Hong Kong

By Kenny Tung, In-Gear Legalytics

Email: kenny@iglegalytics.com

 

Cybersecurity used to be viewed as black magic. From a non-technical, user or customer perspective, most people are happy that the IT folks “just make it work” and “no news is good news”.
This sentiment is familiar to lawyers, who are commonly viewed as people to call when things go wrong, keepers of checklists of past experience, and those who sweat the details in a dispute or complex negotiation, and who are to be avoided in most other situations.
In a recent McKinsey podcast, Nathaniel Gleicher, head of cybersecurity at Illumio, raised a number of challenges facing the cybersecurity industry that echo many of the challenges facing legal professionals.

Complexity
The perception of cybersecurity has changed recently due to the increasing scope and scale of breaches, organisations’ move into exposed environments and the emerging internet of things.
Gleicher observed that if we made cars the ways we make computers and software, they would go 800 kilometres an hour, travel 200 kilometres on a litre of fuel and blow up once a week. In the cyber world, surprisingly small software bugs are increasingly capable of causing significant physical chain effects.
Legal environments are also getting more complex. There are more regulations, globalisation is driving greater cross-border complexity, changes to rules are happening faster and more frequently, rule-making is routinely falling behind macro drivers amid turbulent socio-economic and technological shifts, and corporations are routinely being targeted by social discontent as society demands a higher bar for compliance. On top of these challenges, social media amplifies the threat of reputational risk.
In response to this threat environment, cybersecurity professionals are increasingly expected to quantify the risks and measure the benefits of their solutions. Likewise, today’s clients of legal services expect analysis and insights from data, and demand solutions to legal issues to be based on what lawyers know and not just what they think.

Strategic failure
Yet Gleicher complains that the cybersecurity market can sometimes act like a group of fourth graders playing soccer — the whole bunch chasing the ball across the field rather than playing a coordinated game with big-picture coverage. Hot topics and best practices — encrypting data, strong passwords, whitelisting apps, segmenting environments, patching vulnerabilities — do surface but are not generally put into practice because of the challenges of accomplishing them at scale across large organisations.
By the same token, lawyers continue to value legal complexity above solving for business problems. Billing hours aside, their reason for existence is mostly about the latest case, rule making and gossip. Best practices are talked about but not often put into practice, mostly due to the culture of practising law for the sake of jurisprudence, lack of law savviness among clients and general dearth of progress in the development of lawyers as T-shaped professionals to solve problems holistically across organisational silos.
The main cybersecurity challenge today concerns the lack of a single coherent strategic model that prescribes how to protect an environment. While many tactical models exist, companies are starting to figure out how to see the threat as a whole.
Most companies do not have, or have not known, a corporate legal strategy that is integral to the business/corporate strategy. Legal strategies come up mainly in major disputes, rule-making with significant impact on an industry or bet-the-farm transactions.

Understanding the environment
In principle, the foundation of every security discipline is to understand the environment to protect and to exert control over it, such as through prevention of access, detection and response. Yet when it comes to cybersecurity, most organisations live with a general lack of clarity in defining what the network is, what is connected to what and where high-value assets are. As a result, they end up with relatively few options to control the environment, and find themselves defending an open field, stuck in a reactive position to attackers’ moves.
In the legal space, most lawyers work at their desks, even if they are considered to be co-located with their clients. A majority rarely work across the corporate silos despite the fact that the legal function supports every business unit and function. Few lawyers have a close-up and thorough appreciation of what their colleagues and internal clients do or what their vital interests are. Even fewer are engaged with the client at the strategic level and are usually called upon only after something has gone terribly wrong or opportunities for an easier solution were missed, leaving no option but to call in the clean-up team. At that stage, whether in dispute resolution or an investigation, it is convenient to shift part of the responsibility to the legal team if the outcome is unsatisfactory. This is all too common when we stand at the threshold of an era where compliance is called upon to graduate from being aspirational to strategic and from remedial to preventive.[1]
Better detection and response in cybersecurity starts with understanding the environment — the business risks and the assets that the corporate strategy, initiatives and operations rely on, which, if exposed or compromised, would fundamentally harm ways of doing business. Take how the Secret Service protects the U.S. President before a speech in an auditorium (an open environment). The main exercise is to reduce the number of attack angles to monitor by restricting public access, thus simplifying the environment to control, which makes detection much easier — managing the false positives and false negatives, making breaches more obvious and enabling speedy reaction, prioritising alerts of threat to highest-value assets.
Similar considerations call for practising preventive law and even helping to drive corporate and business strategies. Beyond conversations with the business folks in canteens, to truly appreciate the business environment and risks, lawyers should regularly walk the shop floors, join sales calls, meetings with suppliers, product development gate conferences and generally maintain an immersive experience with business processes where legal input may matter. This will enable legal to start looking at risks as a whole or a portfolio, in a measured, prioritised and practical manner. In addition to connecting opportunities with commensurate risks, we will look at risk management in terms of minimising false positives that will overwhelm limited resources, and false negatives that will shift the focus of solutions away from the legal function and damage, or even end, the organisation. All must be grounded on the organisation’s strategic priorities and negotiated across people-process-system — also known as corporate culture.

Organisational solutions
Cybersecurity is an organisational solution, not just a response to a technical problem. There are many touch points — computers, systems, employees and third parties. Applying the basic security hygiene (passcodes, basic caution in cyber activities and people control) at all chinks in the armour will eliminate half of the problems. As with other areas of compliance, everyone has a role to play.
The modernised legal function starts with deriving a living corporate legal strategy from the organisation’s strategy, to serve as the basis for legal decision making and solutions, especially in an era of precise interaction based on data analysis. Starting with streamlining legal work processes and automating tasks that were previously thought to be bespoke and uniquely handled, lawyers, like every function, will leverage change management to tackle a more complex environment by simplifying it rather than resorting to pure legal complexity and uncertainty. This means shifting our own and others’ expectations of what the modern legal function can achieve and playing a part to link up resources and insights across businesses and functions. This mission for the legal function is not a nice-to-have, but is critical for the function to be ready to work with the “internet of legal things”, working with clients and designing an environment that addresses problems faster, better and within commensurate costs.
As with other changes, a successful legal function transformation is prescribed by the four Cs across an organisation:

  • Command — From a top-down leadership to drive change which rests with interdisciplinary cooperation and a common purpose, not just a legal department project;
  • Connection — With the strategy to shape and sustain a business model to satisfy customer needs — not technology for technology’s sake — and ultimately with the customer’s value proposition;
  • Culture (and Capability) — Especially toward collaboration and creativity in problem solving in a digital world, and more proactive thinking like an enterprise owner;
  • Commitment — To stay the course as transformation requires alignment of disparate interests and keeping an eye on moving the needle over twists and turns.

While the legal profession is no exception in the need to leverage technology to keep up with how the world works, when it comes to working with people and their relationship with their organisations and the world, lawyers can return to the roots of their expertise, which is not just the law but the underlying relationship impacting parties who are ultimately human.

 

Kenny Tung has been advising companies on strategic projects and transactions through Lex Sigma. He also co-founded In-Gear Legalytics to serve providers, clients, developers and investors in the legal service value net. Previously Kenny served as the chief legal counsel of Geely Holding and before that as the general counsel in Greater China or Asia at a number of multinationals that are also household names.

 

End Note:

  1.  “Five Currents Pointing To Compliance As A Strategic Function,” Kenneth Tung, LinkedIn Post, May 17, 2017; first published in Compliance Elliance Journal, Volume 3, Number 1, 2017.

 

 

http://www.iglegalytics.com
