From cybersecurity to real, risk-based exposure management: the true power of resilience
20th January 2026 • Park Plaza Victoria, London, UK
Individual assets and vulnerabilities are the wrong focus. So how do you link technical security with business necessities?
Critical questions for legal firms – and their security teams
If you run any organisation, large or small, today, the best way to test your cybersecurity function is simply to ask, “are we 100% secure against a ransomware attack crippling the business?”. The answer will, in almost all cases, be “no”, and that is where all real conversations about cybersecurity should start.
In that discussion, ransomware is simply a placeholder for any type of attack that can disable critical business processes to the extent that the enterprise is materially affected. And to answer the question, the enterprise has to do a lot more than give the task to the CISO and rely on a security stack that focuses on specific threats without reference to enterprise risk.
Risk prioritisation requires a complete understanding of the minimum viable business, the processes and assets (end-to-end) which that business would need to run, and then an analysis of the IT systems and vulnerabilities implicated.
That requires the business, the CRO, IT and operational risk staff, the business continuity team, the cybersecurity team and senior management all to co-operate actively to put together a true picture of what the firm really is – in terms of the businesses, people and processes that cannot be lost. In all likelihood, this analysis has never been done before, and the pace of technical change probably means that the technology side of it has never been fully mapped either. Does anyone know every single element in a particular business process? If not, then no security team will be able to secure it.
So, is anyone really doing this outside those forced to by regulation? If not, do they understand the risk they are taking? How do they think about cybersecurity risk and how do they prioritise resources to mitigate it?
The ransomware question prompts dozens of others, and not only about resilience.
- Are you securing your firm — or just your IT department?
- If your firm had to publish its cyber hygiene metrics alongside its financials, what would clients think?
- Would your partners rather pay off attackers in silence than admit a breach to clients? Have they?
- How many nation-states already have a copy of your clients’ privileged information?
- Does your CISO have the authority to say “no” to a managing partner — and survive the day?
- When a breach comes, will clients sue your attackers — or sue you?
- If regulators demanded impact tolerances for law firms tomorrow, would you know what they meant, and could you produce them?
- Which is the greater insider threat: your employees, or your contractors?
- Why do firms with the world’s highest hourly billing rates still plead poverty on cybersecurity spend?
All of this boils down to moving away from vulnerability management, or securing the network, or securing the cloud, or securing applications. Dividing the enterprise up by its technologies is how a technologist would secure it. But as they themselves admit, technologists (and CISOs) struggle to articulate the business case for security spend.
They blame management’s lack of understanding of complex IT and the uncertainties of security. But managements are used to complexity and uncertainty – that is literally the business. So the real problem is security teams not talking about risk, about material exposures in terms of the business. Only by focusing on critical business processes and true resilience can security free itself from the impossible task that security, as it is currently managed, has become.