The Security Professional: Managing Risk and Earning Respect

The legal profession, like all businesses, is not immune to the atrocities of modern cyber-criminals or the theft/fraud that can be perpetrated from within the organization's own walls.  There has never been a more critical need for providing professional management and oversight of your firm's assets.  The true security professional is someone who oozes integrity, knows nothing other than honesty, has the work ethic of a mule, the fortitude of a granite cliff and who, by his or her very nature, is a leader. 

You might be thinking, "We've got someone who is responsible for security, and he's doing a good job (as far as we know).  Security is a hot space, and it seems like everyone is talking security this, security that.  Are we sure we're looking in the right places?"  If this is your train of thought - you're missing the point . . . entirely.

The Changing Role of Security
The practice of security, like most things, has undergone massive change over the past three decades.  In the '80s, law firms hadn't installed personal computers on a large scale.  Sure, there were PCs on a handful of desks, and accounting may have had some sort of "system," however, the practice of law continued to rely heavily on pen, paper and typewriters.  Firms knew how to manage paper records and went through quite a few typewriter ribbons, but short of a document being stolen or a typewriter breaking, the need for security was minimal, overlooked or ignored.

In the '90s, the pervasiveness of computers, coupled with the Internet and increased competition, forced law firms to turn toward technology to push the top line up and the bottom line down.  There were innumerable possibilities when it came to hardware, operating systems, software and architectures - each with its own strengths and weaknesses to the firm.  Firms were largely successful using the technologies until system defects began to rear their ugly faces.  To make matters worse, there were more and more people taking advantage of these defects by writing viruses.  The effects of these viruses ranged from simple annoyance to outright destruction, while making every stop along the way.  Funny thing about viruses and virus writers - each generation showed improvement, always staying one step ahead of the next generation of technology to slow or prevent their spread.

Enter the new millennium and with it, a plethora of new threats.  After 9/11, everyone realized that this "business continuity" and "disaster recovery" stuff really does impact the entire organization (not just IS) and really is important, if not essential.  The elected administration unleashed a number of regulations from virtually every branch of the government, which either directly or indirectly impact law firms.  The virus writers, hackers and fraudsters have come together and are now looking for a paycheck.  And they are trying everything from extortion to identity theft.  All of this while our firms are begging for increased mobility, less structure and rigidity and fewer controls.

Being a security leader can be a thankless job - one in which some, if not much, of what you do is cloaked in confidentiality and/or operates behind the scenes.  Your business has come to you and asked you to help them manage their risks from all sources of threats, and they expect you to do so without impeding their business.  From experience, this is easier said than done.  However, a true security professional can earn a seat at the table and work hand-in-hand with the business leaders to manage risks every step of the way.  And the business should understand and appreciate their efforts.  This type of security leader seldom argues bits and bytes, but rather, he or she is focused on revenue, productivity and profitability.

Beyond the Bits and Bytes
My advice for the firms who don't have a security professional - spend the time to find a true security leader (not a security technologist), position them for success in the organization and measure the improvement over time.  You'd be surprised what a little leadership can do without a lot of cash.

My advice for security professionals - look in the mirror and decide if you're a security technologist or a security leader.  Do you argue firewalls and IDSs or profit per partner?  If it's the latter, welcome to the new breed of leaders!

About our author . . .

Adam Hansen is Manager of Information Security at Sonnenschein Nath & Rosenthal LLP.  He is responsible for all Information Security, including setting policy, risk management, product selection and implementation, investigation and crisis management.  Adam is also the President/Founder of the National Security & Privacy Executive Roundtable, a user group dedicated to knowledge sharing among security professionals.  He can be reached at ahansen@sonnenschein.com.
