CIO.com recently cited a study from risk-based security compliance company Tripwire, entitled "Security Metrics Are Undervalued, Misunderstood". When it comes to the intersection of business and IT regarding security, there are a few issues that stand out. One issue is that security metrics are too technical and senior executives typically don't understand them. Then, there's the business side that doesn't believe security is as important as other "pressing issues".
The key to proper enterprise security is ensuring you have your bases covered (that is, establishing metrics and measures that help you benchmark your firm's security and privacy health) and finding a way to communicate the importance of those metrics, measures and security tools to the executives.
For the first part of that challenge, I thought back to one of my favorite sessions at ILTA LegalSEC Summit in June - "LegalSEC Top 10: Improve Your Security Posture" which was presented by Tim Golden (McGuire Woods LLP) and William Kyrouz (Bingham McCutchen LLP). Below I've taken the Top 10 list from my tweets during that presentation, but you can review the presentation here.
- Formalize patch management - Make sure people are rebooting their computers often instead of just putting them to sleep.
- Minimize use of elevated privileges.
- Implement multi-factor authentication (the third way to increase security). This causes the most pushback but is necessary.
- Leverage your entire security suite. Know what you own & use it.
- Talk to your vendor partners and find out what you own that you aren't using.
- Whitelist Your Applications. William Kyrouz recommends reviewing the Australian DSD Top 35 list.
- Secure your web & email gateways. Block "bad stuff" but have HR's guidance.
- Network with peers. It makes all firms a harder target.
- Setup intrusion detection/prevention. "IDS is the gateway drug for security controls".
- Clean up your policies. Make sure they're communicated clearly (without acronyms) & explain why.
- Key policies to have in place: acceptable use, mobile device, change management, incident response policy.
- Formalize information security awareness. Educate new hires; refresh annually; track your efforts/results.
- Audience poll: How many have an intrusion detection system? about 30% hands raised
- Audience poll: How many have anti-virus system? 100% hands raised
- Mobile device policies gaining popularity include language stating that mobile devices will be wiped upon leaving firm.
- Containerization (content syncing) is a new feature for modern mobile device management.
- Real world security metrics: analytics; anomaly detection; risk management; auditing & continuous monitoring; forensics.
- BlackBerry 10 is getting a few attendee nods in terms of user adoption and support; still an extremely small amount, not market ready.
- When managing mobile ... establish device policy, review it, establish mobile teams, involve risk attys/HR, create approved device lists.
What else is on your firm's list? What are you struggling the most with as it relates to this topic? You would think "getting executives' attention and buy-in" would be a no-brainer at this point, but then again, many so-called topical experts and prominent media outlets (including the WSJ and New York Times) blamed Big Data analytics and data mining as a major reason the Edward Snowden NSA leak happened, NOT the blatant negligence and ignorance of security and privacy protocols and policies. So, the moral of the story: don't assume your bosses get it ... present the business case, articulate the business continuity implications, and you should see heads nod and hopefully related technology and services purse strings loosen.