Jamie Herman, Manager of Information Security – Ropes & Gray LLP

Lisa Markey, Director Information Security - Shearman & Sterling LLP

Chris Yule, Managing Security Consultant - Dell SecureWorks

Security Strategy Focus: Building a Successful Security Team and Program in Legal

A Little About Us…

Today’s Agenda

The developing role of information security

teams in law firms

Best practices for developing a successful

strategy

Common IT areas to focus initial efforts on

Firm business areas to focus initial efforts on

Takeaways

New Security Programme?

The KEY to success

…AT ONCE

SecureWorks

Characteristics of a

Security Strategy

Characteristics

Risk-based

Alignment with firm goals

Senior leadership support

People and Process

Technology as a tool, not a goal

Assume you will be compromised

Vision – looking ahead down an unknown road

SecureWorks

Strategic Focus Areas

SecureWorks

Understand the

Extended Enterprise

Understand firm organizational goals, and align with them accordingly

Identify the key information assets

Understand where they’re stored, who has access to them, how they’re protected

Identify the risks to those assets

1

2

3

4

Look beyond the organisational boundary? 5

Understand the Extended

Enterprise

Understand what’s happening in your firm

SecureWorks

Increase Visibility

Increase Visibility of Threats

and Vulnerabilities Security Maturity Assessments

Collect and monitor all of your security events

Host and Network-based IDS/IPS to inspect user activity

Apply threat intelligence

1

2

3

4

Vulnerability Scans, Penetration Tests, Patch/Configuration Management 5

What’s the problem?

Understand the players

Detect anomalies

SecureWorks

Build a Culture of

Security

Build a Culture of Security

Make everyone responsible for their own role in protecting information

Put in place a person who is accountable for security

Bring together a steering group involving stakeholders from across the organisation

Get top management backing for information security

1

2

3

4

We’re stronger working together than apart

SecureWorks

Train Your Users

Train Your Users

Build a layered security awareness program

Include Security Essentials, Organisation-Specific and Role-Specific training

Training as a continuous exercise

Train up as well as down

1

2

3

4

Test effectiveness of your training 5

Keep it Simple…

SecureWorks

Be Prepared to

Respond to Incidents

Be Prepared to Respond to

Incidents

Build a tried and tested incident response process

Formalise roles and responsibilities in every type of incident

Understand where your logs are and how to get access to them

Ensure organisational boundaries won’t get in the way

1

2

3

4

Have pre-arranged relationships you can call on if you need it 5

Where to focus…

Elevated privilege accounts

Local admin accounts?

Shadow IT

Critical systems

Public facing systems

Finance and other critical business units

Takeaways

Understand the environment internally and externally

Prioritize risks and recommend mitigating controls

Work with the business to make everyone aware of risks

Change the culture of security from the top down

Collaborate with your peers at other firms and industries

Thank You