The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/139453
best practices

• Dedication to Security: It's hard to have a comprehensive security program when responsible staff members are busy juggling a long, disconnected task list. But, with such dedicated security training, this is rarely an issue for CISSPs or CISMs. CISSPs are on the path to stay knowledgeable and relevant.

Security Rules

The Future of Security

Here are a few ways the information security field may evolve in the years to come:

• More Structured, Hierarchical Security Departments: While many firms have not yet developed a strategic design for their security departments, the future may bring a more deliberate hierarchy in which a security leader (likely a CISO or manager/director of information security) will oversee work done by an amalgamation of engineers, architects and analysts. Once these institutions become widespread, a more comprehensive security program can be built with better defined roles and responsibilities, a superior pipeline for project management and a specific process for addressing regulations and compliance requirements.

• Proactive Instead of Reactive Measures: If momentum continues as it is today, hackers will strive to stay ahead of the technology used to defend against them. The security professional will need to embrace change and be a creative problem-solver. However, developing creative, forward-thinking solutions becomes a difficult task when firms still think about security in terms of patching computers and running antivirus software. "These are necessary tools; however, the role of a security professional in the legal industry for the next few years is to shift that mindset to one about managing data risk," said Vasquez. "Hackers are defeating antivirus and other technologies that many law firms have relied upon for years, and the role of the security professional is to ensure that even if an attack occurs, the data will still be protected, and the business process is resilient."

In order to accomplish these goals, security departments will need to focus on proactive, preventive solutions. For example, if firms assume data breaches are inevitable, they may be more inclined to develop a dynamic security system capable of proactively encrypting data, monitoring for sensitive data loss and reconstructing events after a breach.

While information security strategies and staffing models are still evolving, it is clear the industry is recognizing the need to design sustainable security initiatives. Continued progress will require meaningful buy-in from firm leadership. "When there is strong senior leadership support for improving and enforcing information security at the firm, the security team is able to spend more time mitigating risks and potential threats, rather than justifying why controls or policies are necessary," said Jamie Herman, CISM, CISSP, Manager of Information Security at Ropes & Gray LLP in New York City. "With the security leadership role evolving in legal right before our eyes, the alignment between information security, IT governance and the business should continue to improve dramatically over the next several years."

Approaching the year 2020, firms that make these initiatives a salient priority will be better able to secure their internal environment from malicious attacks while simultaneously offering secure services to clients. It's certainly an exciting time in the industry for both emerging and established security professionals.

"There is a great opportunity for security professionals to evolve into the risk management practice and vice versa so that information governance and information security can be tackled together with a unified approach." — Carlos Rodriguez, CISSP, CISM
Peer to Peer

Benjamin Weiss is the Digital Marketing Strategist for Infusive Solutions, a New York City-based IT staffing firm in the Microsoft Partner Network that specializes in the placement of professionals in the legal, financial and media industries. He can be contacted at ben@infusiveny.com.