10th Securing The Law Firm
London, 19th September 2018
Law firms really are different, so how can cybersecurity be tailored to them?
Most often claims of exceptionalism are excuses for poor performance or inaction. But in the case of the legal sector, the claims are true. Most large organisations, even those formed by multiple mergers and acquisitions, are essentially one structure, capable of centralising key functions and responsibilities, and with at least the theoretical ability to impose standardization across even a multi-national footprint. Even smaller companies tend to be formed in ways that can overcome the problems that individual silos or personalities can bring to central functions such as finance, compliance and security.
Most law firms do not fit neatly into these typical corporate structures. Many of the large, cross-border firms use structures such as Swiss vereins or UK CLGs, which essentially allow firms to grow through M&A without actually having to properly fuse the various firms under the umbrella. These remain, to a far larger extent than in any normal corporation, separate businesses.
Within these diffuse structures, and also at smaller firms, the firms are further siloed by a partnership model in which each business unit is controlled by individual partners, making a law firm an agglomerate of many smaller businesses all operating under one roof, each with a powerful head suspicious of the centre and its costs.
This model makes centralised decision-making next to impossible. It stands in the way of innovation and long-term investment. And it makes processes which require centralisation and standardisation, such as finance, marketing, HR, compliance, technology and cybersecurity a nightmare – if they can be implemented at all.
These structures will have to change. But in the meantime, how can law firms ensure that they comply with core regulations such as GDPR? How can they implement even the basics of cybersecurity hygiene? And how can they hope to hire and keep security talent?