Most law firms know that cybersecurity is an important issue, but only half have a cybersecurity team in place, a third don’t have cyber liability insurance and a fifth don’t have any data breach plan prepared.
Without these precautions in place, these law firms are putting their practice at risk for a data breach that could cost them their business.
The easiest way to remediate these problems is by hiring a Chief Information Security Officer, or CISO, who can take ownership over all security matters. In addition to protecting the business, they can ensure that a law firm adheres to all relevant compliance requirements and respond to any cybersecurity issues in a way that protects the firm.
Let’s take a look at the cybersecurity risks facing law firms, why they should hire a CISO and how they can access the same expertise at a fraction of the cost with a virtual CISO, or vCISO, such as the Lockstep Technology Group.
What is a CISO?
Most law firms have a Chief Information Officer (CIO), but the Chief Information Security Officer (CISO) role is less common, particularly in smaller law firms with limited budgets. But, before diving into the CISO role and why it may be necessary for law firms, it’s helpful to understand the differences between CIO, CISO and other technology-related roles.
- Chief Information Officers, or CIOs, are responsible for information technology resource management, including policy development, standard operating procedures, training, budgeting and planning project lifecycles.
- Chief Technology Officers, or CTOs, may report to the CIO and focus on longer-term issues and the integration of new technologies, but they don’t exist in every practice.
- Chief Information Security Officers, or CISOs, are responsible for monitoring and analyzing potential security risks in an organization. While CIOs may be familiar with security, they have a much broader mandate.
The rise in data breaches and other cybersecurity risks has led to the development of the Chief Information Security Officer (CISO) role, which has become increasingly commonplace within the legal industry. Given the importance of compliance and security issues in modern law firms, the CISO role has also risen to become a true C-level executive position.
The average CISO makes upwards of $181,403 in the United States, according to Glassdoor, with much higher salaries in metro areas. These high costs have made the position difficult to fill for many smaller law firms, but most medium to large law firms have CISOs in place.
Why You Need a CISO
Law firms are one-stop shops for hackers since they hold sensitive information — such as trade secrets, business plans and personal data — from multiple clients. A single data breach could provide a treasure trove of information. As a result, cybersecurity has become a major professional responsibility and liability threat facing the legal profession.
Nearly one in four law firms have experienced a data breach at some point, according to the ABA 2018 Legal Technology Survey, which is up from just 15 percent of law firms in 2013. About half of all law firms reported infection with viruses, spyware or malware, which could have compromised sensitive customer data or exposed the network to attack.
In addition to data breaches, there are also compliance requirements that law firms must meet. For instance, law firms working with healthcare organizations are required to adhere to HIPAA requirements for data security. A failure to meet these compliance requirements could result in significant liability if a data breach were to happen.
CISOs can help address both of these key concerns: Their primary mandate is to eliminate cybersecurity vulnerabilities and ensure that security measures meet compliance requirements. Without a dedicated CISO, it’s easy for a CIO to become overwhelmed with meeting their other responsibilities and taking ownership over these sensitive security matters.
How to Afford a CISO
Most large firms already have a dedicated full-time CISO in place, but small firms may struggle to afford a six-figure salary. At the same time, a law firm with a single location may not even require a full-time CISO position. A great alternative is a Virtual CISO, or vCISO, which is a part-time or outsourced CISO that takes charge of security initiatives.
If you’re on the fence about hiring a CISO, consider hiring an independent party to perform a risk assessment that analyzes your firm’s security and quantifies the number of vulnerabilities. The results should indicate whether you can manage to fix the vulnerabilities on your own, or if you need to bring in expert assistance in the form of a CISO or security contractor.
Lockstep Technology Group provides vCISO solutions with legal industry experience helping clients like Drew Eckl & Farnham LLP. Rather than hiring a dedicated CISO, our clients bring us in to work on site for a set number of days per week. Our contractors develop a seamless knowledge of the organizations they work for, and most clients treat them as they would any other staff member.
The Cloud Beta Project podcast recently discussed the vCISO role with Jason Landers, Director of IT for Drew Eckl & Farnham LLP, a prestigious law firm in Atlanta, who hired Lockstep Group to provide vCISO services to their firm.
“When we did that first audit, there was a lot that we needed advice on,” says Landers, Director of IT at Drew Eckl & Farnham LLP. “[Lockstep Technology Group] ran through, point by point [all of these requirements]… They were the ones that ultimately helped to drive and facilitate that long-term remediation build … through the vCISO offering.”
The Bottom Line
Law firms face significant cybersecurity risks stemming from their sensitive client data. By hiring a CISO, they can mitigate the risk of a successful cyber attack and protect their firm from a catastrophic data breach, as well as meet any other compliance requirements. vCISOs are a great option for smaller firms that can’t afford a full-time CISO.
Contact Lockstep Technology Group today to learn more about our vCISO options and how we can help your law firm secure your existing assets, meet compliance requirements and adhere to cybersecurity best practices over the long term. In addition, we provide virtualization, cloud services and other IT services designed to help law firms make the most of their IT budgets.