This is my first blog post on this forum, so please bear with me. First, let me introduce myself. I've been practicing information security for what seems like an eternity now. I enjoy it. Each day is different. Each day is the same. Security is serious, but making a difference is (even when unmeasurable or unnoticed) somewhat gratifying. I've been lucky enough to practice security across multiple verticals, all at differing maturity levels. Each of these industries had different needs, requirements, and risks associated with the services they offered or those they serviced. I've even worked where information security was provided as a service. Through all of these differences, I've learned a few things which are constant.
1. Security is too much until it's not enough. While info sec is continually a hot topic, the application of proper security will always be questioned, largely due to the fact (I think) that consumerization and vendors quick to market don't play nice in this space. Security recommendations/requirements must be based on sound reasoning (best practice) and adequate risk measurement.
2. Gain trust and then preserve it. Take it easy on the FUD. There are only so many times the sky can fall. Vendors and the "press" will give you enough ammunition and you should or can be the voice of reason - again, based on risk analysis specific to your situation.
3. Persevere and stay positive, but understand that even with sound risk analysis, you will not always get agreement. Move on (but document). Risk mitigation is the key and takes place over time.
There are definitely other constants, and I'm sure others have had differing experiences (that's what the comment section of this blog is for), but based on my experience I am excited about the prospects for law firms participating in LegalSEC. LegalSEC, by providing guidance aligned with ISO 27001, will give those new to security a head start and provide seasoned security professionals additional insight. By aligning with ISO, individual firms will be able to build a program (over time) addressing control objectives (the risk) with actual controls that are appropriate to their situation. In the end, I believe the ISO approach helps address the 3 constants I listed by directing the identification and validation of risk. In turn, this allows the program or individual to better articulate the need for a control and manage the risk.
Security is serious and addressing it is difficult, but you have to maintain a positive attitude. With that, I'll try to keep any additional blog posts light and hopefully spur some spirited discussions.