LegalTech New York: A Cybersecurity Perspective
This past week, I attended and presented at LegalTech New York. It was my first experience at this conference and I got the feeling it was a bit of an anomaly to have someone from the cybersecurity field there as well. That being said, I had some great conversations, listened to some fantastic presentations, and presented on a panel about how cybersecurity and information governance are converging. Overall, I left the conference with some really valuable information.
I had many conversations centered on cybersecurity, no surprises there. It was fortuitous (I guess, for the attendees at least) that the Anthem Healthcare breach was disclosed while the conference was going on. It added realism to the subject, and drove home the fact that we were talking about real, no-kidding issues … not some hypothetical ghost thing that is fun to talk about but doesn’t exist in the real world.
So I thought I’d go through some of the common questions people asked and how I answered.
“What does cybersecurity even mean?”
“Cybersecurity” is kind of like the word “Smurf:” It means different things to different people, and all of them are more or less correct.
My definition is something along the lines of “the holistic protection of digital information assets, and the systems that store, process, and transmit that data.” I suppose I could make my definition more verbose, but I’m more interested in precision than flaunting my grammatical prowess. I once heard that the ability to explain deeply technical concepts in a clear, concise, easily understandable manner was the truest test of understanding. So, there you go.
“How does cybersecurity apply to the things we’re interested in like information governance and compliance, civil and criminal litigation, or eDiscovery?”
This topic was very interesting to me, and was one of the focal points of the panel I presented on.
If you think about information governance (IG), the concept is pretty simple: Identify your critical information assets and protect them in a manner that your industry has agreed on as reasonable. Of course, what is reasonable to me may not be reasonable to someone else, for example if they are not quite as technical. So while we may not agree on the means for protecting these assets, we very much agree on the fact that they require protection.
As legal services providers, you hold your clients’ most valuable and risky data. That makes you a target for cybercriminals and raises the stakes for any inadvertent data losses as well. As such, cybersecurity needs to be a top priority.
In my opinion as a 15-year veteran of field operations, protection by means of a checklist is a bit naïve. Recent breaches have illustrated that organizations cannot rely on preventative measures alone to keep their data safe. Instead, they need to assume that a breach is imminent and take their protective measures to the next level.
This “enhanced” protection strategy should include rigorous, goal-oriented penetration testing (looking at your security posture with the eyes of a hacker), as well as a well-thought-out incident response plan (how you detect and respond to a cybersecurity incident). You need to test your security strategy over and over again, not unlike a boxer training for a prize fight. Learn how to shuck and jive, how to take a punch in the mouth, and how to throw a couple of punches of your own.
If attacks are coming, and it’s unrealistic to think you can prevent them, focus on the next best things: Identification, disruption, and response.
“How will security breaches affect corporate security posture and spending in 2015?”
I thought this question was interesting as well and was not surprised at the general consensus: Organizations are going to spend more money on cybersecurity in 2015 than in any previous year. The vast number of high-profile breaches has thrust this topic into the forefront of the minds of executives and boards worldwide.
They need to worry about the tangible financial impact of the breach (compliance fines, forensics and legal retainers, victim monitoring and alerting, etc.) but also the long-term effects such as loss of customer confidence, loss of market share, and a decline in company valuation. As if this weren’t enough, we’re starting to see post-incident class action lawsuits. So now we have the “breach trifecta” of potential impacts, any of which could devastate an organization caught unprepared. Together, they represent a nightmarish scenario that executives will likely have to navigate in the not-so-distant future. So I think it’s safe to say this will be a very lucrative year for security providers.
Obviously there were plenty of other topics that generated spirited discussion throughout Midtown this week. In my opinion, this sort of information sharing is vital for any business that stores, processes, or transmits data. It stokes the flames of preparedness, and excites people like me who are passionate about cybersecurity. Remember, if your data is valuable to you, and you make money from doing what you do, there is a black market price for that data.
The faster any organization realizes that it is indeed a target, and will experience a cybersecurity issue in the next 12 to 18 months (if it’s not experiencing one already; whether you know it or not), the better off it will be.
Looking forward to seeing how much the cybersecurity agenda has progressed at LegalTech next year!