The landscape is shifting rapidly in the field of cyber security, and this poses a real challenge for all law firms, both in terms of having the technology in place to ensure their organisation, employees, and clients remain safe, but also finding the money and people to make this happen.
Given cyber attacks on UK law firms in 2018 equated to over £11m of client money being stolen and over 60% of legal companies experienced an information security incident in the same timescale, our industry is simply not cyber ready…yet.
Faced with the challenge of embedding the necessary resources to make their firms cyber ready in a manner which is robust, timely, and cost-efficient, law firms often do not know the options available to them. In this article, we provide advice for law firms who are unsure where to find the necessary cybersecurity skills, by looking at in-house vs outsourcing, externally managed services, and hybrid resourcing models for embedding security expertise.
Do I need to hire a team of cyber security specialists?
To achieve your goal of implementing robust cyber secure systems across your operation, regardless of scale, you will need to need to invest in people with specific skills in the domain of cybersecurity. This is not a task which should be deferred solely to your existing IT team or to another member of staff if they have no experience or strong understanding of the threats, risks, mitigations, strategies and technologies involved. This is not to say that existing resources should not be utilised and ‘up-skilled’ over time, but from the outset, securing the right level of expertise will pay dividends.
But, while cyber skills are necessary, they are in hot demand globally, with correspondingly high salaries. This is not helped by the fact there is now an ongoing cybersecurity skills gap, with demand far outstripping supply. There are also new roles emerging in this space, for example, many large organisations (not necessarily legal) are hiring Security Awareness Managers, whose role it is to ensure company-wide compliance in relation to IT security and data.
Faced with the reality of needing the skills but in a tight market for such expertise, law firms can consider taking on cyber specialists on a more flexible basis, either by outsourcing their needs entirely, hiring in-house where the need is warranted, or mixing the two approaches.
In-house vs outsourcing cyber security expertise
The skills required to handle the cyber security needs of an organisation are vast. These include hardware implementation and configuration, maintenance and administration, architecture and design, training, penetration testing, software development, detection of breaches, forensics, cryptography, and many other areas. And the larger the law firm, the bigger the team needed to manage the cyber needs of the organisation.
Pros and cons of an in-house team
An in-house cyber security team means you can construct a team which is dedicated to your precise needs and is dedicated solely to your organisation (i.e. not working for other companies at the same time). This affords greater control and the confidence that they understand your business. On the flip side, the cost of hiring such a team may be considerable, and there may be a large amount of time to ‘ramp-up’ to readiness. There is also the potential that by trying to do everything in-house, the people tasked with cybersecurity management may be spread too thinly, or there may be large skills gaps.
Pros and cons of out-sourcing
Managed Security Service Providers (MSSP) are now in great demand by organisations seeking to implement robust cybersecurity strategies. These external providers specialise in the monitoring and management of security devices and systems, providing managed firewalls, intrusion detection, virtual private network, vulnerability scanning and anti-virus prevention. They also use security operation centres to provide round-the-clock services. Importantly MSSPs already have the certification, IT systems, real-world experience, and skills to handle cybersecurity. You may also hear this referred to as ‘Cybersecurity-as-a-Service’ (CSaaS). From a cost perspective, organisations which specialise in providing security as a service often do so for a fixed monthly fee – which will be considerably cheaper than hiring an in-house team. They also learn from cyberattacks, threats and issues which are affecting their other clients, and hence can confer the benefit of this learning to your firm.
The disadvantage of an out-sourced cyber security team is that they will not be as acquainted with your organisation, people, and structure as your own in-house staff. That said, many outsourcing firms work hard to overcome this limitation, and regularly make themselves familiar with their client’s businesses.
Mixed models for cyber security resourcing
It also makes strong sense for a mixed approach to cyber security resourcing to be considered. This can work in different ways. One way is for an in-house member of your team to use a ‘Virtual Security Operations Centre’ (VSOC); a ready to go third-party external cloud-based solution which enables monitoring, testing, and response to cyber threats. This approach is relatively low cost and negates the need to purchase and implement an expensive suite of cybersecurity tools and systems but leverages in the in-house knowledge of your firm.
Another way to implement a mixed approach is to have a small number of core cyber security-focused staff within your law firm who partner and work closely with a team of outsourced resources. This means you have the confidence that dedicated in-house staff are ultimately responsible and keeping abreast of your firm’s cyber needs, but they are working closely with external technical and domain expertise, forming strong processes, procedures, and working relationships.
In conclusion
Whether your law firm is at the start of its cyber security journey, or you are looking to increase the maturity of your cyber strategy and capabilities, it is essential to remember that you have a range of options for finding the people and skills necessary to make sure your firm and clients are safe. Cost and lack availability of skills and people are absolutely no barrier to cyber readiness. Depending on the scale of your law firm’s operation, you may elect to choose a cloud and service-based cybersecurity strategy to entirely handle your cyber security needs, allowing your business to focus on its core legal focus. Whichever option you choose, don’t delay; cyber criminals are getting stronger by the day and won’t wait for your firm to be fully cyber ready.
