
ILTACON on IT Security: Unsolvable vs. Risk Management

A Ridiculously Frightening ILTACON Session on IT Security

Following a high profile breach, a major bank said it was doubling its security spend. To Josh Goldfarb, it underscores everything that’s wrong with the current philosophy in IT security.

“You can throw that money in the fire, but it doesn’t mean you improved your security,” he said in an ILTACON session titled “Peeling Away the Many Layers of Intrusion” (#ILTA027). His point was clear: how money is invested in security may be just as important as how much is invested.

He may have some insights worth listening to: His ideas have been published by the technology trade publication Information Week, the Information Systems Security Association Journal, and even technology research firm Gartner.

“Security is an unsolvable problem”

Mr. Goldfarb says he isn’t much for sound bites such as “security is an unsolvable problem.” This is because these sayings are rather meaningless.

“Swallowing the ocean is an unsolvable problem,” he said, noting we’d probably start by drinking a glass of water, one at a time. Instead, the problem – IT security – needs to be defined and broken down.

In his view, IT security can be defined in two words: risk management. Security is a business process just like any other business function, HR or finance for example. It’s not practical to simply throw money at a function to solve a problem, which is essentially what the tech community has done to address IT security for the last 20 years.

And the industry still has security challenges.



IT Security by the Numbers

Mr. Goldfarb laid out the numbers – how the thinking over the last 20 years has gotten the tech community into trouble:

  • It takes a median of 205 days before an intrusion is even detected
  • It takes an average of 32 days to respond to a breach (after it is detected)
  • 69% of companies learn of a breach from an external entity

In all of these cases, 100% of the victims had traditional measures in place – updated firewalls or anti-virus signatures.

It’s not working because “humans are the weakest link in the chain.” We are susceptible to malicious phishing emails and sophisticated attacks. One recent study found inside counsel was far more likely to open a phishing email than any other department.

Businesses, including law firms, invest to prevent intrusions. Prevention is a necessary baseline, but it’s not sufficient, according to Mr. Goldfarb.

In one study, Mr. Goldfarb helped a team examine 1,216 companies in a “proof of value” (POV) test across 63 countries and 20+ industries. A shocking 97% of these companies were compromised (and didn’t know it). Worse, 27% had an APT – an advanced persistent threat – present.

This creates the potential for data – sensitive data – to flow right out the door. He mused that if criminals compromised perhaps just 30-40 law firms in this manner, they would “have a really good idea” of M&A deals, for example.

Intrusion Detection: Mitigate Risk

These attacks happen over time and leave traces that can be analyzed and detected.

“If we can detect these [traces], we can break the progression in the middle,” said Mr. Goldfarb. “You break the communication and you’ve mitigated the risk. It doesn’t matter if they’ve compromised 100 laptops, because you broke the chain.”

The path forward, he says, is the augmentation of prevention “with detection and response” through intrusion detection tools.
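As an added illustration of the point above (example code written for this page, not from the talk or the original post), here is a small Python detector that correlates traces per host over time and raises an alert the first time a host reaches a chosen middle stage of the progression. The four stage names, the log format (`timestamp host stage`) and the sample log lines are all constructed; they stand in for whatever traces a real intrusion detection tool would key on. The dwell figure the alert carries is the gap between a host’s earliest trace and the alert, which is what the “205 days to detect” statistic measures in the wild.

```python
from collections import defaultdict

# Hypothetical stages of an intrusion progression, in order (constructed names).
STAGES = ["phish_open", "malware_exec", "c2_beacon", "exfil"]

# The stage where the defender chooses to break the chain: once the outbound
# command-and-control communication is cut, the later stages cannot proceed.
BREAK_AT = "c2_beacon"

# Constructed sample log: "<timestamp> <host> <stage>", deliberately out of
# timestamp order and including one malformed line.
SAMPLE_LOG = """\
100 laptop-07 phish_open
160 laptop-07 malware_exec
400 laptop-07 c2_beacon
450 laptop-07 exfil
120 laptop-12 phish_open
300 laptop-12 phish_open
200 laptop-19 malware_exec
210 laptop-19 c2_beacon
this line is malformed
""".splitlines()


def parse_line(line):
    """Parse one log line into (timestamp, host, stage); None if malformed or unknown stage."""
    parts = line.split()
    if len(parts) != 3 or parts[2] not in STAGES:
        return None
    try:
        return int(parts[0]), parts[1], parts[2]
    except ValueError:
        return None


def detect(lines, break_at=BREAK_AT):
    """Correlate traces per host over time and raise one alert per host at the
    first sighting of the break stage. Returns the alerts in the order raised."""
    stages_seen = defaultdict(list)   # host -> stages observed, in observed order
    first_trace = {}                  # host -> earliest timestamp of any trace
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # skip malformed lines rather than crash
        ts, host, stage = parsed
        first_trace[host] = min(ts, first_trace.get(host, ts))
        if stage not in stages_seen[host]:
            stages_seen[host].append(stage)
        if stage == break_at and host not in alerted:
            alerted.add(host)
            alerts.append({
                "host": host,
                "alert_ts": ts,
                "stages_seen": list(stages_seen[host]),
                # dwell: time from the earliest trace on this host to the alert
                "dwell": ts - first_trace[host],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as written, the detector alerts on laptop-07 (all three earlier stages seen, dwell 300) and on laptop-19 (which beaconed without a phishing trace ever being logged, dwell 10), and stays silent on laptop-12, whose user opened two phishing emails but where nothing executed. The single-stage rule is deliberate: a host talking to command and control is worth an alert even when the earlier traces were missed, which is exactly the “break the chain in the middle” argument.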

The right investment has a long way to go: he says the collective budget for traditional network security is roughly $35 billion, while just $500 million is spent on intrusion detection. Given that security is a board of directors level discussion, the investment seems disproportionate.

* * *

Law firms are often criticized for being slow to adopt technology, though the scrutiny of late has gone a long way toward raising awareness and spurring investment in action. If Mr. Goldfarb is right, IT security is a constant battle that’s going to require more than just money to keep at bay.

Find more on IT Security from Mr. Goldfarb on his blog, An Analytical Approach.


Photo credit:  Flickr, Tama Leaver, Horse. Possibly Trojan! (CC BY 2.0)


About Frank Strong

Frank Strong is the communications director for the LexisNexis software division located on NC State’s Centennial Campus in Raleigh. In this capacity, he leads communications efforts in support of software products for law practice and law department management and also litigation tools – across large law, small law and corporate counsel segments. With more than 15 years of experience in the high-tech sector, Strong previously served as director of public relations for Vocus, which developed marketing, PR and media monitoring software. He has held multiple roles both in-house with corporations, ranging from startups to global organizations, and has also endured the rigors of billable hours, having completed gigs at PR firms including the top 10 global firm Hill & Knowlton. A veteran of two year-long deployments, Strong has concurrently served in uniform in reserve components of the military for more than 20 years, initially as an enlisted Marine and later as an infantry officer in the Army National Guard. Strong holds a BA in Film and TV production from Worcester State University, an M.A. in Public Communication from American University, and an M.B.A. from Marymount University. He is a PADI-certified Master Scuba Diver and holds a USPA "B" skydiving license.