First Off Apologies and Thanks
As you can see, it is now Tuesday and I am finally getting the wrap-up posted which I had promised by last Thursday. I very much apologize for the delay. I was woefully unprepared for the amount of great information (plus fun and networking) this past week at ILTA and I am still somewhat recovering from the very busy week. I can honestly say that ILTA 2012 was simultaneously the most fun and most informative conference I have ever attended (which is a hard combination to pull off). I would like to echo the many tweeters and say a big thank you to the ILTA staff, volunteers, and especially the conference coordinators for putting on such a wonderful conference. I would also like to thank our ILTA-member friend Rebecca for originally telling us that the ILTA conference is a must-attend event.
Security at ILTA 2012
Here are just a few of the security themes from the many sessions I attended:
Client Security Requirements Increasing
This conference gave me the first chance to meet a wide range of people working on (and in some cases struggling with) the growing security demands being placed on law firms and legal IT professionals. One session put on by James Fortmuller named “Believe It or Not … You’ve Been Hacked” (#RRMPG4) was so crowded that many (including myself) were sitting in the aisles due to a lack of seats. (The slides for this session had a lot of good info and can be found on this page.)
It is clear that for most law firms, the increase in clients specifying security requirements or conducting assessments of the law firm environment was the driving force behind security initiatives. In the “Top Technology Issues for Law Firm CIOs in 2012” (#TECH9) session, which had good attendance, only two audience members indicated they had NOT received some type of client security review or questionnaire. One audience member remarked that he had spent about 200 hours in the past year responding to such inquiries.
Lots of Interest in ISO 27001
To meet these increasing client security requirements some law firms are seeking ISO 27001 certification, and there were two good sessions presenting firsthand knowledge on the challenges and rewards of ISO certification. The first, “Differentiate Your RFP from the Competition with ISO Certification” (#RRMPG1), discussed increased client demand and how ISO certification might streamline the assessment process and reduce costs for a law firm.
The second session, “ISO 27001/27002: What Can They Do For Me” (#TECH11), was engagingly moderated by Brian Lynch of IntApp and featured three great panelists, all of whom had managed a law firm’s ISO certification effort. During the session they polled the audience and found that only two people in the audience worked for firms that had completed the certification process. However, about half the audience expressed some interest in pursuing certification or alignment (alignment means that you follow the ISO standard but without going through the external audits to receive a certification). This was an information-packed session with lots of great pointers, most of which were given verbally, so I think the session recording may be an even better resource than the slide deck. Here are just a few of my highlights:
- You don’t have to certify your whole environment. Narrowing the scope to the most critical systems can have a huge impact on the work required to achieve certification.
- Once the scope is identified, ensure you focus heavily on data classification to identify what matters most to the law firm within that scope.
- ISO 27001 focuses on risk management and continuous improvement. Get started and then get better over time.
To read more about ISO 27001, be sure to check out the ISO 27001 article in ILTA’s award-winning Peer-to-Peer magazine by Renee Murphy, one of the panelists at this talk.
LegalSEC Comes Together
It was clear that some of the attendees interested in the ISO 27001 sessions came from small to medium-sized firms who were concerned about the level of effort and investment needed to achieve certification. Indeed, ISO 27001 certification can be daunting even if you follow the panelists’ advice and narrow the scope. Regardless of the framework one chooses, managing security on a small budget can be quite difficult. This is especially true given that the ever-growing number of cyber threats and client demands is often not matched by a corresponding increase in budget.
Like any great community organization, ILTA sees the security challenges as an opportunity to serve its members and recently announced the LegalSEC initiative, a new working group focused on law firm security. Randi Mayes, Executive Director of ILTA, announced the mission statement for this organization back in May of 2012:
"To enhance the delivery of secure services to clients by raising and maintaining security awareness and by providing an asset protection framework for law firms"
One of our primary reasons for attending ILTA was to get more information about LegalSEC and how Carlson & Wolf might use it to help provide direction to law firms looking to improve the firm’s information security posture.
During the ILTA Annual Meeting luncheon, Robert Dubois (liaison between LegalSEC and ILTA’s board of directors) described the initiative as the “brainchild of Carlos Rodriguez,” who leads the initiative. Carlos wrote the feature article in the current Peer-to-Peer magazine on LegalSEC, where he outlined five primary objectives:
- Analyze and Adapt Current [Security] Standards
- Deliver a Set of Policies and Procedures Templates
- Recommend Technical Controls
- Provide Security Awareness Program Template
- Create More Networking Opportunities/Information Sharing
Please check out the article for yourself to read more about the objectives from Carlos himself.
LegalSEC leaders created a lively information sharing opportunity on the last day of the conference at the official LegalSEC session where the audience was split into three groups to discuss three different topics: Technical Controls, Policies and Procedures, and Security Awareness Training.
I joined the initial security awareness group and heard great feedback from a number of members about the challenges of implementing a training program in their firm. There were also some helpful suggestions for addressing the issues by other members (offer CLE, offer content in short videos to provide flexibility, etc.). It served as a brainstorming session and helped solicit a number of good ideas.
For more information on law firm security awareness training please read our article in ILTA’s Peer-to-Peer magazine titled “Train to Strengthen Security’s ‘Weakest Link’”
After a short while, the groups swapped topics and my group discussed technical controls where we again shared information and questions about best practices. This topic was much broader and the easel used to take notes had three or four full pages before we ran out of time. I wish we had had more time to systematically go through the SANS Top 20 list because I kept suggesting controls only to learn they’d been written on a previous page (I blame it on the early morning session).
Unfortunately, we ran out of time before we got a chance to fully discuss the “Policies and Procedures” topic, but the facilitators promised to collect the information and provide it back to the members, so hopefully it will be published and shared.
Based on the energy and enthusiasm displayed during this session, I’m confident that LegalSEC will have strong participation and hopefully deliver some quality security resources in the near future. If you would like to participate, please reach out to Carlos Rodriguez using the contact information contained in his Peer-to-Peer article.
Other (Non-security) Thoughts On ILTA
The Twitter Effect
Twitter was in heavy use throughout this conference and I had a great time participating in the discussions. ILTA conference organizers did a really nice job of managing the hashtags for the various sessions as well as encouraging a conference-specific hashtag (#ILTA12).
It was interesting to see tweets coming out of the other sessions and in one case, they made me jump up and run down the hall to catch some security discussions in a non-security session. I also tried to do my part by sharing some of the big ideas from my own sessions with @ajcsec. There were lots of great tweeters but I’m going to dub @jeffrey_brandt and @VMaryAbraham the King and Queen respectively. Honorable mentions go out to @Tim_Golden, @InsideLegal, @MLSandler, @sperris13, @bren924 and many, many more!
THE Place To Be For Legal Vendors
Based on the huge number of vendors and vendor events, everyone seems to agree that ILTA is THE place to meet potential clients. ILTA does a great job of providing the vendors ample opportunity to engage with members but also ensuring that they do not overwhelm the community-based atmosphere and member-to-member connections. We attended as consultants meaning we were classified as vendors but participated in sessions alongside the ILTA members (which was perfect for us).
Attention Vendors: Get Legally Educated
On the topic of vendors, I also really want to thank ILTA and the great people at InsideLegal for putting on the “ILTA/InsideLegal Vendor Education Program.” This session was meant to be a law firm primer and provided a lot of great information about the conference and legal industry as a whole. ILTA clearly wants their vendor partners to succeed and I was pleasantly surprised by the level of candor and pragmatism in the advice that was offered. I also can’t speak highly enough about JoAnna Forshee & Jobst Elster of InsideLegal, who clearly know this industry extremely well and were more than willing to share their great advice after the session ended and throughout the conference.
Despite the 1000+ vendor representatives in attendance at ILTA 2012, this session was only half full, meaning some vendors missed out on a great opportunity to learn more about successfully engaging the legal industry and its professionals. I highly recommend attending next year’s vendor education program for anyone focusing on the legal market. I got a lot out of it. Finally, I wanted to thank the veteran ILTA vendors and consultants who went out of their way to share advice and ideas; much appreciated.
ILTA 2013 Countdown Begins
I truly had no idea what to expect as a first-time attendee of the ILTA conference. I knew it was going to be big based on the venue and anticipated number of attendees (and lack of available hotel rooms in the gigantic Gaylord National). However, I didn’t think it would be quite so engaging and was pleasantly surprised by the number of great conversations I had over the course of the week and the number of new friends I made. I was so excited to put some faces to names and have a chance to really engage the legal IT community in substantive discussions. Having met so many people, next year will be even better, as there is no doubt that Carlson & Wolf will be attending ILTA 2013 in Las Vegas.
Thanks so much again to ILTA for the wonderful program and all of the speakers who chose to share their knowledge.
[Edited 9/4/2012 for minor language and punctuation errors]