By Kenny Tung, In-Gear Legalytics
Cybersecurity used to be viewed as black magic. From a non-technical, user or customer perspective, most people are happy for the IT folks to "just make it work", on the basis that "no news is good news".
This sentiment is familiar to lawyers, who are commonly viewed as the people to call when things go wrong, the keepers of checklists of past experience and the people who sweat the details in a dispute or complex negotiation, and who are to be avoided in most other situations.
In a recent McKinsey podcast, Nathaniel Gleicher, head of cybersecurity at Illumio, raised a number of challenges facing the cybersecurity industry that echo many of the challenges facing legal professionals.
The perception of cybersecurity has recently changed because of the increasing scope and scale of breaches, organisations' move into exposed environments and the emerging internet of things.
Gleicher observed that if we made cars the way we make computers and software, they would go 800 kilometres an hour, travel 200 kilometres on a litre of fuel and blow up once a week. In the cyber world, surprisingly small software bugs are increasingly capable of causing significant cascading physical effects.
Legal environments are also getting more complex. There are more regulations, globalisation is driving greater cross-border complexity, changes to rules are happening faster and more frequently, rule-making is routinely falling behind macro drivers amid turbulent socio-economic and technological shifts, and corporations are routinely being targeted by social discontent as society demands a higher bar for compliance. On top of these challenges, social media amplifies the threat of reputational risk.
In response to this threat environment, cybersecurity professionals are increasingly expected to quantify the risks and measure the benefits of their solutions. Likewise, today’s clients of legal services expect analysis and insights from data, and demand solutions to legal issues to be based on what lawyers know and not just what they think.
Yet Gleicher complains that the cybersecurity market can sometimes act like a group of fourth graders playing soccer — the whole bunch chasing the ball across the field rather than playing a coordinated game with big-picture coverage. Hot topics and best practices — encrypting data, strong passwords, whitelisting applications, segmenting environments, patching vulnerabilities — do surface but are not generally put into practice, because of the difficulty of accomplishing them at scale across large organisations.
By the same token, lawyers continue to value legal complexity above solving business problems. Billable hours aside, their reason for existence is mostly about the latest case, rule-making and gossip. Best practices are talked about but not often put into practice, mostly because of a culture of practising law for the sake of jurisprudence, a lack of legal savviness among clients and a general dearth of progress in developing lawyers into T-shaped professionals who solve problems holistically across organisational silos.
The main cybersecurity challenge today concerns the lack of a single coherent strategic model that prescribes how to protect an environment. While many tactical models exist, companies are starting to figure out how to see the threat as a whole.
Most companies do not have, or are not aware of, a corporate legal strategy that is integral to the business or corporate strategy. Legal strategies come up mainly in major disputes, in rule-making with significant impact on an industry or in bet-the-farm transactions.
Understanding the environment
In principle, the foundation of every security discipline is to understand the environment to be protected and to exert control over it: preventing access, detecting intrusions and responding to them. Yet when it comes to cybersecurity, most organisations live with a general lack of clarity about what the network is, what is connected to what and where the high-value assets are. As a result, they end up with relatively few options to control the environment, and find themselves defending an open field, stuck in a reactive position to attackers' moves.
In the legal space, most lawyers work at their desks, even if they are considered to be co-located with their clients. A majority rarely work across corporate silos, despite the fact that the legal function supports every business unit and function. Few lawyers have a close-up and thorough appreciation of what their colleagues and internal clients do or what their vital interests are. Even fewer are engaged with the client at the strategic level; they are usually called upon only after something has gone terribly wrong or after opportunities for an easier solution have been missed, leaving no option but to call in the clean-up team. At that stage, whether in dispute resolution or an investigation, it is convenient to shift part of the responsibility to the legal team if the outcome is unsatisfactory. This is all too common as we stand at the threshold of an era in which compliance is called upon to graduate from aspirational to strategic and from remedial to preventive.[1]
Better detection and response in cybersecurity starts with understanding the environment: the business risks, and the assets on which the corporate strategy, initiatives and operations rely and which, if exposed or compromised, would fundamentally harm the way the business operates. Take how the Secret Service protects the U.S. President before a speech in an auditorium, an open environment. The main exercise is to reduce the number of attack angles to monitor by restricting public access. This simplifies the environment to be controlled, which makes detection much easier: false positives and false negatives become manageable, breaches become more obvious, reaction can be faster and alerts can be prioritised according to the threat to the highest-value assets.
Similar considerations call for practising preventive law and even helping to drive corporate and business strategies. Beyond conversations with business colleagues in the canteen, to truly appreciate the business environment and its risks, lawyers should regularly walk the shop floors, join sales calls, meetings with suppliers and product development gate conferences, and generally maintain an immersive experience of the business processes where legal input may matter. This will enable legal to start looking at risks as a whole, as a portfolio, in a measured, prioritised and practical manner. In addition to connecting opportunities with commensurate risks, we will look at risk management in terms of minimising false positives, which overwhelm limited resources, and false negatives, which shift the focus of solutions away from the legal function and damage, or even end, the organisation. All of this must be grounded in the organisation's strategic priorities and negotiated across people, process and systems — also known as corporate culture.
Cybersecurity is an organisational solution, not just a response to a technical problem. There are many touch points: computers, systems, employees and third parties. Applying basic security hygiene (passcodes, basic caution in online activity and controls over people) at every chink in the armour will eliminate half of the problems. As with other areas of compliance, everyone has a role to play.
The modernised legal function starts by deriving a living corporate legal strategy from the organisation's strategy, to serve as the basis for legal decision-making and solutions, especially in an era of precise, data-driven interaction. Starting with streamlining legal work processes and automating tasks that were previously thought to be bespoke and uniquely handled, lawyers, like every function, will use change management to tackle a more complex environment by simplifying it rather than resorting to pure legal complexity and uncertainty. This means shifting our own and others' expectations of what the modern legal function can achieve, and playing a part in linking up resources and insights across businesses and functions. This mission for the legal function is not a nice-to-have; it is critical for the function to be ready to work with the "internet of legal things", working with clients and designing an environment that addresses problems faster, better and at commensurate cost.
As with other changes, a successful legal function transformation is prescribed by the four Cs across an organisation:
- Command — Top-down leadership that drives change through interdisciplinary cooperation and a common purpose, not just a legal department project;
- Connection — With the strategy to shape and sustain a business model to satisfy customer needs — not technology for technology’s sake — and ultimately with the customer’s value proposition;
- Culture (and Capability) — Especially toward collaboration and creativity in problem solving in a digital world, and more proactive thinking like an enterprise owner;
- Commitment — To stay the course as transformation requires alignment of disparate interests and keeping an eye on moving the needle over twists and turns.
While the legal profession is no exception in needing to leverage technology to keep up with how the world works, when it comes to working with people and their relationships with their organisations and the world, lawyers can return to the roots of their expertise, which lies not just in the law but in the underlying relationships between parties who are ultimately human.
Kenny Tung has been advising companies on strategic projects and transactions through Lex Sigma. He also co-founded In-Gear Legalytics to serve providers, clients, developers and investors in the legal service value net. Previously Kenny served as the chief legal counsel of Geely Holding and before that as general counsel in Greater China or Asia at a number of multinationals that are also household names.
- [1] "Five Currents Pointing To Compliance As A Strategic Function," Kenneth Tung, LinkedIn post, May 17, 2017; first published in Compliance Elliance Journal, Volume 3, Number 1, 2017.