LegalSEC® - Cybersecurity

Where do we go from here? The LegalSEC Maturity Model

By Tim Golden posted 10-17-2013 11:25

For those of you with short attention spans, here is the Twitter version of this blog post:

Q: Why have a legal-industry specific information security maturity model? A: Context @Tim_Golden #LegalSEC

For the rest, here is the full version...

Where do we go from here?

Man maintains his balance, poise, and sense of security only as he is moving forward.  - Maxwell Maltz 

You don't make progress by standing on the sidelines, whimpering and complaining. You make progress by implementing ideas. - Shirley Chisholm

In February of this year, Joe Patrice described law firms as “...the soft underbelly of American cyber security...” and if you look at headlines over the last few years you might find it hard to argue with him.  With each breach, public or otherwise, potential attackers see the industry as a softer target.

As service providers and trusted business partners for our clients, we have to improve our collective security posture.  Carlos Rodriguez (original leader of the LegalSEC initiative and generally awesome guy) was fond of saying “an attack on one of us is an attack on all of us”.  I firmly believe that his “go to” phrase, if well understood and adopted, will improve the footing of legal security more than any outside client assessment / audit / “friendly check-in” or the threat of government intervention.  Sharing information between legal service providers is what will drive a clearer understanding of the challenges we face.

So, it makes sense that the International Legal Technology Association would have a vested interest in moving legal industry information security forward.  That is one of the reasons the LegalSEC initiative was formed.  But why is the LegalSEC initiative developing an information security maturity model?  

You might think, “Do we really NEED another standard, framework, or punch list?”  

The information and advice currently available to security-minded professionals in today’s firms is incredible.  ISO 270xx is an incredible resource, regardless of industry.  Industry-specific standards such as PCI-DSS provide guidance on what our clients in various markets are expected to do and what firms, to comply with client requirements, are being held to (which I refer to as “regulation by proxy”).  There is also a host of excellent blogs, commercial sites, and information security communities, all of which provide thoughtful (though at times conflicting) advice.  For firms without mature information security programs and dedicated information security staff, this sea of information can be overwhelming.

The goal of the LegalSEC Maturity Model project is not to replace or duplicate existing work. Instead, the model is designed to provide critical CONTEXT for firms (and eventually corporate legal departments) based on the unique nuances of how the legal profession “receives, stores, processes, and transmits” non-public client information.

We are working to integrate the relevant frameworks, standards, and regulations, focusing on providing security-minded professionals with the answers to two key questions:

  1. Where are we on the map, based on current capabilities in the areas of security policy, security controls, and security awareness?
  2. Given our current position, what our enterprise is trying to accomplish, and the needs of our clients / customers, where should we go from here?

The answer to the second question will be unique to each organization.  Our hope is that the Maturity Model will provide the added legal-industry specific context necessary for you and your management team to make a more informed (and more successful) choice, given the options available.  Our clients are counting on it.
