
The risk landscape dave cunningham quoted sep 2008


Published in: Business, Technology

The Risk Landscape - The Experts Help Your Firm Guard Against Risk

Peer to Peer archives, November 2008 - Risk Management

At ILTA's annual conference, the Risk Management Peer Group Track offered several informative and well attended panel discussions about the new and growing challenges in legal IT security. Our volunteer panelists shared their thoughts on the current state of security, risk and conflicts management, and they offered valuable and insightful predictions for firms to consider as they manage risk in the context of new technologies and a changing economy.

We are grateful that many of these panelists were willing to put down some of their thoughts on these questions, and we present their answers to you here. We think their answers to our seven questions will help firms form or fine-tune their risk strategies and enable them to grow more confidently.

The respondents in this article are:

  • Richard Patterson, Director of Security, Sidley Austin, 1,800 attorneys
  • Kevin R. Davidson, Director of Information Security, Stinson Morrison Hecker LLP, 325 attorneys
  • Andy Jurczyk, CIO, Sonnenschein Nath & Rosenthal LLP, 550 attorneys
  • Jim Soenksen, CEO, Pivot Group, LLC, an information security audit and assessment firm
  • David Cunningham, Managing Director, Baker Robbins & Company, an independent technology consulting firm dedicated to developing and implementing innovative solutions
  • Dan Safran, Executive Vice President, Project Leadership Associates, a business and technology consulting firm focusing on the legal market

What do you think are the three biggest risks facing law firms today?
Patterson: The three things I think are the biggest risks are the lack of an operational risk management role, data leakage - which is to say there's too much client information leaving firms on too many forms of media and technology - and physical security and IT security at trial sites and with contract attorneys.

Davidson: I think the three biggest risks include a general lack of security awareness by attorneys and staff; myriad locations of confidential information (Have we performed an EDD on ourselves lately?); and the Internet. Access to the Internet is no longer restricted to computers that are safely behind a firewall; plus there are the social aspects of various Web 2.0 applications.

Jurczyk: I can list the three biggest risks. First, there's the evolving technical risk landscape. Over the past few years we've seen technical attack vectors move from the network layer up to the application layer. This evolution magnifies the risk because these application-layer attacks can be used to steal information (e.g., corporate espionage, state-sponsored espionage, etc.) and have a direct link to productivity. Second, there are the recent changes and global differences in the rules and regulations surrounding information handling. These range from privacy regulations to discovery laws and are a major source of risk to law firms given our diverse customer base. Third, it's the economy. The partnership model has its strengths and weaknesses but, simply put, the underlying causes of this recession and the symptoms in the open market are the perfect storm for this model. This rears its ugly head in a partnership's ability to raise capital and operate in the short term, and may present long-term problems without extensive risk management efforts.
Soenksen: I see the three biggest risks being vendor management, data privacy and insider threats; and by that last one, I mean attorneys leaving the firm and taking intellectual property with them or disgruntled employees sabotaging the network, as well as the general loss or leakage of data that accompanies this.

Cunningham: First, financial growth and overall stability: To quote from a recent issue of The Lawyer, "Around 500 firms have been referred to the so-called intensive care units (ICU) of their banks because they are facing financial difficulties. It is understood that 21 of the United Kingdom's top 150 firms are being treated in Barclays ICU, which is known as business banking support, although the bank refused to confirm this number." Second, there's malpractice, mostly via rogue lawyers who cause the firm to be sued or to lose significant business. This is not the most likely risk, but it is serious enough that general counsels in New York reported it as the risk that keeps them awake at night . . . well, at least it did before the risk described above became an issue. Third, I consider information governance a major risk. Inability to identify and control the firm's online content results in firmwide holds to address litigation, inability to match clients' retention policies, massive duplication of data, lack of clarity around the retention of new media (electronic voice mail, instant messages, etc.) and increased recovery times for lost data.

Safran: The three biggest risks today are, first, complying with the revised Federal Rules on Civil Disclosure and other global/national rule sets. I realize this isn't pure security but it certainly overlaps relative to information access and overall firm risk management. Next, I think it's the challenge of staying on top of continually changing security threats in rapidly changing internal and external environments to protect the firm's intellectual and client data. And finally, it's raising management and employee awareness to fund proactive security measures and identify threats.

11/5/2011
As many firms look toward going global, do you see their security problems growing, shrinking or staying the same and changing?

Patterson: It's growing, especially if you ignore the risks that other corporations have addressed when they globalize.

Davidson: It's growing, especially in complexity.

Jurczyk: In the context of the risks I mentioned above, I foresee the security problems growing exponentially. Although I see many of the technical problems remaining the same, I do expect our technical security problems to grow linearly as a function of the amount of technology we use. And it's no surprise that the financial risk will grow at a non-linear rate as we look to fund larger operations. However, I see the exponential growth coming largely from changes in rules and regulations and client demands from different areas of the world.

Soenksen: It's growing. Lack of control of systems in other countries, change management issues, the configuration of a network to be uniform and other considerations are increasing the complexity of security. Also, knowledge and compliance with different data privacy laws will add to the complexity.

Cunningham: Almost by definition, security issues will grow and change. Electronic data interchange agreements are a fine example of security problems that few firms have yet tackled well.

Safran: With complexity in growing and managing global enterprises comes a natural increase in security problems. More things and people to manage, different cultures, different values and different levels of government controls and rules based on location all contribute to the increased complexity. An example is where certain countries monitor Internet traffic or others that have stringent rules around transmission of in and outbound data . . . all of this adds complexity to privacy and security requirements.
Differences in security and privacy laws as well as practice guidelines vary from country to country. Do you believe these differences are giving an advantage to local and regional firms focused in primarily one country?

Patterson: Not really; the lawyers in the offices in those locations become the experts on the local regulations, you just develop internal local expertise.

Davidson: Not yet.

Jurczyk: I believe that non-revenue generating functions can only impact two of the three dials linked to competitive advantage: customer perceived value and cost of operations. It is my opinion that compliance with these rules and regulations in many countries is required and/or implied, therefore, it cannot impact customer perceived value. To the extent that a firm is able to demonstrate compliance with these rules and regulations at a cost less than its competitors, I believe strong risk management/security programs can contribute to a competitive advantage so long as revenues associated with serving the clientele necessitating compliance are realized.

Soenksen: Maybe . . . The local attorneys in each office should or will be aware of their particular laws and educate the other partners as to what their requirements are for their jurisdiction. The issue will be whether the firm's technologies, policies, training and support infrastructure will be in place to keep the local offices competitive.

Cunningham: A one-country firm would only have potential advantage with one-country clients. A firm dealing with multinational clients has to understand and address these multinational issues, not stop working across borders.

Safran: They may have a slight increase in competitive advantage, but knowledge of local laws does not provide a high barrier to entry. A firm's local or regional understanding of security and privacy rules can help support local and collaborative law practices; however, my sense is that the competitive advantage of local or regional firms does not greatly differ from global firms. After all, many global firms acquire local or regional offices of other firms or lateral hires or they hire local talent with that competitive knowledge.

Everyone admits the technical landscape is changing, and nobody argues the link between technology and risk. As a result of these changes, do you foresee risks increasing, decreasing or staying the same in size, scope and magnitude?

Patterson: Risk will always increase as you make systems and data more widely available to people on more platforms and over new and varied mediums.

Davidson: I see it increasing, as it is only more difficult to stay on top of the risk with the methods, laws, and exploits changing so quickly.

Jurczyk: I believe that as new technologies are developed, released and adopted by the masses, our cumulative risk does grow; not growing is simply unavoidable in this context. However I also believe that a good risk management process can balance the incremental risk against potential value to the firm. For example, by producing more donuts, you are increasing the total calories that I can consume, thus my belt size. However, by my choosing to only eat half of the donut or better yet (and less likely) me not eating the donut, I am controlling my calories, thus belt size. These same basic rules apply to managing technical risk.

Soenksen: I see it increasing; as technologies such as Web applications and software as a service become more prevalent, the risks associated with sharing confidential or private information become increasingly challenging to protect.

Cunningham: Technical risks increase but in a relatively small way compared to information management and people risks.
Safran: For much the same rationale in question three, I see risks increasing, mostly due to the increased complexity in firm growth, geographic expansion and increasing country rules and regulations. Technology continues to evolve and progress, which adds increased complexity to user and network environments. Integration with other rapidly advancing technology sets also causes greater risk.

If you had to identify three technologies that carry with them the greatest risk, what would they be?
Patterson: VoIP, virtualization and Outlook Web Access, which is less a technology and more an application, but I had to throw it in.

Davidson: Mobile devices, flash drives and WiFi.

Jurczyk: First, there are the peer-to-peer technologies, including collaboration technologies such as instant messaging, that place the firm at great risk. The pressure to allow the use of these technologies in service of our clients is rising globally while, at the same time, recent studies released by the FBI suggest that these technologies are becoming a conduit for information theft by crackers, hackers and state-sponsored espionage programs. Although our options for blocking and logging use are getting better, I believe many are reactive and largely useless in the long term, and the only real solution lies in embedding security into the information which transcends corporate boundaries. Also, portal and information collaboration platforms, which represent the melding of my two top risks - the upward trend in attack targets (application layer) and the increasingly complex regulatory landscape. Without belaboring the point, I believe this melding of the technical and non-technical represents quite possibly the biggest risk facing firms today and over the next two to four years. Third, mobile devices carry a lot of risk. These devices continue to grow in storage and processing capability and are becoming required in order to practice law. This trend, coupled with the rapid integration of non-business features such as music, video and the Internet, has opened up a new dimension to the risk landscape. I believe these technologies will grow in use, will become more and more consumer-focused and will be a future attack platform of choice.
Soenksen: Ubiquitous computing, meaning the use of BlackBerry devices, PDAs and iPhones outside of the confines of the traditional in-house network, is the greatest risk since these devices can contain highly sensitive information and are easily lost. Next, there are the Web-based portals; accessing highly confidential data from outside the boundaries of the law firm carries the risk of this data being compromised, either by a hacker or unauthorized party. This data can be accessed from any public computer and leave residual confidential information on the hard drive of an unauthorized computer. Or, it is accessed from home where employees do not have the same level of security found in the enterprise. If this data is then downloaded to the home computer, the risk increases. Then there's e-mail. Due to the capacity of e-mail accounts, the "smoking gun" of a lawsuit will be buried in the countless number of e-mail messages. Additionally, if the uses of Web-based e-mail such as Gmail accounts are incorrectly used by employees to conduct law firm business, the risk of this information being compromised is great, since the law firm does not have control over the Gmail servers.

Cunningham: The use of e-mail has single-handedly broken down the former partner review and records management processes of firms. What used to be a letter carefully read by a partner before it left the door is often now a casual e-mail message sent directly by a junior lawyer. Then there are remote access configurations; many are poorly or thinly configured and have password-only authentication - a hacker's dream. And then there's Google, which is used more often than any partner thinks.

Safran: The three most risk-filled technologies are mobile devices, websites and mobile workers. Mobile devices lead to more local data that needs to be secured and further decentralizes where risky documents and records reside. Also, collaborative applications and websites are risky, for the same reasons as above. And the increasing number of mobile and dispersed home knowledge workers means more data records need to be protected in environments that are inherently localized, unstructured and flexible.

How do you think the economy is affecting security in law firms?

Patterson: As clients go under firms lose revenue streams. Plus, clients are using firms like banks; they're not paying their bills or they are very slow to pay the bills.

Davidson: As our clients are affected, we become affected. Some verticals (bankruptcy, for example) are stronger.

Jurczyk: The economic problems we're facing today are unprecedented in modern history - at least since technology has become mainstream. In light of these extreme circumstances, I believe all non-revenue generating activities have been affected in varying degrees, which include a firm's investment in technology, accounting, marketing and security. However, after looking at our finances and reflecting on what my peers are doing, I believe the economy is having less effect on security spending (proportionally) than in other areas for two reasons. First, once security matures in an organization, capital and operating costs tend to decline sharply making it one of the least expensive areas to operate when compared to others. Second, and probably more important, you may be able to defer an upgrade one more year, but you can't afford to leave systems unprotected; in order to work, you must protect systems from viruses and respond to intrusions. In that respect, security is like accounting - you have to pay your bills in order to keep the lights on, just like you have to protect your organization's capacity to work.

Soenksen: Law firms are feeling the effects of the recent downturn in the economy as the demand for some legal services is declining. Thus, law firms are reviewing all capital and expense items and are determining what security initiatives need to be performed this month/quarter/year or delayed until the next month/quarter/year.

Cunningham: No noticeable effect seen yet. More firms are auditing IT now, so that could have a long-term effect by ensuring firms at least understand their security situation. However, this could be offset in the short-term by firms that may stop advancing the staffing and investments in security.

Safran: As firms evaluate overall spending, it becomes harder to rationalize spending on information or other security measures versus investments that spur business. I am already hearing about security budgets taking a squeeze in many of our clients - and headcount reductions and freezes are having some effect.

Looking into the future, do you see a convergence between security as it exists today and broader risk management (e.g., enterprise risk management)? If so, what's behind this shift?
Patterson: I think that shift would have to be clearly established in the corporate sector before law firms would follow. They have too much of a lemming mentality, and I don't see firms leading in any areas of risk management or security.

Davidson: Yes, because IT is a business center, not a black box. Risk is risk. Those that limit it to IT leave huge gaps in their risk management plans.

Jurczyk: History is the best predictor of the future, and, assuming that trend holds, I do expect there to be a convergence of risk management functions in the short and long term. As firms look for new ways to compete, customer perception and costs become critically important and will serve as the forces driving the convergence and pushing us towards an enterprise risk management function. In light of this opinion, I see two changes occurring across the legal vertical over the next few years. I predict this function will broaden in scope over the next year or so to include physical security, investigations and forensics. This makes sense given the close relationship with these functions and IS, and thus presents an opportunity to drive costs down. With this added responsibility, it will move up organizationally and may shed some day-to-day technical responsibilities given the operational framework of the IS department. The last step I see is this function expanding to include broader operational risk management functions such as conflicts, insurance, new business intake, records and others. Although this appears at first blush a giant leap, each of these functions directly ties to either the active or passive management of operational risks. At this point, I foresee the potential for reduced day-to-day responsibilities and upward pressure on this function to include greater involvement with the practice groups, general counsel and executive director, COO, etc. I believe firms that take these steps will grow their competitive advantage over those who do not take these steps.

Soenksen: There will be a convergence between security and enterprise risk management. This shift will be prompted by more laws concerning security issues as more client data is stored on removable media devices, in different locations and different jurisdictions and as the remote workforce grows. Law firms need to be proactive in combating the risk associated with remote access and storage and the mobile workforce with an enterprise view of the total risk to the firm versus the traditional risk silos.

Cunningham: Security will continue to evolve under a risk management umbrella, but it will stand in line behind electronic information management and business continuity to get there.

Safran: We do see a shift in our larger clients that have implemented more centralized enterprise risk management structures and organizations. In some cases, these risk management functions report to the firm's general counsel or "director" of enterprise risk management. These functions are becoming increasingly responsible for information security, physical security, new business intake and file open functions, general compliance, records management or a combination thereof.

About our author

Adam Hansen, Sonnenschein Nath & Rosenthal LLP, is responsible for all information security, including setting policy, risk management, product selection and implementation, investigation and crisis management. Adam is also the president and founder of the National Security & Privacy Executive Roundtable, a user group dedicated to knowledge sharing among security professionals. Adam serves as Vice President of ILTA's Risk Management Peer Group. He can be reached at

© 2011 International Legal Technology Association