attack platform of choice.
Soenksen: Ubiquitous computing, meaning the use of BlackBerry devices, PDAs and iPhones outside of the confines of the traditional
in-house network, is the greatest risk since these devices can contain highly sensitive information and are easily lost. Next, there are the
Web-based portals; accessing highly confidential data from outside the boundaries of the law firm carries the risk of this data being
compromised, either by a hacker or unauthorized party. This data can be accessed from any public computer and leave residual
confidential information on the hard drive of an unauthorized computer. Or, it is accessed from home where employees do not have the
same level of security found in the enterprise. If this data is then downloaded to the home computer, the risk increases. Then there's
e-mail. Due to the capacity of e-mail accounts, the "smoking gun" of a lawsuit will be buried in the countless number of e-mail messages.
Additionally, if Web-based e-mail such as Gmail accounts is incorrectly used by employees to conduct law firm business,
the risk of this information being compromised is great, since the law firm does not have control over the Gmail servers.
Cunningham: The use of e-mail has single-handedly broken down the former partner review and records management processes of
firms. What used to be a letter carefully read by a partner before it left the door is often now a casual e-mail message sent directly by a
junior lawyer. Then there are remote access configurations; many are poorly or thinly configured and have password-only authentication
- a hacker's dream. And then there's Google, which is used more often than any partner thinks.
Safran: The three most risk-filled technologies are mobile devices, websites and mobile workers. Mobile devices lead to more local data
that needs to be secured and further decentralizes where risky documents and records reside. Also, collaborative applications and
websites are risky, for the same reasons as above. And the increasing number of mobile and dispersed home knowledge workers
means more data records need to be protected in environments that are inherently localized, unstructured and flexible.
How do you think the economy is affecting security in law firms?
Patterson: As clients go under, firms lose revenue streams. Plus, clients are using firms like banks; they're not paying their bills or they
are very slow to pay the bills.
Davidson: As our clients are affected, we become affected. Some verticals (bankruptcy, for example) are stronger.
Jurczyk: The economic problems we're facing today are unprecedented in modern history - at least since technology has become
mainstream. In light of these extreme circumstances, I believe all non-revenue generating activities have been affected in varying
degrees, which include a firm's investment in technology, accounting, marketing and security.
However, after looking at our finances and reflecting on what my peers are doing, I believe the economy is having less effect on security
spending (proportionally) than in other areas for two reasons. First, once security matures in an organization, capital and operating costs
tend to decline sharply, making it one of the least expensive areas to operate when compared to others. Second, and probably more
important, you may be able to defer an upgrade one more year, but you can't afford to leave systems unprotected; in order to work, you
must protect systems from viruses and respond to intrusions. In that respect, security is like accounting - you have to pay your bills in
order to keep the lights on, just like you have to protect your organization's capacity to work.
Soenksen: Law firms are feeling the effects of the recent downturn in the economy as the demand for some legal services is
declining. Thus, law firms are reviewing all capital and expense items and are determining what security initiatives need to be performed
this month/quarter/year or delayed until the next month/quarter/year.
Cunningham: No noticeable effect seen yet. More firms are auditing IT now, so that could have a long-term effect by ensuring firms at
least understand their security situation. However, this could be offset in the short-term by firms that may stop advancing the staffing and
investments in security.
Safran: As firms evaluate overall spending, it becomes harder to rationalize spending on information or other security measures versus
investments that spur business. I am already hearing about security budgets taking a squeeze in many of our clients - and headcount
reductions and freezes are having some effect.
Looking into the future, do you see a convergence between security as it exists today and broader risk management (e.g., enterprise risk
management)? If so, what's behind this shift?