May is “Privacy Month” on the Pivot Point Security blog, and we’re offering a multi-part post on the five indispensable success factors for law firms’ information security and data privacy initiatives.
In Part 1, I introduced all 5 success factors and explained why they’re so critical. In this post, I’ll cover factors 1 and 2 in greater detail:
- Educate yourself and your team members
- Get senior leadership buy-in
Factor 1: Educate yourself and your team members
The idea here is you need to know where you’re going before you can get there. Many IT professionals in the legal vertical are responsible for security- and privacy-related tasks but may not have deep expertise in the full scope of these areas.
The prospect may not strike you as terribly exciting, but I recommend that you read over the GDPR, the California Consumer Privacy Act (CCPA), current Privacy Shield requirements or whatever guidance pertains to your goals. One thing you’ll notice is how conceptually similar they are. This should help relieve some of the uncertainty that often precedes efforts to align with various recommendations.
If you dig into them, you’ll likewise find that security requirements like HIPAA and PCI, as well as comprehensive frameworks like ISO 27001 and SOC 2, are very similar in terms of control recommendations for the areas they cover.
I’ll end this section with a caveat: true expertise is in short supply in the Privacy space especially. As a mentor to fellow professionals as well as someone who’s “in the trenches” every day, I’m regularly underwhelmed by the lack of experience, knowledge, and talent shown by people proclaiming themselves as “privacy experts.” If you seek third-party support, due diligence is very important.
Factor 2: Get senior leadership buy-in
This is probably the single most critical success factor in information security and privacy initiatives across the board, not just in law firms but in every industry. Gaining company-wide cooperation to adhere to security and privacy policies and procedures is unlikely to happen without some formal direction. When that direction comes from the top down, cooperation and adoption are much easier to achieve. When senior leadership is not actively engaged, implementation is an uphill slog that may grind to a halt short of the goal.
To those responsible for “selling” security and privacy to senior management, I often recommend pulling in your marketing team (if you have one) or applying some marketing principles to the problem. Marketers are experts in understanding their audience and crafting a message that will resonate. Don’t go to management with “We need to do this!” on page 1 of your flip chart. Instead, try to relate the initiative to metrics that align with their view and responsibilities, like revenue, profit and loss, year-over-year growth, customer retention, competitive advantage, access to new markets and so on.
That’s it for this post—I’ll cover the remaining three success factors next time.
To discuss your practice-specific security and/or privacy requirements and concerns with an expert at any time, contact Pivot Point Security.