Law Firms Consider the Virtual CISO

Law firms have come late to the cybersecurity party. It took hacks on well-known firms and the ransomware attack on DLA Piper, which shut down the telephones and email of one of the world’s largest firms for two full days, to wake them up.

Are they now the cybersecurity equivalent of “woke”? They’re getting there, but some surveys suggest they still have a ways to go. A third don’t have standalone cyber insurance policies. Only half have designated cybersecurity teams. And a fifth don’t have a data breach plan in place, even though, according to an American Bar Association survey, 25 percent have suffered a data breach at some point.

The law firms that are in the best shape are probably the largest ones, which have the most resources. Small- and medium-size firms seem to be lagging. And one area in which they can use help is in their staffing.

Most of the large firms have chief information security officers (CISOs). But plenty of the smaller ones don’t. And it’s not hard to understand why. CISOs are in great demand and short supply these days, and they can command salaries of $200,000 and up. That’s probably out of reach for lots of smaller firms.

Yet, this is a particularly important time to have a CISO. The Covid-19 pandemic has forced law firms to ask their attorneys to work from home for months. And this new arrangement has added risks that have prompted some firms to create new policies that may require training and monitoring. A CISO’s leadership in this area would seem to be desirable if not essential.

For firms that have not yet hired a CISO, there’s another solution. It’s one we heard a lot about when TAG Cyber analysts received a briefing recently from Lockstep Technology Group, based in Atlanta. The alternative is to hire a virtual chief information security officer, or vCISO.

Let’s make one thing clear from the start. The word “virtual” here does not mean that a vCISO is the equivalent of Siri. It means that the CISO works part-time.

Jonathan Kyle knows a lot about CISOs. He was a CISO himself once. Kyle is now Lockstep’s security practice manager, and he did most of the talking during our briefing. He speaks tech, but he also knows his way around the legal world. He spoke on a panel at an ABA conference on cybersecurity held at Georgia State University College of Law in March.

Lockstep has a program that sets up law firms with virtual CISOs. There are several reasons law firms opt for one, Kyle said. Some firms are not quite ready to make the leap. They may be loath to pay a full-time salary and benefits. And they may only need someone once or twice a week. The vCISO can report to the office or (most likely under current conditions) work remotely.

Sometimes firms don’t feel that they can find one person to meet the disparate needs a CISO may be asked to address. For example, one month a firm may want someone who can do penetration testing, Kyle said. Another month it may want audit testing to help it prepare to pass an audit. One person may be able to handle both, but it may be easier and faster to swap in people for each project, Kyle said.

Kyle reminisced fondly about his own days as a CISO. He worked for a fuel pump company that was a supplier for a car manufacturer. Kyle, who is now a certified professional ethical hacker, would sometimes hack into his own company’s systems to demonstrate the problems that required executives’ attention. He found that “show and tell” was an effective way of communicating.

What law firms need to attend to first and foremost, of course, is client data. One of the first things DLA Piper said, once the firm had recovered its ability to communicate with the world, was that it didn’t think any client data had been lost or compromised.

Other firms have not been so lucky. Some of the biggest law firm hacks, like the Panama Papers scandal, have demonstrated that one attack can destroy not just a firm’s reputation, but also its business. That has undoubtedly opened the eyes of the industry, as has the growing number of ransomware attacks.

A particularly nasty variety has surfaced recently: the Maze attack. Not only is a law firm’s data encrypted; a copy is stolen beforehand and held hostage. If the firm doesn’t pay quickly, the hackers release the stolen data to the public a piece at a time. Restoring from backup answers the encryption but not the disclosure, which is what makes this variant so dangerous for a firm holding confidential client files.

What makes Lockstep’s vCISO program particularly attractive to law firms, Kyle said, is his company’s deep experience in technology. Its staff have more collective skills than most individual CISOs would likely bring to the table. Not only are they experts who can advise on and test a firm’s security; they can fix or architect solutions to problems that other people would not be able to diagnose.

And now that lawyers are already working remotely, this could be a good time to try out a virtual CISO who also works from home.