LegalSEC® - Cybersecurity


LegalSEC, From small beginnings come great things.

By Steven Shock posted 11-05-2013 15:04

  


 

Hard to believe the idea of a simple guide and framework for law firm security has blossomed into the full-steam initiative LegalSEC™.  Carlos Rodriguez, my predecessor as Peer Group Vice President of Server Operations and Security Peer Group, brought the idea to ILTA leadership, pitching an initiative that would provide a comprehensive road map for law firms to follow.  I wanted to post a little history of the initiative, milestones achieved during its growth, and a sense of where we are now and our path for the future.

LegalSEC™ is born


The initial planning call in November of 2011 centered around the topics of ISO 27001/27002 as a starting point, cyber insurance, defense in depth for those shying away from ISO, and addressing risk management through policies and procedures.  Carlos, along with members of the SOSPG and Kristy Costello, began building the initial framework, with guidance from Deb Himsel and Peggy Wechsler.  Team members were assembled, vendor involvement was discussed, and the tactics, or initial objectives, of LegalSEC™ were drafted.  ILTA’s Executive Director, Randi Mayes, gave the green light and in May of 2012 announced the creation of the Legal Information Security Counsel, LegalSEC™ – a coalition of law firm professionals with the following mission statement:

“To enhance the delivery of secure services to clients by raising and maintaining security awareness and by providing an asset protection for law firms”

Based on the mission statement, the best way to achieve this is by leveraging the biggest strengths of ILTA: collective knowledge and collaboration.  Five primary objectives were defined and translated into deliverables:

  • Address current standards and create a roadmap for implementation.  No need to re-invent the wheel; there are many great standards available, such as ISO and NIST.  The teams will review documentation and guide firms through the use and application of these standards.

  • Deliver a set of Policy and Procedure templates.  Streamline communication and provide a standard for delivery.  We communicate with our peers on a daily basis as to the best practice each would recommend.  LegalSEC™ can deliver a repository of policies.

  • Recommend technical controls, a Defense in Depth approach.  LegalSEC™ will make recommendations based on a layered approach to security by tapping into the available resources such as ILTA’s technology survey, SANS 20 security controls and Australian DSD 35 Security Controls, translating controls to fit with any sized firm.

  • Provide a Security Awareness Program template.  Aside from implementing security controls, most firms suffer from a lack of security awareness training.  Educating the users by following a recommended template will ease the creation process and will make a significant and meaningful contribution to the firm.

  • Create more networking opportunities.  Following our ILTA peer model, our members can tap into the new wave of security professionals being hired by law firms.  To help facilitate peer networking, the ILTA Conference includes a LegalSEC™ Community of Interest, and the first annual summit was created as a yearly meeting for security professionals to discuss current issues and security threats, best tools and practice with our membership.



LegalSEC™ Summit 2013


The initiative’s most outward-facing exposure since its beginnings was the inaugural LegalSEC™ Summit held in June of 2013.  The single-day event brought together attendees from every aspect of the firm (IT, Administration, etc.) to spend a day attending sessions, developing relationships with the sponsoring vendors and, most importantly, speaking with their peers about the day’s topics and the challenges faced within their firms.

The day was kicked off with a keynote from FBI Special Agent Eric Brelsford, who discussed cybercrime and legal security. His keynote focused on real-world events that happened within law firms and gave an excellent overview of how firms are being penetrated and what we can do to combat the breach.  The sessions were divided into two separate tracks: managerial, approaching the topics from an administrator perspective, and technical, focusing on the infrastructure and implementation.

LegalSEC™ Summit is another example of how ILTA’s peer network comes together and, with direct involvement, brings solutions to the membership as a whole.

LegalSEC™: Moving Forward


Due to the success of LegalSEC™, the little initiative from the Server Operations & Security peer group is now a standalone ILTA endeavor, and with that many changes are being announced to the membership to improve and expand peer involvement. Changes include the mission statement and goals, changes to the leadership structure and the creation of the LegalSEC™ Council.

Mission statement change and goals are as follows:

"The mission of LegalSEC™ is to provide the legal community with guidelines for risk-based information security programs that are achievable, measurable and mature" 

The primary goals of LegalSEC™ are:

  • Align the legal community with ISO 27000 series standards.
  • Promote information security through education.
  • Foster improved communications in the legal industry around information security.


To achieve these goals LegalSEC™ will:

  • Deliver a Set of Resources/Documentation
  • Recommend Technical Controls, a Defense-in-Depth Approach
  • Provide guidance for a Security Awareness Program

 

Based on meetings held with thought leaders, it was decided to revamp the mission statement and goals to bring them in line with the defined direction for LegalSEC™.  The leadership has been overhauled as well, keeping the advisory board intact. They will now work with the steering committee to help prioritize deliverables and assist with long-term strategic plans.  The most meaningful change is the advent of the LegalSEC™ council.  Application to the council is open to members, vendors and members of other associations in the legal space that are interested in leading the charge on this critical industry-wide initiative.  Please go to Volunteer Council positions and apply.  In addition, ILTA has identified a wider variety of deliverables for the initiative, such as webinars, articles, blog posts, templates, policies, technical controls, maturity model guidelines and much more.

I am very excited about the current direction of LegalSEC™.  Regardless of firm size (small, mid-size or big law), we all should have access to concise content and best practice, allowing any firm the opportunity to secure their systems, intellectual property and client data.  I encourage you to get involved, participate and contribute.  It’s what the ILTA membership does best!



#ServerOperationsandSecurity #LegalSEC