May is “Privacy Month” on the Pivot Point Security blog, and we’re offering a multi-part post on the five indispensable success factors for law firms’ security/privacy initiatives.
In this Part 3, I’ll cover the remaining factors 3, 4 and 5:
- Prioritize resources
- Align security and privacy objectives
- Take a team approach
Factor 3: Prioritize resources
Given limited resources and dozens or potentially hundreds of requirements to address, there is really no way around the need for prioritization. A formal risk assessment is a great place to start. Assessing information security and privacy risks often requires the subject matter expertise of people in different business areas—so taking a risk-based approach to prioritizing issues also inherently prioritizes the necessary resources.
Comparing your current security and privacy controls against a framework like ISO 27001, the NIST cybersecurity framework or HIPAA guidelines is also an appropriate way to prioritize resources to address gaps in your environment. Performing both a risk assessment and a gap assessment will also help bring to light overlapping issues that hopefully can be addressed once and have multiple impacts in different areas of the firm.
Another benefit of “prioritizing prioritization” is it enables you to see early on if there are any gaps in your expertise or bandwidth. Having a prioritized plan and roadmap to reach your goals is key to addressing resource challenges.
Factor 4: Align security and privacy objectives so they overlap wherever possible
While security and privacy aren’t synonymous, there is inherently a lot of overlap between them. The more you can align your security and privacy efforts, the more time, money and effort you’ll save.
For example, if you have a security framework like ISO 27001 in place, you’ve already covered roughly 70% of the technical and organizational measures in privacy regulations like GDPR. (In the specific case of ISO 27001, adding controls for ISO 27018, a privacy-specific standard, would likely provide almost total coverage across both security and privacy control requirements.)
Here are some further examples of ways in which security and privacy objectives can overlap:
- Establishing the context and scope of your organization as a prerequisite to implementing an ISO 27001-compliant ISMS and maintaining a data map or inventory for GDPR compliance both require you to define an overview of the organization and to document data flow.
- An information security risk assessment and a privacy-related data protection impact assessment are very similar, in that both identify, score and define the treatment of risks.
- A third-party risk management (TPRM) program and processor/sub-processor requirements in GDPR both require you to develop vendor due diligence and monitoring practices.
- Security frameworks like NIST and ISO 27001 address backups, disaster recovery, incident response, and business continuity, while privacy guidelines address data retention, purging, incident response and breach notification. All these functions relate to data lifecycles and managing issues of data confidentiality, integrity, and availability.
In short, it rarely makes sense to address security and privacy goals separately, as an overarching view and process can readily account for similar or overlapping requirements from multiple directives.
Factor 5: Use the team approach
A team is always better than an individual when it comes to managing security and privacy efforts. I strongly recommend creating a “Risk Management, Information Security and Privacy” (or similar) committee that includes stakeholders from all relevant areas across your firm, such as third-party risk management (TPRM), Purchasing, IT, Information Security and Human Resources.
Different stakeholders have different requirements and priorities around security and privacy. Until you know what everyone needs, you can’t effectively and holistically address their needs. Likewise, competing priorities will invariably cause internal struggles that hamper implementation and potentially lead to redundancies in controls or procedures.
Holding regular committee meetings is a good way to ensure that all voices are heard and accounted for within your security and privacy program. Ensure that transparency, collaboration and the avoidance of political wrangling across business areas are “baked in” to the meeting format.
This concludes my 3-part post on security/privacy initiatives for law firms. I hope you’re confident you can put these themes into practice at your firm.
To discuss your practice-specific security and privacy requirements and concerns with an expert, or to strategize on next steps, contact Pivot Point Security.